Analysis

  • max time kernel
    145s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 22:47

General

  • Target

    3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe

  • Size

    243KB

  • MD5

    3ce23461e15c48785716ecef4a2f9be8

  • SHA1

    f8cb374c9d216f3859cd0e681ad79fb7e7e8f84d

  • SHA256

    af2c25f184a8542888750b7d150d955c638c3ee1633933b7262dcb6a1b82d0e2

  • SHA512

    eb9da01bba9f172c90b8c330f8b52c6534429c72bac6b65179564fe0e82f738b7233461220163d55a92b62d665cde82e1243cdcb9f3752271707ab6f56ef9a7c

  • SSDEEP

    6144:MkyacpfMzk1+nQFGbjVXgyLB5NaLVtju0r0/fk4Xc/Be1H23:MkyfYk4nXbjVLLBGLVtjuf/fk40Q1H23

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C" id="url_1" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.f0jlbj.bid/DB98-C1D2-6C07-0046-154C" target="_blank">http://52uo5k3t73ypjije.f0jlbj.bid/DB98-C1D2-6C07-0046-154C</a></li> <li><a href="http://52uo5k3t73ypjije.cm5ohx.bid/DB98-C1D2-6C07-0046-154C" target="_blank">http://52uo5k3t73ypjije.cm5ohx.bid/DB98-C1D2-6C07-0046-154C</a></li> <li><a href="http://52uo5k3t73ypjije.jal9lk.bid/DB98-C1D2-6C07-0046-154C" target="_blank">http://52uo5k3t73ypjije.jal9lk.bid/DB98-C1D2-6C07-0046-154C</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/DB98-C1D2-6C07-0046-154C" target="_blank">http://52uo5k3t73ypjije.onion.to/DB98-C1D2-6C07-0046-154C</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C" id="url_2" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C" id="url_3" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C" id="url_4" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/DB98-C1D2-6C07-0046-154C</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Extracted

Path

C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C | | 2. http://52uo5k3t73ypjije.f0jlbj.bid/DB98-C1D2-6C07-0046-154C | | 3. http://52uo5k3t73ypjije.cm5ohx.bid/DB98-C1D2-6C07-0046-154C | | 4. http://52uo5k3t73ypjije.jal9lk.bid/DB98-C1D2-6C07-0046-154C | | 5. http://52uo5k3t73ypjije.onion.to/DB98-C1D2-6C07-0046-154C |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/DB98-C1D2-6C07-0046-154C | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C

http://52uo5k3t73ypjije.f0jlbj.bid/DB98-C1D2-6C07-0046-154C

http://52uo5k3t73ypjije.cm5ohx.bid/DB98-C1D2-6C07-0046-154C

http://52uo5k3t73ypjije.jal9lk.bid/DB98-C1D2-6C07-0046-154C

http://52uo5k3t73ypjije.onion.to/DB98-C1D2-6C07-0046-154C

http://52uo5k3t73ypjije.onion/DB98-C1D2-6C07-0046-154C

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Contacts a large (528) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4396
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic.exe shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4632
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\system32\bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:532
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\system32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1172
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# HELP DECRYPT #.html
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4724
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3ab046f8,0x7ffa3ab04708,0x7ffa3ab04718
          4⤵
            PID:716
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
            4⤵
              PID:3064
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1168
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
              4⤵
                PID:4008
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
                4⤵
                  PID:3568
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
                  4⤵
                    PID:3540
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
                    4⤵
                      PID:4140
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
                      4⤵
                        PID:3708
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
                        4⤵
                          PID:4776
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
                          4⤵
                            PID:2548
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
                            4⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2432
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
                            4⤵
                              PID:1872
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
                              4⤵
                                PID:2068
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                                4⤵
                                  PID:3228
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
                                  4⤵
                                    PID:2124
                                • C:\Windows\system32\NOTEPAD.EXE
                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# HELP DECRYPT #.txt
                                  3⤵
                                    PID:1172
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C?auto
                                    3⤵
                                      PID:4112
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3ab046f8,0x7ffa3ab04708,0x7ffa3ab04718
                                        4⤵
                                          PID:4200
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\system32\cmd.exe"
                                        3⤵
                                          PID:3496
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /f /im "3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
                                            4⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5116
                                          • C:\Windows\system32\PING.EXE
                                            ping -n 1 127.0.0.1
                                            4⤵
                                            • Runs ping.exe
                                            PID:3012
                                    • C:\Windows\system32\vssvc.exe
                                      C:\Windows\system32\vssvc.exe
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5064
                                    • C:\Windows\system32\AUDIODG.EXE
                                      C:\Windows\system32\AUDIODG.EXE 0x3e0 0x498
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4700
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:4404
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:2296

                                        Network

                                        MITRE ATT&CK Matrix ATT&CK v13

                                        Execution

                                        Windows Management Instrumentation

                                        1
                                        T1047

                                        Defense Evasion

                                        Indicator Removal

                                        2
                                        T1070

                                        File Deletion

                                        2
                                        T1070.004

                                        Modify Registry

                                        1
                                        T1112

                                        Credential Access

                                        Unsecured Credentials

                                        1
                                        T1552

                                        Credentials In Files

                                        1
                                        T1552.001

                                        Discovery

                                        Network Service Discovery

                                        1
                                        T1046

                                        Query Registry

                                        2
                                        T1012

                                        System Information Discovery

                                        3
                                        T1082

                                        Remote System Discovery

                                        1
                                        T1018

                                        Collection

                                        Data from Local System

                                        1
                                        T1005

                                        Impact

                                        Inhibit System Recovery

                                        3
                                        T1490

                                        Defacement

                                        1
                                        T1491

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          4158365912175436289496136e7912c2

                                          SHA1

                                          813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

                                          SHA256

                                          354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

                                          SHA512

                                          74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          ce4c898f8fc7601e2fbc252fdadb5115

                                          SHA1

                                          01bf06badc5da353e539c7c07527d30dccc55a91

                                          SHA256

                                          bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

                                          SHA512

                                          80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          36f184961b4bae1964214706db7ae890

                                          SHA1

                                          342d868b498d0841036b17f855238bec6f16c698

                                          SHA256

                                          17fb546803a9411b10102f94fa6693907d242603cca65290af96fb36344e03b6

                                          SHA512

                                          ad8751e175a129c5eac62a494fe9e1e3fe91225fc900d2df7e5a689f95b52cf96b9489aa3dd6ccab9c6fbd139874e62816ca577dde103dd53ef64a9974b5a0c5

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          bf84bdc4d09ea08cfe2f1441c232b9af

                                          SHA1

                                          c016ba66f4daf39f3aaa1cb20e4b084408be4284

                                          SHA256

                                          2aeb0e447601f1bd22c347d0f92c03d059aaf4effeb4f051fdbbeb6a6f8f07b0

                                          SHA512

                                          91f2a80816c03518e5698736df205bf5e84c426f1ffc8edecbfdf804176cff38678a8a02954c63330e3b285fdc135d1c736f1818c4883a774b4fd52e382850d8

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                          Filesize

                                          16B

                                          MD5

                                          6752a1d65b201c13b62ea44016eb221f

                                          SHA1

                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                          SHA256

                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                          SHA512

                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                          Filesize

                                          11KB

                                          MD5

                                          2d5001f9288c13a982e0a20f659b16bb

                                          SHA1

                                          1877c3965d1b44c7719b2d020d09ce031e0d2854

                                          SHA256

                                          8d2c8a957ce5e264f721f0622135077b752cd5fe0168bc73cad65e6e31b07029

                                          SHA512

                                          1c288489fd91201b8ccf05f49c3f3c30a87d7d01a33d89b2e0275dcd18ed28d1b527054d9b1fae9520ebb1697be39145da73924b29bb761edc47aba1e3bd3e0c

                                        • C:\Users\Admin\AppData\Local\Temp\nsw5823.tmp\System.dll
                                          Filesize

                                          11KB

                                          MD5

                                          ca332bb753b0775d5e806e236ddcec55

                                          SHA1

                                          f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

                                          SHA256

                                          df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

                                          SHA512

                                          2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

                                        • C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.html
                                          Filesize

                                          19KB

                                          MD5

                                          117063409556b144f08c32637caa7235

                                          SHA1

                                          e71fab96bb3e691bdefdfc47de5c7279c4dd0094

                                          SHA256

                                          4acbe1c31047896b0527d4fcf7fdad681ef97e81495263fbdf73820759d79d6d

                                          SHA512

                                          498cfe57cbe75bfa0b942a689dcaab757fff8a7ba06e5202b97c1b900a357b0edee982b9d6b8d66dcaf39b76bed4c326d6e7a555ca303ecc34fce53fbff60671

                                        • C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.txt
                                          Filesize

                                          10KB

                                          MD5

                                          f794c03d6e7a880589a18b0428345535

                                          SHA1

                                          a05d477625e139675032a8a066d81c0083e9d39a

                                          SHA256

                                          8ef62fd1ba538b55be895f07d904d9d340d5baf3581001144dbf549e74dab1b8

                                          SHA512

                                          0d04999c4eebc4d21b765a831323f886a590a69262c6c75abb3dad31f0a9fd562dc78422cff5689acad2764e328ea4e141d2a332211152cbf688b2502daedf54

                                        • C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.url
                                          Filesize

                                          90B

                                          MD5

                                          d803d52ce862017ef7397c8e3659bac7

                                          SHA1

                                          b6ffaf7c6be96142683fd896e2d5e8d14091d1ad

                                          SHA256

                                          bded4dec5f5305075af5d4dcd6eda14aa53691ad50379ee50e5863535cfa847b

                                          SHA512

                                          76569b34581ba807dbe08dc0ee8dd69bda91fbb5d20d657a939d4ae407e10a5675f07d657b1fafb7a88776c819108215057590a9fad387d661c22d91084d8028

                                        • C:\Users\Admin\AppData\Roaming\Chanson.c
                                          Filesize

                                          177KB

                                          MD5

                                          df7ceec86dc2d8da6ddc14bbb7e4e55a

                                          SHA1

                                          b2bb4006412cf2a7f3077133eb82205c238c2cd4

                                          SHA256

                                          31fe8b94b1df733e0709e69d1783f7864c090c9edcb0cf8c9d6aaa76034b69b7

                                          SHA512

                                          f5645c5ad57362672079058b0bad20692fead1d9b818a17d8790ceacccd80cf2efcac2baadc00785d9e00966ccee488ac2e6e6a69a72302e0de44af4c44ceb29

                                        • C:\Users\Admin\AppData\Roaming\NsResize.dll
                                          Filesize

                                          116KB

                                          MD5

                                          75376d6bbd017ec8711f820aba8ed53b

                                          SHA1

                                          74c776e288b1f8eb193264333098f44defa871c2

                                          SHA256

                                          523e5bca53ee608535aa63662168cae8cebe7f83a0416c9c3f612599a892e930

                                          SHA512

                                          9ff3f135275ec20c366411d95979197aec8eb96d7d7274feaf441d835cf2123312f6a81fa00c2ef59591a545212d9a7833ebd1e633eb43880f551b76e91c8ed6

                                        • C:\Users\Admin\AppData\Roaming\forward_disabled.png
                                          Filesize

                                          1KB

                                          MD5

                                          875ff3260a35602560fa96c60aab9b09

                                          SHA1

                                          457c51cb571ed8c2f66860b884b3897094832563

                                          SHA256

                                          e6ca6d6e4408a85d06dec320917eaface8871796c5bc5c7974d99b8415e49e2e

                                          SHA512

                                          aab5a58ee6147c1d2dd40722d6ca56df336d49103f08c123936a8efe2f3250a5ce1d0e90c1c54edbb82e1014213aa78b74ea3570c3c53d9a3ad36af37e42d09f

                                        • \??\pipe\LOCAL\crashpad_4724_NWWNERHOGFZKTJCS
                                          MD5

                                          d41d8cd98f00b204e9800998ecf8427e

                                          SHA1

                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                          SHA256

                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                          SHA512

                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        • memory/408-12-0x0000000002090000-0x00000000020AE000-memory.dmp
                                          Filesize

                                          120KB

                                        • memory/1368-748-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-772-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-26-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-742-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-745-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-25-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-751-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-754-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-757-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-760-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-763-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-766-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-769-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-27-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-775-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-778-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-781-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-784-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-787-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-792-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-22-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-21-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-20-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-821-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-18-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-19-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-17-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB

                                        • memory/1368-15-0x0000000000400000-0x0000000000430000-memory.dmp
                                          Filesize

                                          192KB