Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    12-05-2024 04:53

General

  • Target

    385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe

  • Size

    219KB

  • MD5

    385af1697f3c8dc280ca4eca303cd79a

  • SHA1

    d2696e30475c91cd6c0e8bb295191bf2729d2f9e

  • SHA256

    8628de0058b0a0a3fb0a68a6e62827e28d8b74a7a0cfed84764394692caefd92

  • SHA512

    63cebf1ebd346e8a4a460ac0d1ea586f8c648fada8bee3bf41e90e4c1dd80423a3dce063470722e5ef8092acf9987fd2bf34805a769df6231a9ab0cdbb760504

  • SSDEEP

    6144:8yAge9RrJpDsGwJWg3ZU0WbOwV1+Md2X2VsC:IJp1wZYBV1Ld2X2CC

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6 | | 2. http://cerberhhyed5frqa.we34re.top/C1AB-E64A-7D44-006D-F5F6 | | 3. http://cerberhhyed5frqa.cmr95i.top/C1AB-E64A-7D44-006D-F5F6 | | 4. 
http://cerberhhyed5frqa.45gf4t.win/C1AB-E64A-7D44-006D-F5F6 | | 5. http://cerberhhyed5frqa.lfotp5.top/C1AB-E64A-7D44-006D-F5F6 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/C1AB-E64A-7D44-006D-F5F6 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6

http://cerberhhyed5frqa.we34re.top/C1AB-E64A-7D44-006D-F5F6

http://cerberhhyed5frqa.cmr95i.top/C1AB-E64A-7D44-006D-F5F6

http://cerberhhyed5frqa.45gf4t.win/C1AB-E64A-7D44-006D-F5F6

http://cerberhhyed5frqa.lfotp5.top/C1AB-E64A-7D44-006D-F5F6

http://cerberhhyed5frqa.onion/C1AB-E64A-7D44-006D-F5F6

Extracted

Path

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> 
<p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software 
package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6</a></li> <li><a href="http://cerberhhyed5frqa.we34re.top/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.we34re.top/C1AB-E64A-7D44-006D-F5F6</a></li> <li><a href="http://cerberhhyed5frqa.cmr95i.top/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.cmr95i.top/C1AB-E64A-7D44-006D-F5F6</a></li> <li><a href="http://cerberhhyed5frqa.45gf4t.win/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.45gf4t.win/C1AB-E64A-7D44-006D-F5F6</a></li> <li><a href="http://cerberhhyed5frqa.lfotp5.top/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.lfotp5.top/C1AB-E64A-7D44-006D-F5F6</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared 
menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the 
address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/C1AB-E64A-7D44-006D-F5F6</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you 
can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>
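The two note variants extracted above carry the same indicators in different wrappings: one victim ID repeated in every path, a single .onion hostname, and five clearnet gateway hosts that reuse the onion label (cerberhhyed5frqa) as a subdomain of a rotating registrable domain. The Python below is an added triage helper written for this page; it is not the sandbox's extraction code and not part of the report. TXT_NOTE and HTML_NOTE are constructed excerpts of the two notes shown above, and the field names of the returned dict are my own choice.

```python
import json
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9\-._~/]*)?")
# Victim IDs in this note family: five dash-separated groups of four hex digits as the whole path.
VICTIM_ID_RE = re.compile(r"/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})(?:/|$)")


def extract_urls(note: str) -> list:
    """Distinct URLs in first-seen order. Works on the TXT and HTML variants alike,
    since hrefs, link text and the <span class="tor"> body are all plain URL strings."""
    urls = [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(note)]
    return list(dict.fromkeys(urls))


def parse_cerber_note(note: str) -> dict:
    """Split the URLs into victim ID, Tor host, clearnet gateways and unrelated hosts."""
    ids, tor, gateways, other = set(), [], [], []
    for url in extract_urls(note):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        m = VICTIM_ID_RE.search(parts.path)
        if m:
            ids.add(m.group(1))
        if host.endswith(".onion"):
            tor.append(host)
        elif m:
            gateways.append(host)   # clearnet redirector carrying the same victim path
        else:
            other.append(host)      # Tor download page, YouTube: not attacker infrastructure
    label = tor[0].split(".")[0] if tor else None
    rotating = [h[len(label) + 1:] for h in gateways if label and h.startswith(label + ".")]
    return {
        "victim_id": next(iter(ids)) if len(ids) == 1 else None,  # None if absent or ambiguous
        "onion_label": label,                                      # durable pivot across gateways
        "tor_hosts": list(dict.fromkeys(tor)),
        "gateway_hosts": list(dict.fromkeys(gateways)),
        "rotating_domains": list(dict.fromkeys(rotating)),         # e.g. "cneo59.win"
        "other_hosts": list(dict.fromkeys(other)),
    }


# Constructed excerpt of the TXT note above (not the full note).
TXT_NOTE = """C E R B E R   R A N S O M W A R E
There is a list of temporary addresses to go on your personal page below:
| 1. http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6 |
| 2. http://cerberhhyed5frqa.we34re.top/C1AB-E64A-7D44-006D-F5F6 |
| 3. http://cerberhhyed5frqa.cmr95i.top/C1AB-E64A-7D44-006D-F5F6 |
| 4. http://cerberhhyed5frqa.45gf4t.win/C1AB-E64A-7D44-006D-F5F6 |
| 5. http://cerberhhyed5frqa.lfotp5.top/C1AB-E64A-7D44-006D-F5F6 |
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar;
| http://cerberhhyed5frqa.onion/C1AB-E64A-7D44-006D-F5F6 |
please, visit https://www.youtube.com/ and type request in the search bar install tor browser windows.
"""

# Constructed excerpt of the HTML note above.
HTML_NOTE = """<li><a href="http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6" target="_blank">http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6</a></li>
<li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/C1AB-E64A-7D44-006D-F5F6</span> in this browser address bar;</li>
<p>visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a></p>"""

if __name__ == "__main__":
    for name, note in (("txt", TXT_NOTE), ("html", HTML_NOTE)):
        print(name, json.dumps(parse_cerber_note(note), indent=2))
```

The useful pivot here is the onion label rather than any one gateway: the registrable domains (cneo59.win, we34re.top, and so on) are disposable, while the label stays with the onion service, so a block or hunt on `cerberhhyed5frqa.*` catches the next rotation as well. The torproject.org and youtube.com hosts are deliberately kept out of the gateway list so they do not end up on a blocklist.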

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016. Its notes point victims at a fixed .onion service fronted by rotating clearnet gateway domains, as the extracted configuration above shows.

  • Contacts a large (2065) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For a Cerber sample the more likely cause is its documented UDP spray of statistics beacons to a wide address range, which produces a burst of one-packet flows to many hosts rather than service discovery; check the destination ports and payload sizes before treating it as a scan.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence: Cerber is known to abort on systems whose locale belongs to a CIS country.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials. In a ransomware chain this is more often the encryption pass walking browser profile directories than credential theft; confirm with the file-access events before treating it as an infostealer indicator.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services; here it is the same burst of outbound flows as the remote-host count above, consistent with Cerber's UDP beaconing rather than a scan.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
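Read together, the signature list and the process tree below describe one recognizable chain: the sample re-launches its own image (SetThreadContext and WriteProcessMemory on a child with the same path), drops sdchange.exe into a GUID-named folder under AppData\Roaming, re-launches that the same way, sets both the ordinary Run key and the Policies\Explorer\Run key, changes the wallpaper, writes the two ransom notes and opens the HTML note in Edge. The Python below is an added detection sketch written for this page, not the sandbox's own rules. It runs over constructed Sysmon-style events: the image paths, PIDs and note paths come from this report, while the event dict layout, the Run value name `sdchange`, the wallpaper path, the rule weights and the benign noise entries are assumptions. It scores each process tree rather than each event, so that one Run key or wallpaper change alone does not fire.

```python
import re

# One cheap test per behaviour the report attributes to the chain.
RANSOM_NOTE_RE = re.compile(r"\\# DECRYPT MY FILES #\.(?:txt|html)$", re.IGNORECASE)
GUID_DIR_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\[^\\]+\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp)\\", re.IGNORECASE)
POLICIES_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run\\", re.IGNORECASE)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

# Weights are an assumption; the note drop dominates because it is the least ambiguous signal.
WEIGHTS = {"self_spawn": 2, "guid_dir_exec": 2, "policies_run_key": 3, "run_key_guid_dir": 2,
           "wallpaper_set": 1, "ransom_note_drop": 5, "note_opened_in_browser": 2}
THRESHOLD = 8


def match_event(ev: dict) -> list:
    """Names of the rules that fire on a single event."""
    hits = []
    if ev["event"] == "process_create":
        image, parent = ev["image"], ev.get("parent_image", "")
        # same image as the parent, launched from a user-writable path: hollowed second instance
        if image.lower() == parent.lower() and USER_WRITABLE_RE.search(image):
            hits.append("self_spawn")
        if GUID_DIR_EXE_RE.search(image):
            hits.append("guid_dir_exec")
        if image.rsplit("\\", 1)[-1].lower() in BROWSERS and "# DECRYPT MY FILES #" in ev.get("cmdline", ""):
            hits.append("note_opened_in_browser")
    elif ev["event"] == "registry_set":
        key, value = ev["key"], ev.get("value", "")
        if POLICIES_RUN_RE.search(key):
            hits.append("policies_run_key")
        if RUN_RE.search(key) and GUID_DIR_EXE_RE.search(value):
            hits.append("run_key_guid_dir")
        if WALLPAPER_RE.search(key):
            hits.append("wallpaper_set")
    elif ev["event"] == "file_create" and RANSOM_NOTE_RE.search(ev["path"]):
        hits.append("ransom_note_drop")
    return hits


def score_tree(events: list) -> dict:
    """Attribute every hit to the root of its process tree and score the tree as a whole."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["event"] == "process_create"}

    def root(pid):
        seen = set()
        while pid in parent and parent[pid] in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    findings = {root(p): {"rules": set()} for p in parent}
    for ev in events:
        for rule in match_event(ev):
            findings.setdefault(root(ev["pid"]), {"rules": set()})["rules"].add(rule)
    for f in findings.values():
        f["score"] = sum(WEIGHTS[r] for r in f["rules"])
        f["verdict"] = "cerber-like ransomware chain" if f["score"] >= THRESHOLD else "no finding"
    return findings


# Constructed events mirroring the tree in this report (field layout is an assumption, not Sysmon's).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"


def proc(pid, ppid, image, parent_image, cmdline=""):
    return {"event": "process_create", "pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline or image}


def reg(pid, key, value=""):
    return {"event": "registry_set", "pid": pid, "key": key, "value": value}


def fil(pid, path):
    return {"event": "file_create", "pid": pid, "path": path}


EVENTS = [
    proc(1564, 900, SAMPLE, r"C:\Windows\explorer.exe"),
    proc(1840, 1564, SAMPLE, SAMPLE),                       # self-spawn of the dropper
    proc(2072, 1840, DROPPED, SAMPLE),
    proc(1344, 2072, DROPPED, DROPPED),                     # self-spawn of the payload
    reg(1344, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdchange", DROPPED),
    reg(1344, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sdchange", DROPPED),
    reg(1344, r"HKCU\Control Panel\Desktop\Wallpaper", r"C:\Users\Admin\AppData\Roaming\wallpaper.bmp"),
    fil(1344, r"C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt"),
    fil(1344, r"C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html"),
    proc(4384, 1344, EDGE, DROPPED, EDGE + r" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html"),
    # benign noise: an ordinary user process and a normal per-user Run value
    proc(5000, 900, r"C:\Program Files\Notepad++\notepad++.exe", r"C:\Windows\explorer.exe"),
    reg(5000, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for root_pid, f in score_tree(EVENTS).items():
        print(root_pid, f["score"], f["verdict"], sorted(f["rules"]))
```

Scoring per tree is what keeps the OneDrive Run value and the self-spawn of a legitimate updater from producing alerts on their own; the ransom-note write is the one rule that is close to conclusive by itself, which is why it carries the largest weight and why the `# DECRYPT MY FILES #` file names from this report are worth a file-creation rule of their own.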

Processes

  • C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
        "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
          "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe"
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4384
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83e1946f8,0x7ff83e194708,0x7ff83e194718
              6⤵
                PID:3036
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
                6⤵
                  PID:2364
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
                  6⤵
                    PID:876
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
                    6⤵
                      PID:1148
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
                      6⤵
                        PID:5072
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
                        6⤵
                          PID:3636
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
                          6⤵
                            PID:3404
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
            6⤵
            PID:1316
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
            6⤵
            PID:2388
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
            6⤵
            PID:4896
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
            6⤵
            PID:4824
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
            6⤵
            PID:2836
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
            6⤵
            PID:3452
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
            6⤵
            PID:5256
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
            6⤵
            PID:5532
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6410228234235218859,7483199881163438242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
            6⤵
            PID:6140
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
          5⤵
          PID:3936
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6?auto
          5⤵
          PID:428
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x8c,0xe0,0x104,0x90,0x108,0x7ff83e1946f8,0x7ff83e194708,0x7ff83e194718
            6⤵
            PID:4704
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          5⤵
          PID:4488
        • C:\Windows\system32\cmd.exe
          /d /c taskkill /t /f /im "sdchange.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe" > NUL
          5⤵
          PID:5668
          • C:\Windows\system32\taskkill.exe
            taskkill /t /f /im "sdchange.exe"
            6⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:5720
          • C:\Windows\system32\PING.EXE
            ping -n 1 127.0.0.1
            6⤵
            • Runs ping.exe
            PID:5800
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe" > NUL
      3⤵
      • Suspicious use of WriteProcessMemory
      PID:3464
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
        4⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4524
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        4⤵
        • Runs ping.exe
        PID:2024
• C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
  C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
  1⤵
  • Executes dropped EXE
  • Loads dropped DLL
  • Suspicious use of SetThreadContext
  • Drops file in Windows directory
  • Suspicious use of WriteProcessMemory
  PID:2452
  • C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
    C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
    2⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:588
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:1592
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:1044
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x51c 0x2ec
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:1468
• C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
  C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
  1⤵
  • Executes dropped EXE
  • Loads dropped DLL
  PID:5616
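Three behaviours in the tree above are worth turning into detections: a cmd.exe one-liner that kills the calling executable, pings localhost once as a short delay, then deletes the file (used both for the original sample and for the dropped sdchange.exe); the dropped sdchange.exe in a GUID-named Roaming directory launching a second copy of itself while the parent is flagged for SetThreadContext and WriteProcessMemory; and the ransom note being opened through NOTEPAD.EXE, WScript.exe and msedge --single-argument. The following is an added example, not part of the sandbox report, that applies those checks to process-creation records. The records are constructed from the tree (PIDs and command lines as shown there; parent PIDs are filled in only where the nesting shows them, otherwise 0), and the regexes and finding labels are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / 4688 shaped)."""
    pid: int
    ppid: int      # 0 = parent not shown in the report excerpt
    image: str
    cmdline: str


# Paths taken from the report's process tree.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

GUID_DIR = re.compile(r"\\AppData\\Roaming\\\{[0-9A-F-]{36}\}\\[^\\]+\.exe$", re.I)
TASKKILL = re.compile(r'taskkill\s+(?:/[tf]\s+)*/im\s+"?([^"\s]+)"?', re.I)
DEL_TARGET = re.compile(r'\bdel\s+"([^"]+)"', re.I)
NOTE_FILE = re.compile(r"# DECRYPT MY FILES #\.(?:txt|html|vbs)", re.I)
SINGLE_ARG_URL = re.compile(r"--single-argument\s+(https?://\S+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def self_delete_target(ev: ProcEvent) -> Optional[str]:
    """Match the 'taskkill /f /im X & ping -n 1 127.0.0.1 & del X' chain under cmd.exe
    and return the deleted path when the killed image and the deleted file agree."""
    if basename(ev.image) != "cmd.exe":
        return None
    kill, delete = TASKKILL.search(ev.cmdline), DEL_TARGET.search(ev.cmdline)
    if not (kill and delete and "127.0.0.1" in ev.cmdline):
        return None
    return delete.group(1) if basename(delete.group(1)) == kill.group(1).lower() else None


def ransom_note_launch(ev: ProcEvent) -> Optional[str]:
    """Viewer opening the dropped note, or the browser sent straight to the payment URL."""
    exe = basename(ev.image)
    note = NOTE_FILE.search(ev.cmdline)
    if exe in ("notepad.exe", "wscript.exe") and note:
        return f"{exe} opened {note.group(0)}"
    url = SINGLE_ARG_URL.search(ev.cmdline) if exe == "msedge.exe" else None
    return f"browser opened {url.group(1)}" if url else None


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if GUID_DIR.search(ev.image):
            findings.append((ev.pid, "executable run from a GUID-named Roaming directory"))
        # Same image spawning itself; with the SetThreadContext and WriteProcessMemory
        # flags the report puts on the parent, this is the shape of process hollowing.
        if parent and parent.image.lower() == ev.image.lower():
            findings.append((ev.pid, "same-image child (hollowing candidate)"))
        target = self_delete_target(ev)
        if target:
            findings.append((ev.pid, f"self-delete chain targeting {target}"))
        note = ransom_note_launch(ev)
        if note:
            findings.append((ev.pid, note))
    return findings


# Constructed from the tree above: real PIDs and command lines, parent PIDs only
# where the nesting shows them (sdchange.exe 588 under 2452), otherwise 0.
EVENTS = [
    ProcEvent(2452, 0, DROPPED_EXE, DROPPED_EXE),
    ProcEvent(588, 2452, DROPPED_EXE, DROPPED_EXE),
    ProcEvent(5668, 0, r"C:\Windows\system32\cmd.exe",
              r'/d /c taskkill /t /f /im "sdchange.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "'
              + DROPPED_EXE + '" > NUL'),
    ProcEvent(3464, 0, r"C:\Windows\SysWOW64\cmd.exe",
              r'/d /c taskkill /t /f /im "385af1697f3c8dc280ca4eca303cd79a_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "'
              + SAMPLE_EXE + '" > NUL'),
    ProcEvent(3936, 0, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt'),
    ProcEvent(4488, 0, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"'),
    ProcEvent(428, 0, EDGE,
              f'"{EDGE}" --single-argument http://cerberhhyed5frqa.cneo59.win/C1AB-E64A-7D44-006D-F5F6?auto'),
    ProcEvent(1316, 0, EDGE, f'"{EDGE}" --type=renderer --lang=en-US /prefetch:1'),  # benign renderer, trimmed
]

if __name__ == "__main__":
    for pid, why in triage(EVENTS):
        print(pid, why)
```

The self-delete check deliberately requires the killed image name and the deleted file name to agree; a cmd.exe that kills one process and deletes an unrelated file is common in installers and would otherwise be a noisy match.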

                                                Network

MITRE ATT&CK Matrix (ATT&CK v13)

The number in parentheses is the count the report attaches to each technique.

Persistence
  T1547      Boot or Logon Autostart Execution (2)
  T1547.001  Registry Run Keys / Startup Folder (2)

Privilege Escalation
  T1547      Boot or Logon Autostart Execution (2)
  T1547.001  Registry Run Keys / Startup Folder (2)

Defense Evasion
  T1112      Modify Registry (3)

Credential Access
  T1552      Unsecured Credentials (1)
  T1552.001  Credentials In Files (1)

Discovery
  T1046      Network Service Discovery (2)
  T1012      Query Registry (2)
  T1082      System Information Discovery (3)
  T1018      Remote System Discovery (1)

Collection
  T1005      Data from Local System (1)

Impact
  T1491      Defacement (1)


                                                Downloads

                                                • C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
                                                  Filesize

                                                  12KB

                                                  MD5

                                                  e6baaab7cf7ad10c053e3aabe1dc4ecf

                                                  SHA1

                                                  7dfceda11a6b88959b749dcfa69d76a53f89cd9f

                                                  SHA256

                                                  f05cf4d9ae7caa64ad3cf8dab70b79bce437e4e5ef1d5cb716bf4aa54d4c6160

                                                  SHA512

                                                  fcfca0690fc4e308468ab3722e3bc9891fd4aaa133ff7da15e16f12ee56f53cc2b8a3da64a4c1ed1486a3262e3a96aceb57c167fc9f6e328a057fbdfff925c97

                                                • C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
                                                  Filesize

                                                  10KB

                                                  MD5

                                                  b1f8d6c64020dc7bb3f542feb18269b9

                                                  SHA1

                                                  4aef056b8609275870661338423ba127032e9ebc

                                                  SHA256

                                                  c78ca26726d895cf29c8a74089ec6f66a8d866c87ac819e7e26c4502affa518e

                                                  SHA512

                                                  b49940ab002f4cab66cb8514de01f355cf1a502daa0c1732c33deca692ce906e5c8a210fcabc19b92866af1dac5c93d341c5722517adce03d9da1da749be8720

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                  Filesize

                                                  152B

                                                  MD5

                                                  ecdc2754d7d2ae862272153aa9b9ca6e

                                                  SHA1

                                                  c19bed1c6e1c998b9fa93298639ad7961339147d

                                                  SHA256

                                                  a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

                                                  SHA512

                                                  cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                  Filesize

                                                  152B

                                                  MD5

                                                  2daa93382bba07cbc40af372d30ec576

                                                  SHA1

                                                  c5e709dc3e2e4df2ff841fbde3e30170e7428a94

                                                  SHA256

                                                  1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

                                                  SHA512

                                                  65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  5KB

                                                  MD5

                                                  34bfea3b0f29b23dddf4ce8fc4722cbc

                                                  SHA1

                                                  66c529d0a65fe0855b8d3b301ef9b0f49ea86305

                                                  SHA256

                                                  38bed436aee01f536f8232059519674fa72a500f73c1b1be2486526b010bef15

                                                  SHA512

                                                  2580c2247be5d017e739ae86a8944d01404f2dbeff39d435c23adc9449354f8eb27ad22bc94f48b40d20fd3958d92b2626ea640b9ffa51dc68e3f88c9341bc48

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  6KB

                                                  MD5

                                                  31dfbbaccb04cad86a65373ce5c1a849

                                                  SHA1

                                                  2f6c53bf55803db5a3fe8073d7e16c472d303323

                                                  SHA256

                                                  7fd1b31465df9e2fff6fa04e71816b72d48da12607356fd6863571613bacf67b

                                                  SHA512

                                                  8a9e330c65f36e279ce96915204f0b05a7bd69d9ff73b218d9b55778d0125cd8b3cb3608479c9232398de7b873a699cdf5a853e1d7f6890740d0d8087a821a7c

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                  Filesize

                                                  16B

                                                  MD5

                                                  6752a1d65b201c13b62ea44016eb221f

                                                  SHA1

                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                  SHA256

                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                  SHA512

                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                  Filesize

                                                  11KB

                                                  MD5

                                                  a94443b27f0b8191eb24d52f61f7b477

                                                  SHA1

                                                  4b78b16ec4524a9e367f5c3c8525742081e57cef

                                                  SHA256

                                                  1d19c5302ef209068cfd7050ae98c1387e3fd187ef6d5b8db6761ab5ab0b7c96

                                                  SHA512

                                                  09218d21d726992ec955c61989ca111cd919c54a0e9c80978a7186f5a9b04f14b05510216d1a54826ca05809c3d4732db7a30fef9ce92a0bbe7b8b289026861a

                                                • C:\Users\Admin\AppData\Local\Temp\nsw303A.tmp\System.dll
                                                  Filesize

                                                  11KB

                                                  MD5

                                                  6f5257c0b8c0ef4d440f4f4fce85fb1b

                                                  SHA1

                                                  b6ac111dfb0d1fc75ad09c56bde7830232395785

                                                  SHA256

                                                  b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

                                                  SHA512

                                                  a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

                                                • C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05012015040015.xml
                                                  Filesize

                                                  922B

                                                  MD5

                                                  2441eb89ca0fdf56ee7b248574cdcc34

                                                  SHA1

                                                  1996c906f2525d15333b0bbb516c8ec8ac53c537

                                                  SHA256

                                                  618b5228301b0ba1898110336137e8668e56392249356adc5d8643dbc7e5ee48

                                                  SHA512

                                                  ff19f6a29511b7adb1261808a0cfa3466d5b50ef2c03755cb5e0db054a2345cb87f298affd8822bf19e294030c3c9734fe861af9d1e5702f7dc6af717cc09a83

                                                • C:\Users\Admin\AppData\Roaming\401-5.htm
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  431b67e464486add8912ba19ba8dba03

                                                  SHA1

                                                  1e19d1844548c0aed8d9723dca02de0e500e7f4c

                                                  SHA256

                                                  a8b19979f9011710e1a839690d109188eba8d4ba9890efcb1333b056bf0f831f

                                                  SHA512

                                                  b2fc415ad7255f24a06c1f345edff3bb2059b4328f2a7f5cf78e6592baa59aaa88af7b0da533e0a59b4b58761b5bba07d7c0ee9cdec31af0df20e1fb28e3d9ff

                                                • C:\Users\Admin\AppData\Roaming\ActionInfo.java
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  81fa79dfd944fc960b1a93e7e242d13b

                                                  SHA1

                                                  5e1534edda93c74c30e2bd1b07adcd992f70b1b1

                                                  SHA256

                                                  d52f3713b6bb99d5a124f352654ea06e6856d521b354b75b8662babf4f2bae9b

                                                  SHA512

                                                  36b3752c5526dd38f933cd5d430493ebe60779c1dd39076e5fd137d82dd750be95a4e0a01d2bb318df174cb710ed5e8694274330052d11fc638d149844612836

                                                • C:\Users\Admin\AppData\Roaming\Adobe-CNS1-3
                                                  Filesize

                                                  4KB

                                                  MD5

                                                  02fc9c141c7fe565396ee5479e0206e4

                                                  SHA1

                                                  94f8be8f0a8f5245155686c37a78b83ba51d6984

                                                  SHA256

                                                  dd0a8f1fe12bdab4387ac528e12244ee68bb6d098548e31e84343e8660b9ba2d

                                                  SHA512

                                                  0ca311a23f55ba2c4eefedf7a2280257113ed77c3dd7a7d6c4d04c4e1a51de6c3596c4cc8bce413f3799e3f279ae31b402ca26de24584fa97060e0a6fa24a307

                                                • C:\Users\Admin\AppData\Roaming\Ageratum.w
                                                  Filesize

                                                  3KB

                                                  MD5

                                                  5371876aab8792b1544810e4fe347e29

                                                  SHA1

                                                  aadca4c0bac0f576417caaced7411aabeb5e1098

                                                  SHA256

                                                  6e7aac54de5f4c11d067a1887718a5f447ad0e07c19d1aae375d8c4c716dbb49

                                                  SHA512

                                                  7e770d02a7da88bf4217f8151f0bc23bca1578d6571a4fd98eead453e54f5a420a76644a47c13726e0caaa7961aa0400f3f936570afd072f795197165ef787b9

                                                • C:\Users\Admin\AppData\Roaming\BCY green 2.ADO
                                                  Filesize

                                                  524B

                                                  MD5

                                                  c5db28a2e96c21437f165c6383197907

                                                  SHA1

                                                  291fd6e83f7bb84ca7867cfeb0fd09ce1b8d4d03

                                                  SHA256

                                                  533cd7262b177c70e80265298c1956d86bf49bc7936d8817b218abbe8f28fafd

                                                  SHA512

                                                  714fb27977897bf8026bdae465a207d35aec54237d4accfaec65cd2362aecae410e3e4bdb09b568b029a96e6534e63e3569b83b40b52e4a3dd1e5ca2cf79e83b

                                                • C:\Users\Admin\AppData\Roaming\BlackRectangle.bmp
                                                  Filesize

                                                  4KB

                                                  MD5

                                                  a59552f1c776a3745ca8391aff8bcca6

                                                  SHA1

                                                  be8e062d1fec7eed2ab33177019069798fde07ff

                                                  SHA256

                                                  4adb9b44ae64eee08d87750ba2cd2ddb1e88da5ff7e90c63d813755d73a92005

                                                  SHA512

                                                  1ee933756e08f71219753f5921ccbc8c307541ce4bfc15a654cbea075d7c28071b627779cec9d2146d8263e37dc8005bd333275058dc0de9a62c74391bd24595

                                                • C:\Users\Admin\AppData\Roaming\Blowfish.dll
                                                  Filesize

                                                  11KB

                                                  MD5

                                                  162f091bc878c23dc07bd5d252b85102

                                                  SHA1

                                                  36785ee3ac4bf5e2e5494c665668b96deebdb5e2

                                                  SHA256

                                                  90ddec5a0d2bad402ef79988914970e7904f6448d8bf87b85f979d27bf0a0606

                                                  SHA512

                                                  ff413fa363f2e9e23a4b76053bff8fdd81832e6110cb838b369a3a1285fa536f14a8a91a9489a18dd51ff6e48f388803beaa0aeb70c92d2979170e94e2216592

                                                • C:\Users\Admin\AppData\Roaming\Boise
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  46866a49bb80f05024b94dfaf49d6af8

                                                  SHA1

                                                  b8b759cddda32c7eee8d8d76b9a3e6cfcaaf9b05

                                                  SHA256

                                                  1cc8d2f24ecfc2b71857ff973f8a17ec2eeed7495dd3db02f6d5f1b7c4deb528

                                                  SHA512

                                                  d42ad553e700f6b88411909ca241a8db3b2f5e1f38056fd2b5a873b192bbd6e437bb81c8500d2e44fdf564f11568247f186154564abf3a549bed1a7a112f9f2a

                                                • C:\Users\Admin\AppData\Roaming\CNS2-V
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  68ba9ca1e541c73104daf446938e5583

                                                  SHA1

                                                  9d863f17dfbe0e7ac172fddbcc5fde8e636d49ef

                                                  SHA256

                                                  d6a643978fd39cf31494da165c80d655de92565c834af7457cd2828fe7548a09

                                                  SHA512

                                                  023cad6108ad3d505f8d9ca340f004bee44f74817a43cc94a6c316fdbc1346b3af9a16c887af55cb6942370e84df4ebdeadd8fa8b4e335a2365f41cd4c1ed525

                                                • C:\Users\Admin\AppData\Roaming\CNS2-V
                                                  (no Filesize shown; the digests below are those of a zero-byte file)
                                                  MD5

                                                  d41d8cd98f00b204e9800998ecf8427e

                                                  SHA1

                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                  SHA256

                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                  SHA512

                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                • C:\Users\Admin\AppData\Roaming\Efate
                                                  Filesize

                                                  233B

                                                  MD5

                                                  a1e91923c47567f6a6e8b4759efbdce8

                                                  SHA1

                                                  96472c46cc0d85901b0612b27e6ed1b927310534

                                                  SHA256

                                                  3947884f27876aba39f268da374a8aadffe79eb7068e85c1d244487294e132ec

                                                  SHA512

                                                  26cf0f0e925b4da8f49fea549c95d171e2c771057c52948679efd17ec821bc1e7774cf78ca08dcc60adf2cb449da67526f6077f0b0f582ab5126f5a743729e13

                                                • C:\Users\Admin\AppData\Roaming\Gambier
                                                  Filesize

                                                  65B

                                                  MD5

                                                  18eac4b6b7149274ea66f02c467fe5fe

                                                  SHA1

                                                  f2b9fff005feb2f8d573833552c62465316fce03

                                                  SHA256

                                                  096be05f33b3bade8093bb35977c4c19d3fed290da514747ed03cef359170315

                                                  SHA512

                                                  f02a26cb37eca5da6a28ef02d7003fa73509c92233ed5510c350a33a025c21b00eb9b1ea5ad847f24bbee7c64e580de3b8a71c1884090e65e91e6b9e1d134c20

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  a881ab144c3d1ae77eb5eb9db15f3604

                                                  SHA1

                                                  cccccf7dc4a5e061eea371b695521fb28812df51

                                                  SHA256

                                                  f0d65ed6502c78da52cafb9e947a4792e1fc5c0b62d8f5b061c69aa5e16abc12

                                                  SHA512

                                                  fb9391627fbd8ba6b45e317909fa9c8267a37e2c9533e7dbb4de031de68704f51214e441bdc0dbe4adcce240fb26766716895e3585f1112bf5e2d1646267d17e

                                                • C:\Users\Admin\AppData\Roaming\Votary.w
                                                  Filesize

                                                  128KB

                                                  MD5

                                                  de0c11b1f825fe79eea50696673311fa

                                                  SHA1

                                                  8511cb0309233e99f8b4e3bd8dbb286a79a9009c

                                                  SHA256

                                                  5b21f2c9a59f86d537de5cb69607b2833a127397f63874a8bacd4e60b8f8ba4a

                                                  SHA512

                                                  79945e797c7a932a8ca642cb9271b10858fecace01937b2fe6a600736281d487e713b752c710130e82f0c1a64d09d74f8040b09e6f47dcc13ead2e753e6f8119

                                                • C:\Users\Admin\AppData\Roaming\annotations.xsl
                                                  Filesize

                                                  698B

                                                  MD5

                                                  5e12d213c51e81583c3396448e65a451

                                                  SHA1

                                                  73610d7d9e52526d65ba6626922a40a3c8225732

                                                  SHA256

                                                  f1f317710778eae65cde8266eda110a3e237171020e3e0fd8863b9103952836a

                                                  SHA512

                                                  4165e60f036c557b70f13817043a8ed9304bb424b714713a41a173b62a72d5e7568ab951077672a7f1a07b15f2aa6925bdb7f2dec17f387b4b36a41c9d0aa127

                                                • C:\Users\Admin\AppData\Roaming\atstamp.xsl
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  ee1ea399056a74f3e90996b198b23533

                                                  SHA1

                                                  1bf06bc18cd19e769a23fb1c7dde3ac82d1dc05e

                                                  SHA256

                                                  0d5620c426c14276135373978f381b53dc5d0fd0b9c3ec0d07e597eb53f8c3ae

                                                  SHA512

                                                  497222110bb4698ef6034b166577c53c9c06b48c26bcbe2dfcb97299fee0aed7268e3733c171a019ddafe92cbea10795cf3ae2995bfed94e2127a9e83c09a0e4

                                                • C:\Users\Admin\AppData\Roaming\batik.NOTICE.txt
                                                  Filesize

                                                  702B

                                                  MD5

                                                  057093f3e2fb79cc8f84d11577d28420

                                                  SHA1

                                                  ce7046631d30d1a29be7abec225062c382d77bfe

                                                  SHA256

                                                  aca191714442d813bf736730cb6be9c2150b09be3840e6678a18e5b057b52f4c

                                                  SHA512

                                                  5f0c2b00e93da4ab83995a7e6935e32b2a9a280a715fbeea35aec40168115c8e91cbcb5f5812ae85d18c5a57e02f762b3943624cf482e217d7f626b573795c0f

                                                • C:\Users\Admin\AppData\Roaming\callout.icon.size.xml
                                                  Filesize

                                                  923B

                                                  MD5

                                                  524be3d8b21c7b33c619ceb3d968fbf4

                                                  SHA1

                                                  3b14fa89d2cb0541da1482d21b06d640a787e45f

                                                  SHA256

                                                  f6993201c3af85c8461426c311c099894d2a0f70632f4e51e96b60b544dffb41

                                                  SHA512

                                                  ff5628c5c5f05a25f08047ec25531f82d06c8ca32bfbc8aa992da62b94af50f3a501fcbc90337f292a471edfd00d285bb3c6f267eb809d26f1e2bcea9a9f83ab

                                                • C:\Users\Admin\AppData\Roaming\chapter.autolabel.xml
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  7623f2b569ab91833cd345eead830e73

                                                  SHA1

                                                  e95ea6aa4880ed4d5616d1766d514541c815b0e5

                                                  SHA256

                                                  4e5e5197a7baa85df15b2ab86932f8c90c24e4a1896f84e44c263f1af46bde43

                                                  SHA512

                                                  d31796f75db3c503c78298d16eef50700a57899f473a2ee3723899c6c0bd6c448c2b90270742f3b32446c0a105cb10beb2dafe81f4dd3b4dca7738a1dc674c98

                                                • C:\Users\Admin\AppData\Roaming\cleanmgr.png
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  f341233b35df61978a142487b89c6f4b

                                                  SHA1

                                                  5bb6c709ead39c4642dd9d5666a4cab1cabd25df

                                                  SHA256

                                                  6e70478b7b9618d1615e1bf96667dba878142ce57749c30f467c18dd5f9688c7

                                                  SHA512

                                                  2a608c9b31d603686fd109b4bb75d8fe6d3d212fdcc8d02349fd2b83278db0836a7e45d886727d7df20c3eda1b8f2265809c214efd5970082b680ac95dd862ef

                                                • C:\Users\Admin\AppData\Roaming\close_down.png
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  0b4c456e11bf25d883e8f265368e5989

                                                  SHA1

                                                  30bc42209dca7f0e39d68485d226ada5e5f0d18c

                                                  SHA256

                                                  01bddb021ba9db0385876496c4b3fea84708b0e8e304d2ac9df15205e3f51dac

                                                  SHA512

                                                  3dd02c261d2d091988008fbfb7b22043d2ca64170d464a8ec23f60f38fa90eeab0e7d28793048d5b70069b75fb515dd94188f7c28725fc14ba1b2d766b076681

                                                • C:\Users\Admin\AppData\Roaming\compass_marker.png
                                                  Filesize

                                                  3KB

                                                  MD5

                                                  227fb8e068d500dc6ccbd62cc1682bc1

                                                  SHA1

                                                  16f3901b9b4c74fbb6f8f9cc71748196eae09f51

                                                  SHA256

                                                  1b0b09e8f1108de72f11263b1b7f3932ccf9b38d7c3bfb47a1e697ef58ea93e5

                                                  SHA512

                                                  b17dbef4878998037ed65f75bccaaeea63ed7cff13c7c088c78c8248317e5b05a641cadd2148a634fe8e2a04951a6d54970ea1d234c7a0dd97ae57ba5b2cb905

                                                • C:\Users\Admin\AppData\Roaming\computer_diagnostics.png
                                                  Filesize

                                                  3KB

                                                  MD5

                                                  bd8078dcc074aaebdc63ba53082e75c2

                                                  SHA1

                                                  a3887f75154e5de9921871a82fe3d6e33b7b5ba7

                                                  SHA256

                                                  9e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e

                                                  SHA512

                                                  9a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66

                                                • C:\Users\Admin\AppData\Roaming\css.xsl
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  ded24462fb0c166fbe5ef1565485fc4e

                                                  SHA1

                                                  4b499df9d3993106e71adc8880a62d14f03149c1

                                                  SHA256

                                                  980629ce32592a6cf0a0d0897bfd469adba888966dbb9e11f4dbd72b642424e3

                                                  SHA512

                                                  010033a51437cbd2d8271941db82a2ecc3200aa0f2d4fcdde1c8491c945b05f40aa245fa492cbcec254e6cd255de0a86b6d7097511f0eab05d484d91d3faf2e2

                                                • C:\Users\Admin\AppData\Roaming\dsfroot.inf
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  a9525c72b61ca351d7adc155866f3331

                                                  SHA1

                                                  1acd90bbb46c2d8ede1018bb62e8fbf4b788326f

                                                  SHA256

                                                  44f7115e9c4a02f1a1d712ba719094c5e68f7850bd9247dc14d381ac53ad1c19

                                                  SHA512

                                                  15d2512ab113662728af610d2c9c2583043bf20b53433a2e1aa11590a3c61da6a48c0ba8bd7268abb7ca4e5bea9f54cb95bc397a004490b4efe134b2355d431a

                                                • C:\Users\Admin\AppData\Roaming\email.mailto.enabled.xml
                                                  Filesize

                                                  1012B

                                                  MD5

                                                  00b985be2ff3a54b1a40727574f4113e

                                                  SHA1

                                                  ddcba70fb5bace0ccd241d7c9552c80954aed645

                                                  SHA256

                                                  e3cb99162c94217f05f416303cab7cf1e1b98daa0c159d9aa2e12a4d09852063

                                                  SHA512

                                                  4f9e7bb76a321cd524275239391daf2e9d4b3e2f5a81a65bed5f56c26dc1ebe874f23bea8d009b51ca1845d9b303af7146dedc0d61815c82593e31670a59f1b3

                                                • C:\Users\Admin\AppData\Roaming\en_GB.lng
                                                  Filesize

                                                  62B

                                                  MD5

                                                  8d63bbff3bb89a80861e33042680a423

                                                  SHA1

                                                  be8a5ea0dea66d97d2006c76a3677fd56cdcd70c

                                                  SHA256

                                                  419b9c5901170236a918d64bedeae838bef031e354651ee300bd8b03af6d01f9

                                                  SHA512

                                                  4ffaafb44b065f8b4341405b3a2e2b728b9db5a6ebb1d0249d2137902f3a0189f7427e6ad4894e43e89ddcb2e5b41a3bdfdd795c4c19826aa91f69f89c73630e

                                                • C:\Users\Admin\AppData\Roaming\engine_glow.jpg
                                                  Filesize

                                                  3KB

                                                  MD5

                                                  f8e64c91f63872f6cd8a5a8eaac8c0c3

                                                  SHA1

                                                  4b8c896f763b5a8400826ea796dcc96c0210d1fa

                                                  SHA256

                                                  a168bcf78cc7e0a02a6f427f2b3e32b9912d8afc5ef3d3923091f03769242c92

                                                  SHA512

                                                  f1d60a437ff4337393009e2bb65f0f9459eb79eeceead3e6ffbaab9f82dc782c8172d5d9f63da6d156ad9b60cf879a56a9d3779c9c28905849b62e99f6a7e235

                                                • C:\Users\Admin\AppData\Roaming\engphon.env
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  8a4a4021258135dbef8fe0c4b8059b9d

                                                  SHA1

                                                  2f0fd4c492295453f8c17e6b399207811117af62

                                                  SHA256

                                                  a5bd83d0eb2a96375ad43983bc414a5ff3f1f88a87db17a3aec02c0cfbba3872

                                                  SHA512

                                                  a36138c4296a71fe1eb68e8c9904cb045d8edb17a4410804333473d48a82eb6aac6e81124da7f3c02977147437d89d85ef5a7ae7aad466a3a33a241fb087fc6b

                                                • C:\Users\Admin\AppData\Roaming\f31.png
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  8b4d93dfd0d70b162857206e8c7330b6

                                                  SHA1

                                                  a67a4d4583a08a0fd3789a7c27051ba55ccef069

                                                  SHA256

                                                  0ec0b04ccda9fc04086a5f6240ffb6f6ee6bd025c7e8233523fc68cc090e9806

                                                  SHA512

                                                  c68fef174d73f42ccbd2766ad0712770e32d51fb8085dbff01099f0521f29a746b45c456b0047109e30071edd94d54b6f50e0a79204e11180dad819fc563b6b3

                                                • C:\Users\Admin\AppData\Roaming\fontconfig.bfc
                                                  Filesize

                                                  3KB

                                                  MD5

                                                  eae4324b48ece18f48a817cb53a1fc72

                                                  SHA1

                                                  9c05c88b8f8361a06e0b6218d79605e0be55d886

                                                  SHA256

                                                  2ebd07443b5e98f38629e58c1d41a19be6f7a0cd920fcf4c093717170de6824c

                                                  SHA512

                                                  6c5ca78ba558774ebc98908488a4256b7e5cf09078218537291204e3d79f7a7408eab07c7a641467d12336d6b8ec7e20e029a383d530001b6dee4d49aaa66fb7

                                                • C:\Users\Admin\AppData\Roaming\globe.png
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  eed8f97cfcee662001cc34f0ca382db1

                                                  SHA1

                                                  631106c6b1d5b6e70e670b2f4eee3757c072f13a

                                                  SHA256

                                                  8d330af6424df369cf4e383ff5dd374742cabce0fdc8473bb9e12ccb5ad7649f

                                                  SHA512

                                                  b5215164ef4a5169c6e1888031f98a0048ec9b00ffb85dfdfb572190e70afb4e080c94c7a514ed8beab2e2551ace99ab9f4b3deb556d011af2982fbb4d630fc6

                                                • C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\sdchange.exe
                                                  Filesize

                                                  219KB

                                                  MD5

                                                  385af1697f3c8dc280ca4eca303cd79a

                                                  SHA1

                                                  d2696e30475c91cd6c0e8bb295191bf2729d2f9e

                                                  SHA256

                                                  8628de0058b0a0a3fb0a68a6e62827e28d8b74a7a0cfed84764394692caefd92

                                                  SHA512

                                                  63cebf1ebd346e8a4a460ac0d1ea586f8c648fada8bee3bf41e90e4c1dd80423a3dce063470722e5ef8092acf9987fd2bf34805a769df6231a9ab0cdbb760504

                                                • C:\Users\Admin\Downloads\# DECRYPT MY FILES #.url
                                                  Filesize

                                                  90B

                                                  MD5

                                                  91b44b3dcb2d8b7e5083e6f0678f1f9c

                                                  SHA1

                                                  1f703bd7a67c06412cd45161727c54d15be2a0d9

                                                  SHA256

                                                  6b31e73d37b46f9519f5779591c2100da121358f60928a5c893ab61a54ad27df

                                                  SHA512

                                                  04b601dac12ee07c2c591b172e1e43ca14c7ccadda9929ebb9ff4492ef8b8fb010f54d84d1962f50ca10c116e9c47dc649deef9b401322afa7d568318d03ed39

                                                • C:\Users\Admin\Downloads\# DECRYPT MY FILES #.vbs
                                                  Filesize

                                                  231B

                                                  MD5

                                                  9d8c4bfbd009c4d6001e2125abaa8b02

                                                  SHA1

                                                  cd040558172b5fca5b200447a281843956243741

                                                  SHA256

                                                  a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

                                                  SHA512

                                                  c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

                                                • memory/588-236-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/588-237-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-169-0x0000000003780000-0x0000000003781000-memory.dmp
                                                  Filesize

                                                  4KB

                                                • memory/1344-520-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-241-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-243-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-245-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-244-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-173-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-172-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-171-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-166-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-488-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-485-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-482-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-491-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-479-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-496-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-512-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-234-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-522-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-516-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-510-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-506-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-503-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-499-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-524-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-167-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-587-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-586-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1344-578-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1840-56-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1840-57-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1840-64-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1840-54-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB

                                                • memory/1840-52-0x0000000000400000-0x0000000000424000-memory.dmp
                                                  Filesize

                                                  144KB