Analysis

  • max time kernel
    128s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 18:58

General

  • Target

    47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe

  • Size

    204KB

  • MD5

    47937d75be86ed7ab9c2048cee4bbaf4

  • SHA1

    d7eed8c49beca46ce4be3b376611f22a0351c09c

  • SHA256

    911184d3633225146e3c57884f9c1a7ed7849b8e7e575a8b33de8fd42e745b66

  • SHA512

    802a1196fae9bf3f3cb8dd9abdc359ef5bfa0728dec28d70033b3341f0e6eb6aee1560307f5f7553c1f38ba279de7d6ddce2e7370c1f5d7100fed8c539cdbae8

  • SSDEEP

    3072:XA1yBUlytLJVM9yQGVTcuB4rdSQTDOkoycTXiv+5oN87KppRsqYaefim1:rBUlyzVM9yQGvwPXoyc+C7Kkaw

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!!!
You have turned to be a part of a big community #CerberRansomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.
But not only it.
It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.
After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|                                                                     |
| 1. http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC      |
| 2. http://cerberhhyed5frqa.xo59ok.win/4C5E-999B-1B09-0063-76AC      |
| 3. http://cerberhhyed5frqa.zx34jk.win/4C5E-999B-1B09-0063-76AC      |
| 4. http://cerberhhyed5frqa.rt4e34.win/4C5E-999B-1B09-0063-76AC      |
| 5. http://cerberhhyed5frqa.as13fd.win/4C5E-999B-1B09-0063-76AC      |
|_____________________________________________________________________|
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address
__________________________________________________________
|                                                        |
| http://cerberhhyed5frqa.onion/4C5E-999B-1B09-0063-76AC |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for your convenience.
Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.
The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.
The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC

http://cerberhhyed5frqa.xo59ok.win/4C5E-999B-1B09-0063-76AC

http://cerberhhyed5frqa.zx34jk.win/4C5E-999B-1B09-0063-76AC

http://cerberhhyed5frqa.rt4e34.win/4C5E-999B-1B09-0063-76AC

http://cerberhhyed5frqa.as13fd.win/4C5E-999B-1B09-0063-76AC

http://cerberhhyed5frqa.onion/4C5E-999B-1B09-0063-76AC

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #CerberRansomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC" target="_blank">http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC</a></li> <li><a href="http://cerberhhyed5frqa.xo59ok.win/4C5E-999B-1B09-0063-76AC" target="_blank">http://cerberhhyed5frqa.xo59ok.win/4C5E-999B-1B09-0063-76AC</a></li> <li><a href="http://cerberhhyed5frqa.zx34jk.win/4C5E-999B-1B09-0063-76AC" target="_blank">http://cerberhhyed5frqa.zx34jk.win/4C5E-999B-1B09-0063-76AC</a></li> <li><a href="http://cerberhhyed5frqa.rt4e34.win/4C5E-999B-1B09-0063-76AC" target="_blank">http://cerberhhyed5frqa.rt4e34.win/4C5E-999B-1B09-0063-76AC</a></li> <li><a href="http://cerberhhyed5frqa.as13fd.win/4C5E-999B-1B09-0063-76AC" target="_blank">http://cerberhhyed5frqa.as13fd.win/4C5E-999B-1B09-0063-76AC</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC" target="_blank">http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC" target="_blank">http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC" target="_blank">http://cerberhhyed5frqa.6oifgr.win/4C5E-999B-1B09-0063-76AC</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/4C5E-999B-1B09-0063-76AC</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16390) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\mmc.exe
      "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\mmc.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1508
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2128
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1852
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2368
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:537601 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2556
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:1452
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:204
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "mmc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\mmc.exe" > NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "mmc.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2444
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe" > NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2372
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2572
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2360
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1680

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    T1047 Windows Management Instrumentation (1)
  • Persistence
    T1547 Boot or Logon Autostart Execution (2)
    T1547.001 Registry Run Keys / Startup Folder (2)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (2)
    T1547.001 Registry Run Keys / Startup Folder (2)
  • Defense Evasion
    T1070 Indicator Removal (2)
    T1070.004 File Deletion (2)
    T1112 Modify Registry (4)
  • Credential Access
    T1552 Unsecured Credentials (1)
    T1552.001 Credentials In Files (1)
  • Discovery
    T1046 Network Service Discovery (2)
    T1082 System Information Discovery (2)
    T1018 Remote System Discovery (1)
  • Collection
    T1005 Data from Local System (1)
  • Impact
    T1490 Inhibit System Recovery (3)
    T1491 Defacement (1)
        Downloads

        • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs (216B)
        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html (12KB)
        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt (10KB)
        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.url (85B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B; recorded 19 times with differing contents)
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{51A6FCB1-12ED-11EF-A57D-4637C9E50E53}.dat (5KB)
        • C:\Users\Admin\AppData\Local\Temp\Cab1FF1.tmp (68KB)
        • C:\Users\Admin\AppData\Local\Temp\Tar2053.tmp (177KB)
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mmc.lnk (1KB)
        • \Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\mmc.exe (204KB)

        • memory/1196-0-0x0000000000220000-0x000000000023F000-memory.dmp (124KB)
        • memory/1196-1-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/1196-2-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/1196-17-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-450-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-431-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-429-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-38-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-24-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-23-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-21-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-472-0x0000000004720000-0x0000000004722000-memory.dmp (8KB)
        • memory/2140-455-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-453-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-442-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-447-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-912-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-423-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-425-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-427-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-445-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-19-0x0000000002CD0000-0x0000000002CD1000-memory.dmp (4KB)
        • memory/2140-463-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-15-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-457-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-459-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
        • memory/2140-461-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)