conti | 217d101b037020cbcdd9fb7e67b2dae7ed3e8467b0dad1ca1ac0a160dc39fb48

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
Size

2.0MB
MD5

1c37c947943a928e5378931ca23d3379
SHA1

570eead825c666609b7f7d94de4ff90a86cacb94
SHA256

217d101b037020cbcdd9fb7e67b2dae7ed3e8467b0dad1ca1ac0a160dc39fb48
SHA512

70b16ed622c6cbf75e1e20c08f6415e0ed055c1b1ac9528e98713079bc93eefde4c67a06b8ba20265eafeeb7eb25c21c20f6d74ad00896533638ef6759683ace
SSDEEP

49152:0/PdqNddtNfBTXtF7tcEXwNBn+fxl7LI4mfe7mEttebsA8EnqN2U:0/PQNdjjtF7rSn+7LCfLE/eJH

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- WIzXR2lGvuQk29m1PY7u4rlctcqqD9r7P8cxcChaQuFbVn9c3SEhznrejtQj3jBf ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (4630) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 38 IoCs

Processes:

1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\readme.txt	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02051_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\DELIMR.FAE	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.INF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\es-ES\readme.txt	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01149_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD11.POC	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHDHM.POC	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\readme.txt	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152608.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171685.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXT	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18218_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233665.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\readme.txt	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXC	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR27F.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2F.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00049_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18198_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14529_.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\readme.txt	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143758.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00132_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21527_.GIF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00267_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\readme.txt	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe

pid	Process
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeBackupPrivilege	2568	vssvc.exe
Token: SeRestorePrivilege	2568	vssvc.exe
Token: SeAuditPrivilege	2568	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2560	WMIC.exe
Token: SeSecurityPrivilege	2560	WMIC.exe
Token: SeTakeOwnershipPrivilege	2560	WMIC.exe
Token: SeLoadDriverPrivilege	2560	WMIC.exe
Token: SeSystemProfilePrivilege	2560	WMIC.exe
Token: SeSystemtimePrivilege	2560	WMIC.exe
Token: SeProfSingleProcessPrivilege	2560	WMIC.exe
Token: SeIncBasePriorityPrivilege	2560	WMIC.exe
Token: SeCreatePagefilePrivilege	2560	WMIC.exe
Token: SeBackupPrivilege	2560	WMIC.exe
Token: SeRestorePrivilege	2560	WMIC.exe
Token: SeShutdownPrivilege	2560	WMIC.exe
Token: SeDebugPrivilege	2560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2560	WMIC.exe
Token: SeRemoteShutdownPrivilege	2560	WMIC.exe
Token: SeUndockPrivilege	2560	WMIC.exe
Token: SeManageVolumePrivilege	2560	WMIC.exe
Token: 33	2560	WMIC.exe
Token: 34	2560	WMIC.exe
Token: 35	2560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2560	WMIC.exe
Token: SeSecurityPrivilege	2560	WMIC.exe
Token: SeTakeOwnershipPrivilege	2560	WMIC.exe
Token: SeLoadDriverPrivilege	2560	WMIC.exe
Token: SeSystemProfilePrivilege	2560	WMIC.exe
Token: SeSystemtimePrivilege	2560	WMIC.exe
Token: SeProfSingleProcessPrivilege	2560	WMIC.exe
Token: SeIncBasePriorityPrivilege	2560	WMIC.exe
Token: SeCreatePagefilePrivilege	2560	WMIC.exe
Token: SeBackupPrivilege	2560	WMIC.exe
Token: SeRestorePrivilege	2560	WMIC.exe
Token: SeShutdownPrivilege	2560	WMIC.exe
Token: SeDebugPrivilege	2560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2560	WMIC.exe
Token: SeRemoteShutdownPrivilege	2560	WMIC.exe
Token: SeUndockPrivilege	2560	WMIC.exe
Token: SeManageVolumePrivilege	2560	WMIC.exe
Token: 33	2560	WMIC.exe
Token: 34	2560	WMIC.exe
Token: 35	2560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c37c947943a928e5378931ca23d3379_JaffaCakes118.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1600 wrote to memory of 2644	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	31
PID 1600 wrote to memory of 2644	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	31
PID 1600 wrote to memory of 2644	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	31
PID 1600 wrote to memory of 2644	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2560	2644	cmd.exe	33
PID 2644 wrote to memory of 2560	2644	cmd.exe	33
PID 2644 wrote to memory of 2560	2644	cmd.exe	33
PID 1600 wrote to memory of 2732	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	34
PID 1600 wrote to memory of 2732	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	34
PID 1600 wrote to memory of 2732	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	34
PID 1600 wrote to memory of 2732	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	34
PID 2732 wrote to memory of 2760	2732	cmd.exe	36
PID 2732 wrote to memory of 2760	2732	cmd.exe	36
PID 2732 wrote to memory of 2760	2732	cmd.exe	36
PID 1600 wrote to memory of 2592	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	37
PID 1600 wrote to memory of 2592	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	37
PID 1600 wrote to memory of 2592	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	37
PID 1600 wrote to memory of 2592	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	37
PID 2592 wrote to memory of 2396	2592	cmd.exe	39
PID 2592 wrote to memory of 2396	2592	cmd.exe	39
PID 2592 wrote to memory of 2396	2592	cmd.exe	39
PID 1600 wrote to memory of 2476	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	40
PID 1600 wrote to memory of 2476	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	40
PID 1600 wrote to memory of 2476	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	40
PID 1600 wrote to memory of 2476	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	40
PID 2476 wrote to memory of 1648	2476	cmd.exe	42
PID 2476 wrote to memory of 1648	2476	cmd.exe	42
PID 2476 wrote to memory of 1648	2476	cmd.exe	42
PID 1600 wrote to memory of 2140	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	43
PID 1600 wrote to memory of 2140	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	43
PID 1600 wrote to memory of 2140	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	43
PID 1600 wrote to memory of 2140	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	43
PID 2140 wrote to memory of 2404	2140	cmd.exe	45
PID 2140 wrote to memory of 2404	2140	cmd.exe	45
PID 2140 wrote to memory of 2404	2140	cmd.exe	45
PID 1600 wrote to memory of 268	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	46
PID 1600 wrote to memory of 268	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	46
PID 1600 wrote to memory of 268	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	46
PID 1600 wrote to memory of 268	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	46
PID 268 wrote to memory of 2656	268	cmd.exe	48
PID 268 wrote to memory of 2656	268	cmd.exe	48
PID 268 wrote to memory of 2656	268	cmd.exe	48
PID 1600 wrote to memory of 1080	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	49
PID 1600 wrote to memory of 1080	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	49
PID 1600 wrote to memory of 1080	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	49
PID 1600 wrote to memory of 1080	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	49
PID 1080 wrote to memory of 860	1080	cmd.exe	51
PID 1080 wrote to memory of 860	1080	cmd.exe	51
PID 1080 wrote to memory of 860	1080	cmd.exe	51
PID 1600 wrote to memory of 1736	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	52
PID 1600 wrote to memory of 1736	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	52
PID 1600 wrote to memory of 1736	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	52
PID 1600 wrote to memory of 1736	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	52
PID 1736 wrote to memory of 2164	1736	cmd.exe	54
PID 1736 wrote to memory of 2164	1736	cmd.exe	54
PID 1736 wrote to memory of 2164	1736	cmd.exe	54
PID 1600 wrote to memory of 2096	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	55
PID 1600 wrote to memory of 2096	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	55
PID 1600 wrote to memory of 2096	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	55
PID 1600 wrote to memory of 2096	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	55
PID 2096 wrote to memory of 2044	2096	cmd.exe	57
PID 2096 wrote to memory of 2044	2096	cmd.exe	57
PID 2096 wrote to memory of 2044	2096	cmd.exe	57
PID 1600 wrote to memory of 2412	1600	1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1FFFE2A-FCA2-46FB-AB3E-856A1E7D212E}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1FFFE2A-FCA2-46FB-AB3E-856A1E7D212E}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FC48C72-9C18-47C6-8B58-44674A6F05C7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FC48C72-9C18-47C6-8B58-44674A6F05C7}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{204EE53C-B0C6-465C-A10E-C7D01BB1DC56}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{204EE53C-B0C6-465C-A10E-C7D01BB1DC56}'" delete
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBE0BD6A-49EE-4877-9DF3-2402C31847DC}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBE0BD6A-49EE-4877-9DF3-2402C31847DC}'" delete
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F15D746-ED0B-4572-94AE-1166A292DB55}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F15D746-ED0B-4572-94AE-1166A292DB55}'" delete
    3⤵
    PID:2404
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A07542A-1109-4887-882A-BF29A37D8CD5}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A07542A-1109-4887-882A-BF29A37D8CD5}'" delete
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AF7EC3A-8A71-4E82-A340-0C14FAF5465F}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AF7EC3A-8A71-4E82-A340-0C14FAF5465F}'" delete
    3⤵
    PID:860
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1DFBBAE0-E294-4355-95C6-36BFB92E0C52}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1DFBBAE0-E294-4355-95C6-36BFB92E0C52}'" delete
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4095CEB-C8A5-4EF2-B87A-10A0EE0A7922}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4095CEB-C8A5-4EF2-B87A-10A0EE0A7922}'" delete
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68599A65-ABD7-47E8-9515-79BD8AE1303A}'" delete
  2⤵
  PID:2412
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68599A65-ABD7-47E8-9515-79BD8AE1303A}'" delete
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91297E19-2CAD-413F-A07A-377C39D7CDFE}'" delete
  2⤵
  PID:1204
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91297E19-2CAD-413F-A07A-377C39D7CDFE}'" delete
    3⤵
    PID:1468
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4C666236-5F6A-4AEB-853C-1D58C067D79C}'" delete
  2⤵
  PID:1632
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4C666236-5F6A-4AEB-853C-1D58C067D79C}'" delete
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45A30E27-E172-4F14-BA8C-41653AB26A7F}'" delete
  2⤵
  PID:1764
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45A30E27-E172-4F14-BA8C-41653AB26A7F}'" delete
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3A6DF31-F853-49AE-8216-CCA97D39DF0D}'" delete
  2⤵
  PID:2312
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3A6DF31-F853-49AE-8216-CCA97D39DF0D}'" delete
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1706141-E98C-4DD8-B93C-0DF9ACA0A9B6}'" delete
  2⤵
  PID:2840
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1706141-E98C-4DD8-B93C-0DF9ACA0A9B6}'" delete
    3⤵
    PID:2524
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A32BE965-B73A-4EA7-8E0B-7DBEE93FB2E5}'" delete
  2⤵
  PID:2324
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A32BE965-B73A-4EA7-8E0B-7DBEE93FB2E5}'" delete
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{836E661F-607C-451E-A4A6-8F8E4A56E87A}'" delete
  2⤵
  PID:788
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{836E661F-607C-451E-A4A6-8F8E4A56E87A}'" delete
    3⤵
    PID:2996
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FF70A0D6-E5D2-4C1C-817F-7E56D7E90DC7}'" delete
  2⤵
  PID:2672
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FF70A0D6-E5D2-4C1C-817F-7E56D7E90DC7}'" delete
    3⤵
    PID:1680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
8f6296784a2d2a437c579768503f8737

SHA1
937b7bab4c20d01d8c9d324c830a14f73cb534a8

SHA256
946ca299d775712a93ca6d5daf44b96c986385a584001bf40730eebe86df9071

SHA512
f798844b0b44ee8baeba06caf9ac994bc8ad454a9923894567f04154eeeaccd5a171262bf8d0f69356cbed40356f194bf0d7d069ab3c7ba6741642d1e0b0673d

Download Submit
memory/1600-0-0x0000000002250000-0x000000000244B000-memory.dmp

Filesize
2.0MB

Download
memory/1600-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1600-258-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1600-1538-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1600-3271-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1600-6461-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1600-6486-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download