Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 10:13

General

  • Target

    4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe

  • Size

    237KB

  • MD5

    4a91d6952c9e040e6c17662cfc271b62

  • SHA1

    09a6a44e25bd15841b97381c603fe3a16a0dd68d

  • SHA256

    89990552456235fc80e303433ef6609ce137d9c74016bf9c14218125edbe8854

  • SHA512

    ccd64aefbb628ae2c39cfc5ed685f5f4b8ea0d093484290c1ade7a4174b4e556791ff23db34c97f00eb21244e4990ea696402c0f72ced0292e1b9a5c20b08950

  • SSDEEP

    3072:pXbUhF2VZhu6sfLj0+QqQ3LVXkH7PUpg5+ua0Sq6ViqxFUZ4Jf5q:pQLqbid5Qbybspq9XSqAZYT

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> 
<p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software 
package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695" target="_blank">http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695</a></li> <li><a href="http://4kqd3hmqgptupi3p.o08a6d.top/9147-29FA-6784-006D-F695" target="_blank">http://4kqd3hmqgptupi3p.o08a6d.top/9147-29FA-6784-006D-F695</a></li> <li><a href="http://4kqd3hmqgptupi3p.6ntrb6.top/9147-29FA-6784-006D-F695" target="_blank">http://4kqd3hmqgptupi3p.6ntrb6.top/9147-29FA-6784-006D-F695</a></li> <li><a href="http://4kqd3hmqgptupi3p.vrid8l.top/9147-29FA-6784-006D-F695" target="_blank">http://4kqd3hmqgptupi3p.vrid8l.top/9147-29FA-6784-006D-F695</a></li> <li><a href="http://4kqd3hmqgptupi3p.onion.to/9147-29FA-6784-006D-F695" target="_blank">http://4kqd3hmqgptupi3p.onion.to/9147-29FA-6784-006D-F695</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695" target="_blank">http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> 
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695" target="_blank">http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695" target="_blank">http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://4kqd3hmqgptupi3p.onion/9147-29FA-6784-006D-F695</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!
You have turned to be a part of a big community #Cerber+Rans0mware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Rans0mware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.
But not only it.
It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.
After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
1. http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695
2. http://4kqd3hmqgptupi3p.o08a6d.top/9147-29FA-6784-006D-F695
3. http://4kqd3hmqgptupi3p.6ntrb6.top/9147-29FA-6784-006D-F695
4. http://4kqd3hmqgptupi3p.vrid8l.top/9147-29FA-6784-006D-F695
5. http://4kqd3hmqgptupi3p.onion.to/9147-29FA-6784-006D-F695
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://4kqd3hmqgptupi3p.onion/9147-29FA-6784-006D-F695 in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for your convenience.
Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.
The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.
The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://4kqd3hmqgptupi3p.thyx30.top/9147-29FA-6784-006D-F695

http://4kqd3hmqgptupi3p.o08a6d.top/9147-29FA-6784-006D-F695

http://4kqd3hmqgptupi3p.6ntrb6.top/9147-29FA-6784-006D-F695

http://4kqd3hmqgptupi3p.vrid8l.top/9147-29FA-6784-006D-F695

http://4kqd3hmqgptupi3p.onion.to/9147-29FA-6784-006D-F695

http://4kqd3hmqgptupi3p.onion/9147-29FA-6784-006D-F695

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (518) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\rdrleakdiag.exe
      "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\rdrleakdiag.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2316
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:472065 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2208
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1860
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1668
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "rdrleakdiag.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\rdrleakdiag.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2224
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "rdrleakdiag.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:572
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:1252
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2536
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:2456
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {9052A978-5316-4461-94F2-9013C08255D0} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\rdrleakdiag.exe
          C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\rdrleakdiag.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:2240
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1800
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:1548

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (2) T1547
    Registry Run Keys / Startup Folder (2) T1547.001
  • Privilege Escalation
    Boot or Logon Autostart Execution (2) T1547
    Registry Run Keys / Startup Folder (2) T1547.001
  • Defense Evasion
    Modify Registry (4) T1112
  • Credential Access
    Unsecured Credentials (1) T1552
    Credentials In Files (1) T1552.001
  • Discovery
    Network Service Discovery (1) T1046
    System Information Discovery (2) T1082
    Remote System Discovery (1) T1018
  • Collection
    Data from Local System (1) T1005
  • Impact
    Defacement (1) T1491

        Downloads

        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
          Filesize

          234B

          MD5

          6f84dbf74ef41dc3d861f5fb3e0f45ff

          SHA1

          3e5f17e9b9589f33ce6add7f2518a666ff2253a4

          SHA256

          df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8

          SHA512

          9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a

        • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
          Filesize

          90B

          MD5

          ddb38536642e22b004f77111a4237796

          SHA1

          faec04246fc5fad54cddb992f740e24841dcb9e5

          SHA256

          8ceda18f6434aa79f8dc48fd70ff7d09a9393ee0cf58922d3616607e337cc50d

          SHA512

          db0edee600e5bc2d890b369ccbb6541653c03c4d11f0ffdc9c87681d74e899fee7e5fd04b570d625ea92dbca3e8aee642afb44d1220402a35f30debec0def46f

        • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
          Filesize

          10KB

          MD5

          96c57f63b4a5bf9eab86084e26280b3f

          SHA1

          125d1861766888fa10142e8e50ac9d11fc0629d3

          SHA256

          1962109ba6912244c0bb111677e62595907218d0bf748bd9fdd80cafee8775b6

          SHA512

          d284395b3dd023259efe33d4a815bfdbc30df29c88886aa561b7db0f8299b63eb7aef90610e7c6d59a7652542c08748c14970c7549a21a57c462f209dedac6f0

        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html
          Filesize

          12KB

          MD5

          997ad0d3e259bc30a98c3f482ebaa387

          SHA1

          9eb1f1630868eccad06fe169b34a8371d8519c3f

          SHA256

          6904007baa325f42415efec7e013bcfc7e0274728c2a5e61bc27aa6ca8131c67

          SHA512

          c8cba126dfdd29e0308c3fa2aacd04f070605dcd068c08d9dfbc7ac9071ee6e1017c3df14f345f4f9d597a41eab0accf8e17d16db2bb9bd43b7cb8b2e5791b5e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          e2e1836667735b53bde0507e178521a7

          SHA1

          f1c166277052a2d2b4365e86e2c09594b65f2257

          SHA256

          867c48b89d82824de9d8c047ded7726fd326832c910ceda3f821e0be2cac8502

          SHA512

          f5594b13a1ebc800c07321e840fba71461dc4781b62bb2e3f28c2b8d4315a41a81df51eda245039cc05e5886982f5e687169b983ded52a1cc13d0b090a7ea115

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d70f1f054a5e1610772dbcf8f2bf0112

          SHA1

          3921a7c044d210a287cbfdfd073499664d7fb6a2

          SHA256

          e3e466be48b092f478d674183e22107fa412eaa54e283441e95ec72dbf339bca

          SHA512

          4cb334a21695f64622e9e656cfbba5a2f6a051236598adc7e7f063e3a5ea2608c2db54eec65420150ae128e0c7799795262232389e78a1a89bb8abac389e818d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          b5993ec6e1d5bedc6f4dee9bc43dc24e

          SHA1

          e9c74b24d53a57c27d9430fc61c758447cfe903d

          SHA256

          0350054524f88e422a72043dc92fd9080cd51a1691eef7904e26721fe2dca079

          SHA512

          8ac5cb2d484804d4c4bad7d9f9307144d319a7027d058e0312ec82075fb4a24ef40da91ad737e7ab4c72dc26d63a8bb3ecf16d6b37e739fcad2f821f29010f3f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          abd301adddd9f8f24f94ac700a25ef11

          SHA1

          2b75289056851ecf333eeeaef9d67e72d9a0b2ef

          SHA256

          1ed42f69c0a3e87a5f0c5f66d9b59bce041aa791651375f5ac9d6e670661f915

          SHA512

          d56741729012a8b05deff169ea3a639e757b339d36181066494a17312007089a7f358c28c285480c63e3fdc582811c78a543c8d5f9b1e41409d3a1b5d7795301

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          ff92763fcb29e1aaf8698251038f62a9

          SHA1

          a8a435c3ade58071cabf2336bcdf395f6dc68e52

          SHA256

          88777cf731001ff9593aae1370671b714b549b46018be5380a95aefa55358ef9

          SHA512

          358adee3166aba9d9b57b833152605ca0955ef6b132932c13a0d5f593b9dd20fb6a53e277bce0c41bbccd22ed90e8b8195c0a7ceda9850b5b7991641f63728de

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          3694a4e387f6e185fb5aedd15ce606c0

          SHA1

          9484053c8afd0246694e22b282177eb1f70a1898

          SHA256

          87813928f1b3d07fc057cbf4d7d1c3125a5b465f9b4335fbefc30e49e632548a

          SHA512

          84d0b0702d94b01932943e7ac76812d66e5772c1a4ec564234830e3bed8498f5a4e84c3624a0cf06777cd0ba14d908ee2f090bc98c42902be18876263ba3a4b5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          787ebfb8dab28001a7f37c0d14ad40a0

          SHA1

          a7167506f48372c12caa45a256d5fc1ab072577b

          SHA256

          360a1d0c83db558b1928d3b67209ca337486de76e80731c3ac92071171bb2fdd

          SHA512

          5063caee1067e50655639f23d083837e8481be5a78798a69e2e8397264672e7fb4236cd3470bde65a1475bde9266ec27455019c5a08c8216b0bc87f823e1945f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          345c622a0b98c30193da1796aa852da5

          SHA1

          04177cf41802bbd35ceb8e44c712115d218efe6f

          SHA256

          acac1ba360f9f6f74475d89471bbeba46451304200c1947fd6e417d564e4df63

          SHA512

          11247d33d0cd87b8d4934d7312d97b4d76eebaea6fcdb55ead27d8e700d006526c918e43a444224e4dacf79ce2196b4c5d04179a6464a88e039b88afbb8291dd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          9a17d6f59056b25a9dd7e64e62f2cb49

          SHA1

          d0be87919c56fcbe7795f4e7294a2072eaaa51c5

          SHA256

          7864cb55e74923791502acaa34b2b9196f515309c54ead8ae3cd106b0dd1bba2

          SHA512

          c9d48e73cf4947c6e13db004b9a2b885ef0510e6433dc56a3949ecf36e1c461d0e7183fdef9c94338e46fd972365912806c8253b302ed6c7437aa4e292443720

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          81aa7f31f78fcc6042727aa0e520e929

          SHA1

          46eddd1eb30307731af922289112e95218fd113f

          SHA256

          b598202b86f74a2d777abd948536e0323d039850f8baeaa77c3d1a0b80aca70f

          SHA512

          878b96c082c67b1c7909e4cb12dd8d533b09b87248a38ad671121437e3abeaadb1119a2ea1202ba24be90815db1fe30e1fcfcb4744190246a4f2ac22720a20f9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          1b8051d55d171cb9da83eff30d38b9a7

          SHA1

          4b009ce2dce57a4937c147e61f30cbb0c55daf06

          SHA256

          00266f2349bb6fd22b9c494b267e713cf21191b8ea7257d0e01379baa0576e17

          SHA512

          4764fcce1b25280b2dbf21809a066c7309b8217e68b665d3135428d87ccfd95d8aa87447d7c293014d8cc89d4a26383368daeae1cd84df374bb98ec03f751407

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          bcfd9da94364e014baeeef4253e23597

          SHA1

          02f249a975d7589714cdb3e69a18e9eb26f342d2

          SHA256

          244443ac980773b3b32bbbe5ab9a48d954c8e98e8d841f8f9290fa05c27ae6d8

          SHA512

          724e2c2c6034fafd20fd8ab4180e4ecddd1c5c84ac30c06345affca6c8ce289f8e2354eb9acde2aacd9baef43b5674afc6a9504efbee65f1ec794ded2655d529

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          07af60180d205941561a5ff3b9e30aa7

          SHA1

          06d0d934450c5fdc777bd8446b37300ac1c5fe59

          SHA256

          05aa9ba1ee2bcd66f14e3a2b598fa26d0bff0f8ab0edc65a9ca296ae3397cbbf

          SHA512

          80b3ce7c8b82de511a3c09d74cc740914544fe3ca5fc7612599f6d839b1721b7a6de8a83c32a3f2f2239d98516424d0f9c3bbef170e811d215eab158fa938c76

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c19232daf3be70ccdc9d2be84b04f320

          SHA1

          d0942d11c8130925068349864b601e614507fa74

          SHA256

          9443572e8c68cf5543741a4d77df2636e3ae0b8bb1c9873214d27496bf11b288

          SHA512

          dfee9cdcd9f49098f2ecc8af7eac37f0f8ba7d2978a291baafeccfb20d316151fdc345750a5aacbb8681eca0d60ab98577b402b5dc76459dccdcdb9e7a2a9e78

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          fe1af8f3eaaa2786fd887aaef6a68c26

          SHA1

          a64c99a65bcf4340abab6e39b5fbcb3faead90a6

          SHA256

          f854415e93472792bba52b077b4f442348bbb385870757c07705dbc10e5e2cbb

          SHA512

          2061ef58377cf5779051e3b0ecaf8070929e4984470eb55d7cbc5cab3c28f7bc3bd949cd72f7e7c52c697191fcaa1ba1d58edb692361cdc1b8d95babd596a1a5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          08299058f65c607549b6f7ed37207e3a

          SHA1

          9f8a84b2ac4e3c176ade5408494f2d7a2938f516

          SHA256

          a4e2e359671d550236739a3c63a9b5242bedbdc0359c708932db21fa94077d4d

          SHA512

          56d90d64a59c181842f475813d8a02dfbdbaabbbc2f43002eadd1a6352b8b61914bd2fe5e5a345d34fa85fba6bb77030d50254716a5ae7505ccdb2760fced5b0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          683ad2b450308cbef0c7c288eb6ccea5

          SHA1

          3149b274dc6f260e404d6a11c5284a6f41a041b9

          SHA256

          04178d5b11a51e7b19b9a8624dd7cf54010f0ad0f63ad7179396145bd934077a

          SHA512

          fc84da34b2096f24a9ad2d26e96ed3a6e8ea003d77e92c703f36b1be6ab1135d88a2406f63e8317c0ce5bdc4303b36e32e705682bdba382cc0ef1531fd7174ac

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          5e362002f6005d783bf4333a055e0f67

          SHA1

          84e7bf4e5f0d9933d580adb711c5c1b5c1e786be

          SHA256

          a9b5ce7a220c923dca5491a87d795838beacd12746e802f3e1771c6606e6b554

          SHA512

          ba29db52ff7445cd370c48a20bcc6167150390f8892067b384af9afb79ce738d55e258358cf931ba2dc8f8c4980c6bedda31d01d5cec8e1e96f9dd70ef64aafd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          9e9258b99ae03a8fb926971abfbf1a81

          SHA1

          2eccbf2e11cad2a4e909f016651073700d4b477c

          SHA256

          6b907e55ea51ecb8e6eecd136fa49c1d55760108ed1e5e161787b9822160272a

          SHA512

          d0531e5cbc2d0111ee8cbcedacfab043216bd6412d8f8a7723623e2a108d9bd8df85cc0156d77768a2555c8902fe0fed3e768273f51ee50ee7dad54718a83c30

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1069F061-136D-11EF-BB1B-4658C477BD5D}.dat
          Filesize

          5KB

          MD5

          5c181cca09960fc039bf2702c31ca1af

          SHA1

          c7b8e8ad1d33f05ec74638d0490345980c37e894

          SHA256

          1e2d7925d27bdd94e11e104e268928bc2b6e1087afa55c9c60c26cc71ae5d26a

          SHA512

          2c84b42885f34da255edb5f87a3c994cd26a9c12382df0ef20a1421208e0cc37c5cfa3e91c013140f237d67cab77461531a5c95c6fd675cb2db82b6a47416945

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{107A9A01-136D-11EF-BB1B-4658C477BD5D}.dat
          Filesize

          4KB

          MD5

          1402cfb384d522c5495c7f59bb7254e2

          SHA1

          06839594fd990d5aea34177aef5afb316ba754d9

          SHA256

          1534a2c539da03f5cec9fffc40fa222a4386e117b54220dd220cb438c84036bd

          SHA512

          fc51fd5279c6a772d57eac9c59479afb2f297b786044ce6a4b1660226a852e381d04cd76e7be686158386670228300d56efbcb2657e71f99486c82db66e8beef

        • C:\Users\Admin\AppData\Local\Temp\CabB1F3.tmp
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\Local\Temp\TarB245.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk
          Filesize

          1KB

          MD5

          4476828a0c9072d2d98a36acac5cdb58

          SHA1

          0e87c20c593165009c9b1c05338854badd8077d6

          SHA256

          b7009e3bf1aaa663e7ff0216ac18421352c39419fdec5c5d32e772c933d10094

          SHA512

          088e14bc47dd49c24edc6da842fdda3a500043c7eca31f4fa1e32f55edfb688780e42b6ff28a343d22214cfdedb5aeae247fb72d1452854e8349c94ed46398f6

        • \Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\rdrleakdiag.exe
          Filesize

          237KB

          MD5

          4a91d6952c9e040e6c17662cfc271b62

          SHA1

          09a6a44e25bd15841b97381c603fe3a16a0dd68d

          SHA256

          89990552456235fc80e303433ef6609ce137d9c74016bf9c14218125edbe8854

          SHA512

          ccd64aefbb628ae2c39cfc5ed685f5f4b8ea0d093484290c1ade7a4174b4e556791ff23db34c97f00eb21244e4990ea696402c0f72ced0292e1b9a5c20b08950
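
The dropped-file listing above is what a responder turns into indicators, and most of it is not malware at all. As an added example (not part of the sandbox report and not the sandbox vendor's code), the Python below parses this page's flattened label/value layout, checks that every hash is lowercase hex of the right width for its algorithm, and separates the entries that matter (the copy under Roaming\{GUID}\rdrleakdiag.exe, whose SHA256 the report lists as identical to the submitted executable, the Startup-folder .lnk that makes it run at the next logon, and the ransom notes) from Windows background activity (CryptnetUrlCache metadata written by CryptoAPI CRL/AIA fetches, Cab*.tmp/Tar*.tmp from the root-certificate update, IE recovery stores). The excerpt is constructed from four entries above, reduced to Filesize/MD5/SHA256; the category rules and the noise patterns are this editor's assumptions, not something the report states.

```python
"""Added triage helper for a flattened sandbox "dropped files" listing.
Not part of the sandbox report; the entries below are copied from this page
(Filesize/MD5/SHA256 only) and the categorisation rules are the editor's."""
import re
from dataclasses import dataclass

# Constructed excerpt: four entries from the listing above, in the report's
# own "label / value" layout. Blank lines are ignored by the parser, so the
# page's full text can be fed in unchanged.
REPORT_EXCERPT = r"""
• C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
  Filesize
  10KB
  MD5
  96c57f63b4a5bf9eab86084e26280b3f
  SHA256
  1962109ba6912244c0bb111677e62595907218d0bf748bd9fdd80cafee8775b6
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize
  344B
  MD5
  e2e1836667735b53bde0507e178521a7
  SHA256
  867c48b89d82824de9d8c047ded7726fd326832c910ceda3f821e0be2cac8502
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk
  Filesize
  1KB
  MD5
  4476828a0c9072d2d98a36acac5cdb58
  SHA256
  b7009e3bf1aaa663e7ff0216ac18421352c39419fdec5c5d32e772c933d10094
• \Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\rdrleakdiag.exe
  Filesize
  237KB
  MD5
  4a91d6952c9e040e6c17662cfc271b62
  SHA256
  89990552456235fc80e303433ef6609ce137d9c74016bf9c14218125edbe8854
"""

# SHA256 the report gives for the Roaming\{GUID}\rdrleakdiag.exe copy; it is
# the same value the report lists for the submitted executable.
SAMPLE_SHA256 = "89990552456235fc80e303433ef6609ce137d9c74016bf9c14218125edbe8854"

HASH_WIDTH = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Paths a Windows 7 sandbox run produces regardless of the sample
# (assumption: treat them as background, not as indicators of this malware).
NOISE_PATTERNS = [
    r"\\CryptnetUrlCache\\",                # CryptoAPI URL cache (CRL/AIA/OCSP)
    r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$",  # root-certificate update temp files
    r"\\Internet Explorer\\Recovery\\",     # IE session recovery stores
]


@dataclass
class Dropped:
    path: str
    fields: dict  # label -> value, e.g. {"MD5": "...", "SHA256": "..."}


def parse_dropped(text):
    """Turn the bullet / label / value layout into Dropped records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        if lines[i].startswith("•"):
            entries.append(Dropped(lines[i][1:].strip(), {}))
            i += 1
        elif entries and i + 1 < len(lines):
            entries[-1].fields[lines[i]] = lines[i + 1]  # label, then value
            i += 2
        else:
            i += 1
    return entries


def hash_problems(entry):
    """Hash fields whose value is not lowercase hex of the expected width."""
    return [name for name, width in HASH_WIDTH.items()
            if name in entry.fields
            and not re.fullmatch(r"[0-9a-f]{%d}" % width, entry.fields[name])]


def classify(entry, sample_sha256):
    p = entry.path
    if entry.fields.get("SHA256") == sample_sha256:
        return "self-copy"      # byte-identical to the submitted sample
    if "\\start menu\\programs\\startup\\" in p.lower():
        return "persistence"    # anything here runs at the next logon
    if "# DECRYPT MY FILES #" in p:
        return "ransom-note"
    if any(re.search(rx, p, re.IGNORECASE) for rx in NOISE_PATTERNS):
        return "noise"
    return "unclassified"


def triage(text, sample_sha256=SAMPLE_SHA256):
    """Group dropped files by what they mean to a responder."""
    groups = {k: [] for k in ("self-copy", "persistence", "ransom-note",
                              "noise", "unclassified", "bad-hash")}
    for entry in parse_dropped(text):
        if hash_problems(entry):
            groups["bad-hash"].append(entry.path)
        groups[classify(entry, sample_sha256)].append(entry.path)
    return groups
```

Run `triage(REPORT_EXCERPT)` and each path lands in exactly one group, with `bad-hash` empty for this excerpt. Of the hashes on this page, the one worth hunting on is the sample's own SHA256, because the Roaming copy is byte-identical to it; the ransom notes and the .lnk typically carry per-victim content, so for those the durable indicators are the path patterns (a .lnk in the Startup folder pointing at an executable under Roaming\{GUID}\), not the file hashes.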

        • memory/1036-2-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/1036-15-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/1036-1-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/1036-0-0x0000000000130000-0x0000000000151000-memory.dmp
          Filesize

          132KB

        • memory/2240-20-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2240-21-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-38-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-372-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-373-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-425-0x0000000005EC0000-0x0000000005EC2000-memory.dmp
          Filesize

          8KB

        • memory/2708-437-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-438-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-376-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-378-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-383-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-389-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-395-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-396-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-413-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-398-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-401-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-404-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-407-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-410-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-386-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-380-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-35-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-24-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-23-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-22-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-17-0x0000000002610000-0x0000000002611000-memory.dmp
          Filesize

          4KB

        • memory/2708-12-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

        • memory/2708-13-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB