Analysis

  • max time kernel
    130s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 22:36

General

  • Target

    270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe

  • Size

    344KB

  • MD5

    270b70bad151a515136f553e5bc880ac

  • SHA1

    77b7def336c7647c6faadaf7136d70ff1e9ba7fc

  • SHA256

    db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

  • SHA512

    c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

  • SSDEEP

    3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E

#########################################################################

Cannot you find the files you need?
Is the content of the files that you looked for not readable?

It is normal because the files' names, as well as the data in your files have been encrypted.

Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.

#########################################################################

!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.

#########################################################################

What is encryption?
-------------------

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.

To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

#########################################################################

Everything is clear for me but what should I do?
------------------------------------------------

The first step is reading these instructions to the end.

Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.

After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.

Finally it will be impossible to decrypt your files.

When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

#########################################################################

!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.

#########################################################################

For your information the software to decrypt your files (as well as the private key provided together) are paid products.

After purchase of the software package you will be able to:

  1. decrypt all your files;
  2. work with your documents;
  3. view your photos and other media;
  4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

#########################################################################

There is a list of temporary addresses to go on your personal page below:

 _______________________________________________________________________
|                                                                       |
| 1. http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116        |
| 2. http://cerberhhyed5frqa.45tori.win/7C14-B991-6859-0073-1116        |
| 3. http://cerberhhyed5frqa.fkr84i.win/7C14-B991-6859-0073-1116        |
| 4. http://cerberhhyed5frqa.fkri48.win/7C14-B991-6859-0073-1116        |
| 5. http://cerberhhyed5frqa.djre89.win/7C14-B991-6859-0073-1116        |
|_______________________________________________________________________|

#########################################################################

What should you do with these addresses?
----------------------------------------

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):

  1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116);
  2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
  3. release the left mouse button and press the right one;
  4. select "Copy" in the appeared menu;
  5. run your Internet browser (if you do not know what it is run the Internet Explorer);
  6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
  7. click the right mouse button in the field where the site address is written;
  8. select the button "Insert" in the appeared menu;
  9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116 appeared there;
  10. press ENTER;
  11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:

  1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116);
  2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

#########################################################################

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.

Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

  1. run your Internet browser (if you do not know what it is run the Internet Explorer);
  2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
  3. wait for the site loading;
  4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
  5. run Tor Browser;
  6. connect with the button "Connect" (if you use the English version);
  7. a normal Internet browser window will be opened after the initialization;
  8. type or copy the address

      ________________________________________________________
     |                                                        |
     | http://cerberhhyed5frqa.onion/7C14-B991-6859-0073-1116 |
     |________________________________________________________|

     in this browser address bar;
  9. press ENTER;
  10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

#########################################################################

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only.

The instructions are made in two file formats - HTML and TXT for your convenience.

Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.

The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

#########################################################################

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.

The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.

Together we make the Internet a better and safer place.

#########################################################################

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

#########################################################################

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116

http://cerberhhyed5frqa.45tori.win/7C14-B991-6859-0073-1116

http://cerberhhyed5frqa.fkr84i.win/7C14-B991-6859-0073-1116

http://cerberhhyed5frqa.fkri48.win/7C14-B991-6859-0073-1116

http://cerberhhyed5frqa.djre89.win/7C14-B991-6859-0073-1116

http://cerberhhyed5frqa.onion/7C14-B991-6859-0073-1116

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>&#067;erber Ransomware</title>
<style>
a { color: #47c; text-decoration: none; }
a:hover { text-decoration: underline; }
body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; }
hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; }
li { padding: 0 0 7px 7px; }
ol { padding-left: 3em; }
.container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; }
.info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; }
.logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; }
.tor { padding: 10px 0; text-align: center; }
.warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; }
</style>
</head>
<body>
<div class="container">
<h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3>
<hr>
<p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p>
<p>It is normal because the files' names, as well as the data in your files have been encrypted.</p>
<p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p>
<hr>
<p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p>
<hr>
<h3>What is encryption?</h3>
<p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p>
<p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p>
<p>But not only it.</p>
<p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p>
<hr>
<h3>Everything is clear for me but what should I do?</h3>
<p>The first step is reading these instructions to the end.</p>
<p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p>
<p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p>
<p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p>
<p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p>
<p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p>
<p>Finally it will be impossible to decrypt your files.</p>
<p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p>
<p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p>
<hr>
<p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p>
<hr>
<p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p>
<p>After purchase of the software package you will be able to:</p>
<ol>
<li>decrypt all your files;</li>
<li>work with your documents;</li>
<li>view your photos and other media;</li>
<li>continue your usual and comfortable work at the computer.</li>
</ol>
<p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p>
<hr>
<div class="info">
<p>There is a list of temporary addresses to go on your personal page below:</p>
<ol>
<li><a href="http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116" target="_blank">http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116</a></li>
<li><a href="http://cerberhhyed5frqa.45tori.win/7C14-B991-6859-0073-1116" target="_blank">http://cerberhhyed5frqa.45tori.win/7C14-B991-6859-0073-1116</a></li>
<li><a href="http://cerberhhyed5frqa.fkr84i.win/7C14-B991-6859-0073-1116" target="_blank">http://cerberhhyed5frqa.fkr84i.win/7C14-B991-6859-0073-1116</a></li>
<li><a href="http://cerberhhyed5frqa.fkri48.win/7C14-B991-6859-0073-1116" target="_blank">http://cerberhhyed5frqa.fkri48.win/7C14-B991-6859-0073-1116</a></li>
<li><a href="http://cerberhhyed5frqa.djre89.win/7C14-B991-6859-0073-1116" target="_blank">http://cerberhhyed5frqa.djre89.win/7C14-B991-6859-0073-1116</a></li>
</ol>
</div>
<hr>
<h3>What should you do with these addresses?</h3>
<p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p>
<ol>
<li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116" target="_blank">http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116</a>);</li>
<li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li>
<li>release the left mouse button and press the right one;</li>
<li>select "Copy" in the appeared menu;</li>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li>
<li>click the right mouse button in the field where the site address is written;</li>
<li>select the button "Insert" in the appeared menu;</li>
<li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116" target="_blank">http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116</a> appeared there;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p>
<p>If you browse the instructions in HTML format:</p>
<ol>
<li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116" target="_blank">http://cerberhhyed5frqa.vmfu48.win/7C14-B991-6859-0073-1116</a>);</li>
<li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet.</p>
<hr>
<p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p>
<p>Unlike them we are ready to help you always.</p>
<p>If you need our help but the temporary sites are not available:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened after the initialization;</li>
<li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/7C14-B991-6859-0073-1116</span> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p>
<p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p>
<hr>
<h3>Additional information:</h3>
<p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p>
<p>The instructions are made in two file formats - HTML and TXT for your convenience.</p>
<p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p>
<p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p>
<hr>
<p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p>
<p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p>
<p>Together we make the Internet a better and safer place.</p>
<hr>
<p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p>
<hr>
<p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p>
</div>
</body>
</html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16389) amount of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Deletes itself (1 IoC)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill (2 IoCs)
  • Modifies Control Panel (4 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 61 IoCs)
  • Runs ping.exe (1 TTP, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (24 IoCs)
  • Suspicious use of AdjustPrivilegeToken (47 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\wecutil.exe
      "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\wecutil.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2716
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2308
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2228
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2764
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:603137 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2056
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:764
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:232
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "wecutil.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\wecutil.exe" > NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "wecutil.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1136
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:684
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2700
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2748
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2308

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                             Count  ID
  --------------------  ------------------------------------  -----  ---------
  Execution             Windows Management Instrumentation    1      T1047
  Persistence           Boot or Logon Autostart Execution     2      T1547
  Persistence           Registry Run Keys / Startup Folder    2      T1547.001
  Privilege Escalation  Boot or Logon Autostart Execution     2      T1547
  Privilege Escalation  Registry Run Keys / Startup Folder    2      T1547.001
  Defense Evasion       Indicator Removal                     2      T1070
  Defense Evasion       File Deletion                         2      T1070.004
  Defense Evasion       Modify Registry                       4      T1112
  Credential Access     Unsecured Credentials                 1      T1552
  Credential Access     Credentials In Files                  1      T1552.001
  Discovery             Network Service Discovery             2      T1046
  Discovery             System Information Discovery          2      T1082
  Discovery             Remote System Discovery               1      T1018
  Collection            Data from Local System                1      T1005
  Impact                Inhibit System Recovery               3      T1490
  Impact                Defacement                            1      T1491


Downloads

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
    Filesize
    12KB
    MD5
    c8c4f45274744b74e7502050e9e7c87d
    SHA1
    a80f622de3be949be71ce1f4e9eed200ee2ef29c
    SHA256
    88b70df7c6a18649050f8d1cd5f34f983ffb50d4ce15edbbc58300bbe0432cad
    SHA512
    3662adf47a8188622af42c0841b909f518329c4e7df7dfafdd2306e7fbdd91e4ea5c51d0a74a8a6dc9ea203d33800b3d4df9b5cc488764a87e2bf6eacc4e13a4

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
    Filesize
    10KB
    MD5
    bcea9d9ec189e304bf3c09900ea70b84
    SHA1
    f334b320e20626c4e3dbd2b2c277b7b457beaf27
    SHA256
    fd537d81dee51f4bf0a8fdb6a7585aed397fb40837e7157e6644d592ed1ebd35
    SHA512
    0dd633775d62ed60b86a6baa1a82a31bca8bd74aff4edbd6741efaa4f93eea89aa26b4393a370e6157c2d1b5740b88cf29528aaa9c1a8a05728e1fb100079695

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
    Filesize
    85B
    MD5
    65c5303fcb97dcb1d3b6aefc697fc010
    SHA1
    90bb3db7ba50c70107e99ea37cb3d192bba94e9d
    SHA256
    1379b29fdca02b8c009cfeb49e710aa71ec964a9cc350a8972d0454819fe9cd4
    SHA512
    45c228592783238dcfdcd7bc13e55e1a5131fd366935f54d3dd8f3c20694d16db49d3fe196ca17042a07361eafa63bd267434e34342198bbe593fa5b78eec555

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
    Filesize
    219B
    MD5
    35a3e3b45dcfc1e6c4fd4a160873a0d1
    SHA1
    a0bcc855f2b75d82cbaae3a8710f816956e94b37
    SHA256
    8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
    SHA512
    6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize
    68KB
    MD5
    29f65ba8e88c063813cc50a4ea544e93
    SHA1
    05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256
    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512
    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize
    344B
    MD5
    70a026a3a4e6b4f69ca589dafc67f6a0
    SHA1
    e12b6fc963fbb2c57a6a2b5da551a30a8b819c18
    SHA256
    e8891c817ff6588853628cf69603038fcf997e792c9ef00913e91952797636de
    SHA512
    d13355c03f30ed61387817a9471198caa7b7c5bb0305b01034cedc18bd2f5507817ae47d194507033565c5a93f893a9205dd08bf2effc00cd6aa40a8082ef087

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize
    344B
    MD5
    49a00829c30c5fe1869c63c024ba8bb2
    SHA1
    cf1b6f892c63eba516a076e9863527bb071a73e8
    SHA256
    24a07138e1f4cb4316e8406a00dffee1341469aec7cd4be506376f626ade1dc1
    SHA512
    d8f6d331fc6049d0563d435019745342fe85f45ef19a2753d43d40556c9f9b9c804bec3b0d20f6926b2bf9b74d4b3d440d4ad3968950443cca045977a0206f55

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          42bc913f48d0cad009547290ee5a99c7

          SHA1

          c91e8bcad73500ec63de14d12d82d614725cc508

          SHA256

          d6b372273fcd42e129abbd8c1432c9b2a6b93ddd3e241ba5ac4401ae5e927b79

          SHA512

          9c17b5313400fa5f02d63493eff1d606acbda7c05b38a0989fb0a21c00c9332c5d7955c2bb9fe46f279df4f3e74505966277c7242f3ddbec09e608df1f388d3b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          a50f4c392e5b4d174e3f0e417bd95f82

          SHA1

          f3569dd6af7aba5f758d78517da299f442254448

          SHA256

          b75f83b217da42c66ec2cf75ea11849b82cc00545dfc5d85fa0727a0a7f892b7

          SHA512

          a6a605e083c1d26b22d9926f353869b2447e242129159adcb3d575165d5960aa09e3caf09152209eb8cb0f4c6ffc7ad55d3be259cf2b8188808e475d9cdb2641

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          896a3fa737fe0020a111417fa139b5cd

          SHA1

          9c8759451e283b0171f8f17bac164c5c575bc443

          SHA256

          485e1ee640f620381d9d61e2b009ea33c914c35a9224141d72d5a2783439c31c

          SHA512

          ecaa93bf60640331f42eb3f0cd70e072aab9d1501fb4a7537d037771132d10017aead3262060f3cd898d8d4d36816ea65c4f24b41e08496bdaf4ebe660b72672

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c4d018d93c5e0d33ee119e6931e560b4

          SHA1

          5c1a1edb43b2e5d95543d9b582931be4cbfe8df8

          SHA256

          8a617f8003b4caf6a650eb16ae25b811c5c050d26cd278b4ef2fb9f8c5154fd4

          SHA512

          ddb135034c19da10eb52d538288d0709952cc6c484f110a086aa628356c10ea63fe51fb651bd26d13687804fcba47e76eb99ca7bab2f9c5a085c392cd7daa9a5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d810be7589647d6653db516e5a8a4e21

          SHA1

          f51810f0aabcf5594c7ed24a45718fe15a141819

          SHA256

          b7507669d6342d45f470ce4fee100376dedf066ff98671de0922305405dff2e3

          SHA512

          3ee9c32837067c5b3fa8217140656312a5324c777fbf03383f3d18ad307bed9b05ef070e07e126639964696bf0770f91b7193195f1104bcb969a9b15c7e0113f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          347a3d45ae458847de28d7fe9ec90451

          SHA1

          aedb3294b79d5b94619b1f6c16b5407bfeb1d2f4

          SHA256

          64e21932e058d8e81fbd4d555ca0e235f3832e1cfefa85d1fd7e7fcfd9c09762

          SHA512

          a39d6dc039866bb66f44974fa90411f1c9a63e215712d71a52d841b0513619c71f70512ee714a2c438872d0082db0581575cc0980d79b8e1222ff2eb810a38bb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          71d1e2fb3a9b4cff7717fdb46517e6fa

          SHA1

          8896d12aa4de6ad79d1754b9b9afb0219d2f3401

          SHA256

          d8cbd9e5cc1dab202e58c3f03b4a281b92322c3ad821f1cc41159735b241f5b2

          SHA512

          f604d2a02fddbab43d33ca47eef963cec577e8569e002d2ac7239c9ca32f4ba144b48773c8f7dc3468862d1c6b35cff7e05d67b549958ac017c92b1aca634d8f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          84ef53447151faa58259fe80caaae712

          SHA1

          388fd074c6bd51b419146519eeddd6a337d5072b

          SHA256

          35fe7b318f814231212ff18ab6c9def143236d74e7a4252d48079b864ecfa407

          SHA512

          67e1b5023f54c74204cae8f2ed3a6c71dda47b60b6524835793ca7e097387402891abc390b44f938f37313ea1461a4722d037bb41c6276911f73f2bf1b3d93d7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          deaeffddfdd5fa17f4dddd6660efbe02

          SHA1

          391dd3b85c9fc41ed2f12ee6a8f0af60f556b6ec

          SHA256

          822cfc9ddbedfdc1dd0be19c327264685fa2f2272eb992e08aec19af2a9b8d89

          SHA512

          215ef7734beffa8a6307edde1199d48521087d3342c38200243cd0a0ec564e0ecb10de9f5a2e79145441556fae29c6c55d2ed304cc15dbbca3247afad47903c4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          6ef1a295e73e6259eaef90ad1e8226e2

          SHA1

          072ec889ed2325329af507fb61a6b098b8969e6c

          SHA256

          d09645a0e20b9b85d54f9c3e02cdc36d4193cc162cb2f7687a38842c87b3ccf1

          SHA512

          63a518ba2215ede9b997367044be2f0e7ae43ca0df74e708bbbda357618e9157e5521f9f5fdc3ddaad3b97e8ddc28244a44c012c9d2512272f9635589404136e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c009bcc0f32222252b179cccc7f903a8

          SHA1

          390364b4fb4b4634c75d36b4aa834aa9517f03cb

          SHA256

          d697ba247e2e66929846aec38ac2c1ddda2119341f870c274fa561db62264e10

          SHA512

          1359a610798e141d6303011e446bd078e824d832627e8c066c5cefa61c0189a47fb6fffae8db2af90af236be658a4863a5f3c6cde2e334a0149b0075a75197ee

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          375f801ec73b259ab52347e7e2fe260d

          SHA1

          9cd3b969c96e027f1aad528af15d4db46fe541f3

          SHA256

          bf2195269bf40078eb443cdcd78da904f74df05d24c684ce1825773c96736f1a

          SHA512

          4d63845faa9a7b60a8badd36b568754764ff5b81d93fe11ac19e328606fe479b1734c09a9e5e54ca8a2f55d6fb88fb418b10918366bfbdd5f86fa0e4b2f7bf84

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          6162c5065433dced61623fc3b777e611

          SHA1

          cfa5f640562c4b7d2458ef2658536b0d695905ff

          SHA256

          5cc089aeec6dbeead647713cb8ef8773a776771faf0cc209712888d314fee7d7

          SHA512

          1a5d0704940aeadcfa8606f10ec29ad65f60ea347bb88bb397d653446285e8b664c60d3e74f6075780466d00356606ecebf8d5ab574babd0877378d16ee8f761

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          f7d56f143aea2136f13cd39cb09040dd

          SHA1

          37f43c97db89ec8094a3c00fd8351616589807e3

          SHA256

          e6bee18075adc4d967494202ff4e40a5964ef3aba849ae89c6ae6e375a2bd6fe

          SHA512

          49ba1690503acf1fe9e003858bd81a4cbd4d31b1311fe5674328fc51f2658492c27dfd3911c68468a5c083315aaf3d4fb491c9b434882e1fdb2eb258d5899bfb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          8fce11ab35449bd92afaa9bd8cd51b86

          SHA1

          fa60db222fb86f8480f831f1c18ece30db64c13d

          SHA256

          ede022537850d7e470c6fcff0ea2b3e18517699b286f227078b707382e926cf8

          SHA512

          8cd787732c575c419d0d29c6b9f68b5a4187fde6782723bbe743e5bf521edb0277f2c49bb5e53505e6858b897771d90c17ff3538bad53bc63a0dc16bb6a745c2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          ed020bf6dde230bb84a1ba50e91672b5

          SHA1

          0710a7226d7ad6767cca54917ebcd24c43fb9f24

          SHA256

          10525558c88908df90ca2b1fc818ee6b153ff9d70a0b697571f884113a22c311

          SHA512

          0b6e4eec42963177ad0d075641b584407cec329d2beee100b2eb5f17a9a5aae6ddfce9f9e9299fe3abf7eef4c09b26118c5a01f3be7ff85e93d9e792b22067a5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          1ad8e08ad8ebe365fdd7d831e38f3711

          SHA1

          46904173a1b5c2812053e8332d8a52ea53f9987b

          SHA256

          4c68304ff3efc07e959a4cf2a976fa004ad5b9e62c3aa3a7a4513a3dd6562fbb

          SHA512

          8c47931653bdc6c40f1202776d031ace98f5f00c7510b26f5356ff6435f4a2c8f462123afbe258f5d5af06fbd5a9518bd59029a947d09a7c9b2feca994ae0534

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D986221-0D8B-11EF-873B-52ADCDCA366E}.dat
          Filesize

          5KB

          MD5

          9f3f1ed551ddd4a152f3e6aac6dd5ed4

          SHA1

          90c3ad65732e86e03e9190a099c80f7b0c0b72dc

          SHA256

          1cd7f8576a358d3ca4d1fba2ba6bfb555bb362c7c177ed14d980b13c7d8b6fa2

          SHA512

          0a77936441cfad3d2df673573fb7ba21c73980da8babbfb28f2a449c2e2d3912457383a65365959bc32ed48d5fc656e3c1e08d9638aec0efbb28eaab633f7336

        • C:\Users\Admin\AppData\Local\Temp\Cab2C32.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar2D04.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wecutil.lnk
          Filesize

          1KB

          MD5

          bd4d7397a14bfe90058e155b63eb6118

          SHA1

          f68ff454800ce8e2119121385902949043af0674

          SHA256

          18b335ca356b85a255b3000acb9e970246c22449b0d944715601aa88ec16c87d

          SHA512

          ab5bec3f28bc949907100ec77db71831f485a97af22137d54778909f51fd3b22ad696a36a2759a8ab9de22989242bf8902d341915d634892a82ac6846ba9bd86

        • \Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\wecutil.exe
          Filesize

          344KB

          MD5

          270b70bad151a515136f553e5bc880ac

          SHA1

          77b7def336c7647c6faadaf7136d70ff1e9ba7fc

          SHA256

          db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

          SHA512

          c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

        • memory/2340-428-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-457-0x00000000053E0000-0x00000000053E2000-memory.dmp
          Filesize

          8KB

        • memory/2340-411-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-409-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-41-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-37-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-28-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-417-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-27-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-419-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-25-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-24-0x0000000000400000-0x0000000000459000-memory.dmp
          Filesize

          356KB

        • memory/2340-447-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-444-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-426-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-413-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-430-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-434-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-439-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-943-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-437-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-442-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-22-0x0000000003480000-0x0000000003481000-memory.dmp
          Filesize

          4KB

        • memory/2340-15-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-17-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/2340-14-0x0000000000400000-0x0000000000459000-memory.dmp
          Filesize

          356KB

        • memory/3016-19-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/3016-0-0x0000000000130000-0x000000000014E000-memory.dmp
          Filesize

          120KB

        • memory/3016-2-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

        • memory/3016-1-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB
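The list above is the sandbox's dropped-file panel as extracted: one bullet per artifact, then label/value pairs split by blank lines. Three things in it matter to a responder and are easy to miss when scrolling hashes: the ransom notes written into MSOCache, the wecutil.lnk planted in the user's Startup folder, and the wecutil.exe under %AppData%\{GUID}\ whose SHA256 is identical to the submitted sample (a byte-for-byte self-copy wired to persistence). The Python below is an added example, not code from this report or from the sandbox that produced it. It parses that panel layout into IOC records, rejects any digest whose length or alphabet is wrong for its algorithm, classifies the records along those three lines, and hunts a directory by content hash rather than file name. The embedded excerpt is constructed from three entries above (values copied from the report; the second and third entries trimmed to one digest each); the function names, the scratch directory and the stand-in file are assumptions for the demo.

```python
"""Added example, not code from the report or its sandbox: parse the report's
dropped-file panel into IOC records, then hunt a directory for them by content."""
import hashlib
import re
import tempfile
from pathlib import Path

SAMPLE_SHA256 = "db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa"  # report's "Target"

# Constructed excerpt in the panel's layout (bullet, path, label/value pairs split by blank
# lines); the first entry keeps every field, the other two are trimmed to one digest each.
REPORT_EXCERPT = r"""
• C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
  Filesize

  10KB

  MD5

  bcea9d9ec189e304bf3c09900ea70b84

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wecutil.lnk
  MD5

  bd4d7397a14bfe90058e155b63eb6118

• \Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\wecutil.exe
  SHA256

  db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
RANSOM_NOTE_RE = re.compile(r"# DECRYPT MY FILES #\.(txt|html|url|vbs)$", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.I)


def parse_downloads(text: str) -> list:
    """One dict per bullet; a digest with the wrong length or alphabet is rejected outright."""
    records = []
    for chunk in re.split(r"^\s*•\s*", text, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"path": lines[0], "hashes": {}}
        for label, value in zip(lines[1::2], lines[2::2]):  # label line, then value line
            algo = label.lower()
            if algo in HASH_LEN:
                value = value.lower()
                if len(value) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
                    raise ValueError(f"malformed {label} for {rec['path']}: {value}")
                rec["hashes"][algo] = value
        records.append(rec)
    return records


def classify(records, sample_sha256: str) -> dict:
    """Group by what a responder acts on: notes, Startup persistence, self-copies, dumps."""
    out = {"ransom_notes": [], "startup_lnk": [], "self_copies": [], "memory_dumps": []}
    for r in records:
        path = r["path"]
        if path.startswith("memory/"):
            out["memory_dumps"].append(path)
        elif RANSOM_NOTE_RE.search(path):
            out["ransom_notes"].append(path)
        elif STARTUP_LNK_RE.search(path):
            out["startup_lnk"].append(path)
        if r["hashes"].get("sha256") == sample_sha256.lower():  # byte-identical copy of the sample
            out["self_copies"].append(path)
    return out


def sha256_of(p: Path) -> str:
    return hashlib.sha256(p.read_bytes()).hexdigest()  # whole-file read is fine at these sizes


def find_matches(root: Path, records) -> list:
    """(local path, report path) pairs whose SHA256 agree: content, not name, catches renames."""
    wanted = {r["hashes"]["sha256"]: r["path"] for r in records if "sha256" in r["hashes"]}
    return [(p, wanted[d]) for p in root.rglob("*") if p.is_file()
            for d in (sha256_of(p),) if d in wanted]


def demo() -> dict:
    """Parse and classify the excerpt, then hunt a scratch directory holding one stand-in file."""
    records = parse_downloads(REPORT_EXCERPT)
    summary = classify(records, SAMPLE_SHA256)
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = Path(tmp) / "wecutil.exe"
        stand_in.write_bytes(b"constructed stand-in, not the sample")
        # Constructed record carrying the stand-in's own digest, so the hunt has something to find.
        fake = {"path": "constructed\\wecutil.exe", "hashes": {"sha256": sha256_of(stand_in)}}
        summary["local_hits"] = [rp for _, rp in find_matches(Path(tmp), records + [fake])]
    return summary
```

On a real host, point find_matches at %AppData% and the Startup folder with the full record list; a hit on wecutil.exe by content is the sample regardless of what it was renamed to, and a .lnk in StartUp that resolves to it is the persistence to remove before the shadow-copy and note artifacts are cleaned up.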