Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    15-05-2024 17:32

General

  • Target

    4741333a78be539951c661ddbd47442f_JaffaCakes118.exe

  • Size

    225KB

  • MD5

    4741333a78be539951c661ddbd47442f

  • SHA1

    e642cbf75a235b76f2f7ec6b8222d21ec518ed98

  • SHA256

    5fb92c512e17ae11f78d2c8eca04440fd89bd32e0b0bcca3d86784f7ab5581e4

  • SHA512

    2b159ae11a567060ac0e17fa85da98ac334cdf1b6edc1d4179bfa879116e15349003d657abc2555b1b13240e40541c3bd3e69ff282cc1b4edf6f1bc3caac3a24

  • SSDEEP

    6144:Mg1KQjoGwizt5vq/vPWLbxOSin2cNUt+J+gr:SGws2+LISi2E0+Jxr

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfir0.win/7CF5-E4D5-EF72-006D-FF57 | | 2. http://cerberhhyed5frqa.gkfit9.win/7CF5-E4D5-EF72-006D-FF57 | | 3. http://cerberhhyed5frqa.305iot.win/7CF5-E4D5-EF72-006D-FF57 | | 4. 
http://cerberhhyed5frqa.dkrti5.win/7CF5-E4D5-EF72-006D-FF57 | | 5. http://cerberhhyed5frqa.cneo59.win/7CF5-E4D5-EF72-006D-FF57 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/7CF5-E4D5-EF72-006D-FF57); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/7CF5-E4D5-EF72-006D-FF57 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/7CF5-E4D5-EF72-006D-FF57); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/7CF5-E4D5-EF72-006D-FF57 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.xmfir0.win/7CF5-E4D5-EF72-006D-FF57

http://cerberhhyed5frqa.gkfit9.win/7CF5-E4D5-EF72-006D-FF57

http://cerberhhyed5frqa.305iot.win/7CF5-E4D5-EF72-006D-FF57

http://cerberhhyed5frqa.dkrti5.win/7CF5-E4D5-EF72-006D-FF57

http://cerberhhyed5frqa.cneo59.win/7CF5-E4D5-EF72-006D-FF57

http://cerberhhyed5frqa.onion/7CF5-E4D5-EF72-006D-FF57

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16389) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\ARP.EXE
        "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\ARP.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\ARP.EXE
          "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\ARP.EXE"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1476
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:408
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3036
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2292
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1640
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2828
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:996353 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2320
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
              PID:788
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
              5⤵
                PID:2220
              • C:\Windows\system32\cmd.exe
                /d /c taskkill /t /f /im "ARP.EXE" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\ARP.EXE" > NUL
                5⤵
                  PID:2772
                  • C:\Windows\system32\taskkill.exe
                    taskkill /t /f /im "ARP.EXE"
                    6⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2508
                  • C:\Windows\system32\PING.EXE
                    ping -n 1 127.0.0.1
                    6⤵
                    • Runs ping.exe
                    PID:2988
            • C:\Windows\SysWOW64\cmd.exe
              /d /c taskkill /t /f /im "4741333a78be539951c661ddbd47442f_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe" > NUL
              3⤵
              • Deletes itself
              • Suspicious use of WriteProcessMemory
              PID:2592
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /t /f /im "4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2092
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 1 127.0.0.1
                4⤵
                • Runs ping.exe
                PID:2008
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2176
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1948
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1236
        • C:\Windows\SysWOW64\DllHost.exe
          C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
          1⤵
            PID:1976

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          • Execution
            • Windows Management Instrumentation (T1047): 1
          • Persistence
            • Boot or Logon Autostart Execution (T1547): 2
            • Registry Run Keys / Startup Folder (T1547.001): 2
          • Privilege Escalation
            • Boot or Logon Autostart Execution (T1547): 2
            • Registry Run Keys / Startup Folder (T1547.001): 2
          • Defense Evasion
            • Indicator Removal (T1070): 2
            • File Deletion (T1070.004): 2
            • Modify Registry (T1112): 4
          • Credential Access
            • Unsecured Credentials (T1552): 1
            • Credentials In Files (T1552.001): 1
          • Discovery
            • Network Service Discovery (T1046): 2
            • System Information Discovery (T1082): 2
            • Remote System Discovery (T1018): 1
          • Collection
            • Data from Local System (T1005): 1
          • Impact
            • Inhibit System Recovery (T1490): 3
            • Defacement (T1491): 1

          Downloads

          • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
            Filesize

            12KB

          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
            Filesize

            219B

            MD5

            35a3e3b45dcfc1e6c4fd4a160873a0d1

            SHA1

            a0bcc855f2b75d82cbaae3a8710f816956e94b37

            SHA256

            8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

            SHA512

            6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

          • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt
            Filesize

            10KB

            MD5

            03975169f03858de12b9705c9bdd4a77

            SHA1

            d5b4a7e6ec63aa028b3ea88b64672600e53f18ab

            SHA256

            7994850c9c22d7e3431298941ccb297768454ad8697b06aa5be32274be66f2e8

            SHA512

            b87d0ca99ff37126f783f4970e7ccb63b9668bf3ba18b5acf3ac923c265135ca2171c3e90d6b85e7469a72121016c125d00c5c77274fcb41b1678ac06f9cae27

          • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.url
            Filesize

            85B

            MD5

            52dfb85453ed2d61760dfc13d1c55c48

            SHA1

            68f716a846e422ea687b9744751d233a5dd9faed

            SHA256

            51c1deca277dbd889b6ee714cbda413ace6a97f54692569846f5e8a9e0982881

            SHA512

            2aa54dd03313e7fe9ecbbd039d5ae7fc8091cbe303adfa199bc73963bb40b5ebd7e4f9b6dc532d2b0880b86ad0e667524f9105b9406e9cbeda40b22053f45cf3

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            28d2859fec5bd4161103146d5f9a36d7

            SHA1

            2e7846e6aff202d80ca3977684d9cf2770e709e3

            SHA256

            196825e298ece3fe2e70b8d52a1965af9cf06cdee79b21dece9c57f02b446713

            SHA512

            c8769e2c6dfc927e66c9b1821ea716b784d2273ad94f152acb93ed3e78bd35817e51c9ccca6e00c4c4e258c62bbe7e9c1ca37824bb9fd9877e312773dc871c06

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            ae8692deb2e749343e674ef005e73c77

            SHA1

            0342b9aa2c4944a7af4c8747bcebdb45491e1557

            SHA256

            307bca0d6893ba072d89226027404a650a2f2aa81be0d40eec45370ea89c54ec

            SHA512

            c1321159061bd39fd42f813cf1227a4ab5786cc498acfdaf4544a707858f3ec84ec690883628eafea36f5452186b8dafe02050f4f5c5ddd62dfc6d672f61cf2e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            0c6a138b871060e0aa8438223dbc03eb

            SHA1

            069e32877f936d40352a02d8a7807932540a485a

            SHA256

            b5b36987abd9b0330794267c8237d59fe4bd63dbf4dc03da44eae78a9824a96d

            SHA512

            75d337653010e389f89e3e050eafa9b08796246b28dcc0886f86b4ccc80449a8947b6402a18c324da454a5b89be0744898b240215863e8b14e912d9e5be58d0f

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            21e48a238b2fa2cf1286e00a894e3604

            SHA1

            91224ab72fac77cc5adbcfe2383d55f7ec77b6b6

            SHA256

            54d6f70aeda3dd628b5420f2b0f6510d2614f2324d550f400129b632f1e2c1c3

            SHA512

            1bf97fe89c37806f5763b8e4a4002d422b3606face5e10e21f5aacd04ddcae86b0c22403711744d58c8a68f77a169a902b9f366d75e19745708de6570c69691f

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            a6056b71e7ba6b6767c61e74f654daf3

            SHA1

            95f29392eb39f1dd06bc81af47c11b21cbcea6ce

            SHA256

            109dcff70548ba07856e5843e9b6f0f5c2e7655105579350306f04e12401f2be

            SHA512

            d8a67a41934ad6c3a2c7e6f55be962c358c343e19c2095e221e7162834ff12946711ea072ce4f88ecbe2e67e83ce7001f00c98d583aefbeb6b78edcd1b964399

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            03d785e4738427b37526d487e73916e1

            SHA1

            3a6e3ee6e641659d4b60141ed06918c55b952eee

            SHA256

            f518d7b740fbf77e810e2bad047a3949792294bd17be55d218915f5d5987d323

            SHA512

            5f2da767213a386e2d128a021a0313327f58db52852f4296ddd04ee2ccc0f4b6a9bb9676f2bea51fc49055f133341ae4943840295cb15faee27024b1a12f87d4

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            fce381b76ba50841c481071cd7ecdf33

            SHA1

            9c93eb4691ae754c3fa849c95631b8af7688d235

            SHA256

            394884acb99d02e4432126a4b1311cae8a516c791ccf3d5d28a1f95aa8f5ddcc

            SHA512

            8e637348e519da96b70b6cd1836ff535ad742eaa43fb2fa934c55cbbad4146a4b9ec08a6c5df32f10105b548ea7070a5db52d23996d3c8e62365a5d4604d4737

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            87d5837c2559047cc6f3b6dd34412cb9

            SHA1

            cf7b4c85b0a2dacd7cf4102d8f1e2b15c1620095

            SHA256

            5eb63ac86f7aa4df71809e0ebdbe78dbc2bdc27acc95acd3ca48819a9bb09444

            SHA512

            b49b20e2f339fb393848e28f8f3c97bd757e6d7f747e846c5a04e96bedc8071d3546610a10cfe38990fe9744be96140ef263a76ab66d2cbe5a5025207df1e427

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            38e01557abfd3eaa45b85fef4b7c1e98

            SHA1

            5fe7c59d41a898ae2b89bde5913125a10fffb02f

            SHA256

            5260514b1a6a6f36dd4e0492f57797cd6cd66f37d616fff3ff566cb8fbcbb394

            SHA512

            502277821491a6c943882cb221334bd9401995119eb5e616e662de1fea51db5356f83ac5a7669951296ec49b6149fcfeaf73a9fe8e3fe0911a9d910e143ba366

          • C:\Users\Admin\AppData\Local\Temp\Cab7F6E.tmp
            Filesize

            68KB

            MD5

            29f65ba8e88c063813cc50a4ea544e93

            SHA1

            05a7040d5c127e68c25d81cc51271ffb8bef3568

            SHA256

            1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

            SHA512

            e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          • C:\Users\Admin\AppData\Local\Temp\Tar7FC1.tmp
            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          • C:\Users\Admin\AppData\Roaming\1047x576black.png
            Filesize

            4KB

            MD5

            fbdb5d3bf5606f2d20ec11dfc0523542

            SHA1

            7d46fb2ba2a91ea6facb923f8817f1d9ce234002

            SHA256

            b39f7c1b861a0aea80ca0626e0922b030123828ef4930da43d424b578459c784

            SHA512

            4be6540678fbcfda29184e6034196f5253459e56a23d49e35e07a6ece05be2f895b8407f7d4859531ded67e6a9ff31a671ed43c0026baec024b792229c851b6a

          • C:\Users\Admin\AppData\Roaming\1047x576black.png
            Filesize

            4KB

            MD5

            20a30ea248b486585ed4d9d2c217988b

            SHA1

            8b585ce375fd32f8a03989de0fc9916f653a046d

            SHA256

            e8616b7a9635eb14f0aadba0eabd6ad02f8d5c77a3802a6056fdad0f40f2dace

            SHA512

            8e34ed542ce9655fe46bdd41e2199e31928a060c112753f8b96ddcd9cf4ed5e0df9babb3de4c62f9428bd80795e72f671bf9f0a32a9dd5127b63d233b2845f81

          • C:\Users\Admin\AppData\Roaming\404-2.htm
            Filesize

            1KB

            MD5

            78f1a9d75f7e25e5e14ea3804e7102d1

            SHA1

            878e200221853fc23e8d1e338cb6030d4a2bf39e

            SHA256

            c43f04e0a10120ac19d2b1fc162887e56759409a6233de3c14366ca97a0a5f80

            SHA512

            fb37cf9f45d9366abdb307c364ac8e5813abe758516ace319a0afce8103afb558d78bef9e83be0e24a098ef93192099150b63158ada65f070bc77ab4d75bc959

          • C:\Users\Admin\AppData\Roaming\406.htm
            Filesize

            1KB

            MD5

            3ecc8613572d7e5b305bf90f59f9be58

            SHA1

            9627e5b8dcf39a6a9f48c4d770f0ca7e49748f78

            SHA256

            9b29d1934ff2f61d0583b4f31496aa053473d631653f04845d695326419f2424

            SHA512

            930b00b4a3863cabf53e678e4a99094a328b1d49e0c2a3d5e3cf480fdc87b99707c381650a9f076d99f7c4a4b41586f2bbce78c976ca5e0f2a53a2edf2c6f700

          • C:\Users\Admin\AppData\Roaming\7.gif
            Filesize

            907B

            MD5

            3b65f2e2286842f3df086d355aceb01b

            SHA1

            079d7bd2561bc0d4921dc3842071d6bfe8caa68b

            SHA256

            3a3f2e5fa85bca0e33c9fe947820658177ae754eb212782f863bc1d55119357b

            SHA512

            87ecac60ec60558770e5bb489f6486401370b54b84eba13c55d67bab5311b6b708f94e15c85ba42137f98e7b0bdfa4d4c05d327eed041bb165cd7b8f1c21ed69

          • C:\Users\Admin\AppData\Roaming\7.gif
            Filesize

            1KB

            MD5

            4a5a66b60583542ad22f980def509a2b

            SHA1

            c0e24b9f61256cbb0926fcc5bd81ce732761aa46

            SHA256

            450c159822873eb0df74081e156f1a0972588b6af85d67ad475604c08a61b756

            SHA512

            98a63171a0e497e2cfff795a421507240669623e76f3d2d0676908a0282f9ec6cc9f31b3c04f5c751f9e7c7da1f17f003d5876fec452148d7706ba367c13b323

          • C:\Users\Admin\AppData\Roaming\7.svg
            Filesize

            738B

            MD5

            faec5a97513d807747c7bf0f3aeae2dd

            SHA1

            3de524a9421127adef209757fee17831e41c6ead

            SHA256

            b77145d3f8f053daef82a995a204fe952e0e9077c40b39e3930f371818cef63d

            SHA512

            91fdb30dee16282b1f62221b045612303ea5cd551742fb82827f5eb211905e9a38b70e18d55b28fa97723fd31a680e2038070683ae43f449d7e4f4c890eccb70

          • C:\Users\Admin\AppData\Roaming\7.svg
            Filesize

            1KB

            MD5

            db663dce2b6be80ee30f1513b16e00d5

            SHA1

            0f76ec1685d4db5150cd57f8e7d18bf4a4b521f6

            SHA256

            268b300c9d1d622fe84f1e7a6ea4766053444b9bae2df405d08f41286311d0d4

            SHA512

            056ae8dcd26252d8031e66fbf54052c693a30f43b41a5f41f3628b66ec7df5eaae33da7fc87bb1deba998a00a64f438fa7b122a8f6db049256df24b89d9bcd3f

          • C:\Users\Admin\AppData\Roaming\Adobe-GB1-H-CID
            Filesize

            3KB

            MD5

            2089895c093ffa44bffb0903d78a6abd

            SHA1

            19ff1e5bfb1cd5fa1d507d7c5d8c939df41da3aa

            SHA256

            2ef1601474ccc13fc01c91e3aa2a317279f55f75821a36833c5ebf3b367781cf

            SHA512

            2047b3c2d7d11b9928540b37507d5efa00f2449c2b0795eace16b7f6a13cda3e20fad83a55ef3d5358ebc5e0ffd47e37929538029c8e026d02ae1f8a81cbcab8

          • C:\Users\Admin\AppData\Roaming\BMY red 3.ADO
            Filesize

            524B

            MD5

            f603a2c217b5b63995d8c39730d35491

            SHA1

            bb25bbde47ecb5f2c40db35c9bd4f6621a403337

            SHA256

            bcda37996eadb7820490356c0f70c4f47811bea513b48de5e1566c6f365945e5

            SHA512

            c2ff6fe9761eaaf520678989d516819349aa585d872dce806aca137ae23e934fee8a1462eed68cfd4cca15db40ddd02e9d32f9c4f9b69f46c267162cfa2ceb8e

          • C:\Users\Admin\AppData\Roaming\BMY sepia 1.ADO
            Filesize

            524B

            MD5

            17b79ea0753c3ec356f0bfd869a45c1c

            SHA1

            c323d10eeb4e84a510639f447053b134e1afc651

            SHA256

            82d2060902489b8aa93ed1d051b7fc8f0597b8a0994bbddf20bd688a9c183409

            SHA512

            73f2ee5957cee739fdda773358ea9dbfba10986b8aff421218cb92d53a0e378802626c1b55cf15fb4eccf280226f82f2f4f0e4bd3ef2f893492dc8fa81cca43b

          • C:\Users\Admin\AppData\Roaming\Blue Filter.blw
            Filesize

            294B

            MD5

            db2c5fccd6b45bf55a58d845923f694f

            SHA1

            b29798524575a05c1c4ee2516c5167d90593f880

            SHA256

            a56eb0b2c4240371feec1f1ab6d2983ebd03509ec59aad249e072deabb100f5d

            SHA512

            0edd4d91230ca2775bd0db7ec4b1759f16a6762c08d814f72c648a0f752e2cc446a15071e5dae49a796eada206ed1af1cc2aeccb6a8060b0dd7ed0745bbfaf0a

          • C:\Users\Admin\AppData\Roaming\COPYING
            Filesize

            1KB

            MD5

            0adb5afdae1597917f41f7c5863b9d0c

            SHA1

            033f4d9f1e108d64e059048c3363a7c5c573c4ea

            SHA256

            fb2072a648da193dd85c59c89123d882e727e54db96446f52d727815a36f1e7d

            SHA512

            9dd94690246f33b3b0b3740b8635492473725b5ab3c58c9ab4a5e1f59522566fd28bd6f45e18e2858c3b168fcaa898a4f680f9347bd51f26737e44e3b386e380

          • C:\Users\Admin\AppData\Roaming\Choibalsan
            Filesize

            449B

            MD5

            c3d77a7327602f3ef5d81c5fa45e3311

            SHA1

            dd5fc349c0377248989a596ec2571f10bd563994

            SHA256

            c7f453fcc2ac619ac906b694c9ba90a876acbd3e7e01862d2966585de3323584

            SHA512

            f29f7f5c52691041f0feea5837a89c7f38aa2f4e37401f09ba560955f9cc1de0f8df61b5e8fbfdeba9f7afc1e5b93c4bb4be345396c1cf11b931f378311b0e91

          • C:\Users\Admin\AppData\Roaming\CommandTemplate.mws
            Filesize

            4KB

            MD5

            c3f6ff0818d66a2a3725998f5c44ffa4

            SHA1

            127417dc331619716ba8f3b3aa63d23d0c59c443

            SHA256

            fd5d297ec3edf6973d7c2cf834dd8fbd7ded61748ba82f3e259507f30eee09f3

            SHA512

            c69b0cf5e2f62a1b5be3137fda26d1d3c5cca810b845f2c51e8c5253297bffcabcedb845c322dd643cd467504f82569545f1c03626b0d60d59d604845722b6e9

          • C:\Users\Admin\AppData\Roaming\CreatePanelsDir
            Filesize

            33B

            MD5

            1f3bc75daaf847977f7cf3529e4c48df

            SHA1

            f4dc15cada37c0eb4277dfb13f054c0c4e26f381

            SHA256

            d4368f7873c76dc461ffbcea9c96ec52db4de2e97f0c02762b78b5af1d1b4678

            SHA512

            01fee9822070f4413f7125e94a82794861da82f5d77dec0e3a1b6db90f605fc25f07926ef0fb4792e8e910cc90b868a89a50b16d5119084fe7c8ad8fa89df87d

          • C:\Users\Admin\AppData\Roaming\DEU.zdct
            Filesize

            1KB

            MD5

            a0a1920cffb51a8ac629fe603a1769af

            SHA1

            7cab3cd12f20a6c76554a58eb70470446b7a63e1

            SHA256

            e2f92b3123f18a3445303862c16acdf82b133783ac52ed61094168f83935f7da

            SHA512

            089c78f98acf74217904b9709f33dabbca5e7f40419e24cfc5ca82492f353e4b5a090d764cd8ce842b06217edf34ba6d374b0bc5dafa6729b7d43c5e32a24b6c

          • C:\Users\Admin\AppData\Roaming\Dibranchiate.J
            Filesize

            72KB

            MD5

            98341365da439b247f8ba85d9c0c7778

            SHA1

            b61a73a71f2a5be78e0a0ede0fc6cd493045884d

            SHA256

            86f8230cec2b22ea7a8e8d04f050909c345ffc06c9f0b0db73f158a1ad656f64

            SHA512

            17c0aac6a6fd751ddc2534e69f8100d59e09b19bfed3c5d48c649a21275888c0229f94593ae2d5936d54e288a25b3b3cf6af7c12af4b8dc77da2cfc527482125

          • C:\Users\Admin\AppData\Roaming\Frosted Detail Plastic - Frosted Ultra Detail.3PP
            Filesize

            1KB

            MD5

            f3ea89e2ff94329f2fe06046f3397131

            SHA1

            813d806951418ae29f8d6514f1e8619e09bb1c0e

            SHA256

            c8588b373d6f9e4445a7f0420e86f0ead65284c78a28866f6979a80008f1dfd1

            SHA512

            5ba1c20e1fd834cec01d505be15bb19b0e67d63eef4856890fe41d8f6d206f1cb3c2b4f5e0321c3ad669bfcc6c28028827b1b7447993e6422df2c026f8214478

          • C:\Users\Admin\AppData\Roaming\GMT+11
            Filesize

            27B

            MD5

            41dc583620885308274e1af0be12e78e

            SHA1

            9f96a25b7539ebc2a5bc0661b65a03992b63e210

            SHA256

            f3236a2b39954dc659c25482fde3dcdc735b6b6829e3827bedb7c8c8dc72dd54

            SHA512

            ec50aefdae3b9e276b1ca87677dbb89841a91169350eb88da1bd61b84726c8ffd19de6ab037bc0159a16bd44587f01daa3421298640c168ac2562a66170f9e3e

          • C:\Users\Admin\AppData\Roaming\GMT-4
            Filesize

            27B

            MD5

            4bc6b6291a5e77acb663283b05cdbb02

            SHA1

            6ebebc4883fd74246e5f39d211a51d6ffe21e7b4

            SHA256

            bd6b0557cdab100425a5d39783174e7ae4134cc59ebe6dd3ee837944eb76381e

            SHA512

            ed98d7547a5aa0506253fd7f37c39ad323a57b8ff184ee7a88fd0031dcc210c91bb5c1c0266b5b528568425206dfd49faadd693ff8c61cd84023a18766fba335

          • C:\Users\Admin\AppData\Roaming\GRAY.pf
            Filesize

            632B

            MD5

            1002f18fc4916f83e0fc7e33dcc1fa09

            SHA1

            27f93961d66b8230d0cdb8b166bc8b4153d5bc2d

            SHA256

            081caac386d968add4c2d722776e259380dcf78a306e14cc790b040ab876d424

            SHA512

            334d932d395b46dfc619576b391f2adc2617e345aff032b592c25e333e853735da8b286ef7542eb19059cde8215cdcea147a3419ed56bdd6006ca9918d0618e1

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ARP.lnk
            Filesize

            1KB

            MD5

            a9143b2263cd6c89ee82dff0f621ed62

            SHA1

            6911dd3e4095b0f8f00b139270063f7fc2d9f389

            SHA256

            0ee4d412c9ce5e3b32b5ec9969c7c3d3f49112a80a26cd3690e5958407806d84

            SHA512

            57b7525ce14d5041816bcda265434f04105ce5faf38a8001a03414632eddb9b5b5617676ad460b067e65da8f3e30e5e675a4006b7c5d3dffd425a83e208979ac

          • C:\Users\Admin\AppData\Roaming\Skullduggery.amx
            Filesize

            1KB

            MD5

            c38a9a83d65b6e83d9b71eedb039bbb9

            SHA1

            2644f2ea208a6bb4d895c260a9f91b226d813a27

            SHA256

            413e764638d70f96e9032c06c489eda58318eccb6ac8225aeddb18ff82d41cc9

            SHA512

            d83b1078fc46df5563c49dda178bf1e7910f883d2ecde82d3f6c16968632b8db3ab7f38339cd0d306f99f469e3401ed2cd870270cad18998b8dc616cb0d8091a

          • C:\Users\Admin\AppData\Roaming\add_licenses.png
            Filesize

            1KB

            MD5

            e8a2b07854032ed884e15558d45cf227

            SHA1

            733914f98c81adb9ca0e0c5e90a264e446c7308a

            SHA256

            441d8eac3139cc3d28d7f3ca5f8412a99f0ef37466d1d578abfdc315b4840d7e

            SHA512

            d13ea83232a9d76049e9b79ba70bea422e51fd113505082da81044d6ebfa10c1b4510507b960f2b6d4c66f82a819c586416645e5fc4171ae2d08b24a7bff3391

          • C:\Users\Admin\AppData\Roaming\add_licenses.png
            Filesize

            1KB

            MD5

            5cbbb0c88230c3793c197150695ce8d1

            SHA1

            9729aba0fc5f9515693ac35dadfd5c271ab97124

            SHA256

            e0050e03b817d45fb5722f1314d69392e3a1bd31f4d27c42e0e25020644e40c7

            SHA512

            d95732409ff4915ce381088946e85bb73254b51296ff0d03275843036c870a5aa2a6c1720c3c159ed0522af84cfd2a26a8a84a42699900f74888bee964719bde

          • C:\Users\Admin\AppData\Roaming\app_updater_body.png
            Filesize

            2KB

            MD5

            86c9a4c802b04a554b3829d4be312828

            SHA1

            773f47126a7a7fa0aa23e1ca894d9912df2f57ac

            SHA256

            ceec03700eee7c9342a537d53ab8cb25d1e7e2c152ca9d977045dc0d22364d8d

            SHA512

            99244fe9a66d7f30589054b0f33a21ea5b4ea7f47dad6ed4301aa2c652277b345eca8ffbdc4420d86dcc6163e570baf59dbe3f7dbff7f88bd554733cd6c6504a

          • C:\Users\Admin\AppData\Roaming\app_updater_body.png
            Filesize

            3KB

            MD5

            8b64c78939508c3ea68a5ca9d8768ed7

            SHA1

            74ca4d93f5fca082a482d0975c04180d472ed8ca

            SHA256

            087c9fd2e65f1e9f814e4a979e0b76bebfe37dc4910b560fb7cef47466fac91f

            SHA512

            3208be1900fb9c8a3054882311050ef82a46f31cc9034ae2f2bbaa874cee139bd69b165ee193a66c8cc82c7aa99984c366368de6f6f6d4a207c0a044f7a9b6c0

          • C:\Users\Admin\AppData\Roaming\arrow_up.png
            Filesize

            2KB

            MD5

            07b3126cfe4ab7297cbc21fde173c930

            SHA1

            95fc835cfe39e9a938696c5bf5020a6a3fb75369

            SHA256

            7ca400062c5571a845b5968a4cb4c46e0588511b7776d30f8d418ae753bb067d

            SHA512

            ea7ec034541f34753a7d580c052e1c9dbeffdf2bc730874ccad54bfdd548928eaed865b8223a1fda3f4bd9010bae7c9b5315b5a02f451bcb35f935db6e200a42

          • C:\Users\Admin\AppData\Roaming\arrow_up.png
            Filesize

            3KB

            MD5

            192824986ef99d7bb79e5a9a00eed735

            SHA1

            3228f62e3e56ce0359c1da240a540f5ff8f371a9

            SHA256

            a203713df597f5af7970ed44a448dff260aa87e45572ea094ad91e3ae46f6f97

            SHA512

            7a5bab3a3ff5e7d2ed681cd542be5e2c5e4bc671c61b7635ec025b97ca6620b8b671ce929babde86b82366861d9bb3ebdcd50d3a565301ee0ccb6477b2ac9a91

          • C:\Users\Admin\AppData\Roaming\article.appendix.title.properties.xml
            Filesize

            1KB

            MD5

            adb1a285a2b926f98c062fbb74e1e992

            SHA1

            1f9799a61072673042a1a3da0fdf3fa93cf10f90

            SHA256

            4ba4637bffa741ba5619c3de97b6c209b5a9deb330385efc7a588492a98b7b45

            SHA512

            aa65628e34601645dfcdcb1f5f0347ae84555bd1a99432d4c25a50044dae932385bfa1f50551f6577d184de684f9264743facb53f4aa2e46bdfeff5c85bc6bd7

          • C:\Users\Admin\AppData\Roaming\article.appendix.title.properties.xml
            Filesize

            1KB

            MD5

            5023ea7bbe05e8f4f3418a9f8fb73789

            SHA1

            6ba99e7f9a3f8e979e39d08adc502a72f0b9f57d

            SHA256

            713fff4e444be9c5c9c35f080f4b9dafc9a77b59929d48849d97864cde0716a7

            SHA512

            4fd004d7165eceaaa57eb0788ceb5fcd2e93512011ce91b6790de5c1b5c9ec8ad3e1a1923c1da3224f8be17d6512cee91c009ab0e36fa3c1ad5fcaaff37f966f

          • C:\Users\Admin\AppData\Roaming\blank.png
            Filesize

            100B

            MD5

            67f611eb6a01800784b30b1925f45990

            SHA1

            4153ec1738c0d9106316eac05ffdddedc2df890f

            SHA256

            c6c7d65aed683cadd9b78c00a766d638baa361ca49f8017b069eb9f21dae2256

            SHA512

            cab3e5e32279f510f59b7818ce765b5064f102684fae68f675c482818d41036354270532b13366058de37cb63d9b8e17c3abe076e0a3d2150ced4da1a1fc8a03

          • C:\Users\Admin\AppData\Roaming\chat.png
            Filesize

            3KB

            MD5

            44ce0f81586f9dc6f8afdc7ecda1a52c

            SHA1

            e5af8e985bba2fd5cf1a5738c529b56a14c79982

            SHA256

            8b1a955f10699452c86f45ed99f4767cca8281de26a7de4fc0c2523c89345f9c

            SHA512

            dc9b568f878b8c38560413765727d040f2b0460c5469b69404cc04071e51ac1d6d2c4d255121ee0127fd3240101f5d018701fd6d69da69b67d933ad2c10f5bc3

          • C:\Users\Admin\AppData\Roaming\computer_diagnostics.png
            Filesize

            3KB

            MD5

            bd8078dcc074aaebdc63ba53082e75c2

            SHA1

            a3887f75154e5de9921871a82fe3d6e33b7b5ba7

            SHA256

            9e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e

            SHA512

            9a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66

          • C:\Users\Admin\AppData\Roaming\copy.js
            Filesize

            154B

            MD5

            77ea68c673c183a92ecc07e600e956a8

            SHA1

            c2f17a0351e2c9361580408eef9e19b16c0a0fa3

            SHA256

            a7e7893e6867a93582a0e78dfa1261145068e01535db0d157409be338dd0d0d8

            SHA512

            886664c977d8ac7e251a8a2730d6c2fc207026f18e93a5c3676bf42ce64ae4125ba058e570788467f989e8e91e49463fbdd1661a47f664ac17c38d568551d61c

          • C:\Users\Admin\AppData\Roaming\cp_mouse.png
            Filesize

            1KB

            MD5

            4b782493b3f024be4234e49787b89449

            SHA1

            c5b2e4db4cf7020825ce517c2e65adf9a42d3162

            SHA256

            ddf35cf22dbf079edf6917148aca53b1d3681d36a03fed851d28b43006f72ea4

            SHA512

            bfd7d0522b589d073f81bcb124428e01349bd704bc41f5b9a40b91f5a8ca4e826aa1dcdf785d829809c0f35a2c35b2d3cac12ef1e04f1c04d2793ef9612dfdb4

          • C:\Users\Admin\AppData\Roaming\crop.marks.xml
            Filesize

            926B

            MD5

            575e59f092ca7ff2d1e00847b43278f4

            SHA1

            0d80635152b5cfb7f2b985853e8d46fac989e971

            SHA256

            b0aea0cf41b3b65f77a68c9b063c7f5c77e0b8f083fc9ab00428f9a658bf7e7f

            SHA512

            6c5c73dd659dc7005c44f8366232a1116fe3c031731cc74f4ecd300fbc7946fcf0bcf03466d02d6c6e143185a43859549f352e2e30185d9908fc0c43de86f939

          • C:\Users\Admin\AppData\Roaming\cursors.properties
            Filesize

            1KB

            MD5

            b92c29f94e268e7bb210b7aea4cf0d95

            SHA1

            c33059af1b5f74da238efeb1636d54b5dab9108b

            SHA256

            779c8cfd088520536f6e77ad0266d4668075116c72a90c41f19ae6ca993496b8

            SHA512

            36ddf6ef84d1a8c839334b1bddc5a069126f6446ec61fb84bb2be4f89974d362ec4e41e7363d6fb11529e56ddb6f6d481dad56c35d7f09de34d12ba7580c3cc8

          • C:\Users\Admin\AppData\Roaming\default_hash.js
            Filesize

            136B

            MD5

            06a09bda9d5dd7dba611b2dd460d545e

            SHA1

            73946d0150e298464b8a55a107bb22be6368029c

            SHA256

            c062646586359c92950920a9e5a51bcec73afeb863dc01337a88adadc789f05e

            SHA512

            b104418ebc3eabf7a3d4aae3a23bdeea63d0118f56397e3763318397baa0b59ed5756a354a922c2c6206636ab761197e379e6fa5b4aa7cf2a60c24416a2ad459

          • C:\Users\Admin\AppData\Roaming\default_programs.png
            Filesize

            2KB

            MD5

            e8a48f10253a8814fd9c7d4d898e28d1

            SHA1

            c75a29a841542997f33e5fc286713ac6a4782c61

            SHA256

            8e971bfb821a095ceb84e8570eaa449a7a9db2a38ecc7632229ec28230d31df5

            SHA512

            f340864a0a4a0d767b0bdf94662914ec74407a7254d7a43ebe03269d97568742d293393dfddf413f3da1791abacff1031ebdf28d928866f9b78d574755bda0a6

          • C:\Users\Admin\AppData\Roaming\down.png
            Filesize

            212B

            MD5

            f6dd493e5aab353b336c1093f0ec473c

            SHA1

            e61cb9d6e0f8c0c9588c2b232b432984ba3b68cd

            SHA256

            12a34a266a7d3e51112cde7b492940823986d62a64726fdb92c2a10f995d76f4

            SHA512

            b1b33e18dc801144f3d19fdae881fed006000dbbb89ec9e642c9be440e6c96ecdf2fefc8117d2fee5a5c8a6d5f13e8c1e3c9ce8c62716566b7fea228b640cd28

          • C:\Users\Admin\AppData\Roaming\dsc_health_alert_tile.png
            Filesize

            3KB

            MD5

            715352b867b82894ee1e3dcb857b8d9e

            SHA1

            e1e14f1298f5c0817b6bcfd12a2495e9595b5f10

            SHA256

            c88fc5d7260ddc763e0146ab6ae64ca31a92edc9efff181ffe84b9305e2e8fe7

            SHA512

            284e47d2c7f7031cd2b1e3a13b231968236777b3fe97f052cb9cf4bbfb69676f2f1f17ae269bf274b71d27e2dfb89d9642f4d815f96eba9d9450ff3f9706727f

          • C:\Users\Admin\AppData\Roaming\dutphon.env
            Filesize

            2KB

            MD5

            d3fd7121b844308f5e0d98218b25f7a1

            SHA1

            57eda098a5ac50befbbaed81c9358542508d2025

            SHA256

            3f19660f2ffcb1b75ce092e05a9d02128025f89a378cfa302a3fe406c065139b

            SHA512

            0512e3887235754102c623ba704421c745f43d5300a8dd31cc79d1d70a537158dd5a2a25e8e0eab69dfd8cfa234a437ebfa89abafb5c31dcaf28f745a17feca5

          • C:\Users\Admin\AppData\Roaming\example.xsl
            Filesize

            2KB

            MD5

            ccfab72640a4d5de19096e61cc1111e7

            SHA1

            e5f992187707c256949fee3987482de01527776f

            SHA256

            963cca28032d4a5e5fc05cb3cb509ac235bd390161fa862611ee1543ae5b744b

            SHA512

            93d7a787626f9444527574257a41266512565a5e3543b1026984ec5b2e606b8339d5a5901059b8e7fef502f62be50992d7bbe96522d7536ca4341bb9a4f1cc67

          • C:\Users\Admin\AppData\Roaming\f41.png
            Filesize

            1KB

            MD5

            653752076a0bc3cdd589c9215940dc0f

            SHA1

            092a3e84f77999dd0acd6b1cb6899003fbefa955

            SHA256

            89c0e91bcede61d403c70779ff981446a473faf2fd13cc64d53123cd68e6cdde

            SHA512

            93bd0a58fb422c486d053abe60e40170e1447214ecd0dd3b1364f44707cbf39a7059fde57fbeec83b1729752c32d56bbc2fae5007633bc3b9edaea08090a9996

          • C:\Users\Admin\AppData\Roaming\footer.table.properties.xml
            Filesize

            1KB

            MD5

            d28689de508a6a6be60abb456d260c3c

            SHA1

            c330b1ebedd5cd04c670e6a86f11c5aaade2907f

            SHA256

            783deb3f90d033c6e0ced3ec8300691ad10e29de0d91f290fb866973bd34798c

            SHA512

            b0fbceb6d2cebec06a433cc55a9a0521820181b31f217912b06dbe4862bc8ea23e72e74b1a81eb248f83beb26ea98a3d5beffadec7fdf8961e2f091e9ff277c0

          • C:\Users\Admin\AppData\Roaming\footnote.properties.xml
            Filesize

            1KB

            MD5

            bb4e3258bbeff063e10c2a2daf0af1d4

            SHA1

            246cac6fe61a29d597bf7ae2a4943877b29ebbbb

            SHA256

            c8a211a3e1816d38d6320cea2fffded89267c5268fdef91a19940de36eee61df

            SHA512

            18db9ae4810a7878adba3dfcf67fcf80f986ce8fe8c9623420fa79603b8b6c6b4c3334d14590018f04cb9387df6a942d3f284fe0e509a469c68f4c0cbef07334

          • C:\Users\Admin\AppData\Roaming\forrest-credit-logo.png
            Filesize

            4KB

            MD5

            16c7c07e2b54a06d72db929643c7693e

            SHA1

            dfb1cdd39ad9aeca1dbdec2a2adc88b762f1ad13

            SHA256

            f9bff20afb094c9035335c27b2a77e8ff80e5b4aa5183281ae88572b030d7c6b

            SHA512

            93eeb5260857dd04aaee75f8cfa8538c6134eb8b8bd44ba3b4839dfd014cfd16c3c971eb07173c64376ae0d7a5c975c878356d8baba3d0630224b9ba8ee890ff

          • C:\Users\Admin\AppData\Roaming\forward_long.png
            Filesize

            887B

          • C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xml
            Filesize

            1KB

          • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_dk.csv
            Filesize

            518B

          • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_no.csv
            Filesize

            518B

          • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_se.csv
            Filesize

            518B

          • C:\Users\Admin\AppData\Roaming\green 349 bl 1.ADO
            Filesize

            524B

          • \Users\Admin\AppData\Local\Temp\nsd18A0.tmp\System.dll
            Filesize

            11KB

          • \Users\Admin\AppData\Roaming\Services.dll
            Filesize

            57KB

          • \Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\ARP.EXE
            Filesize

            225KB
