Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 10:13

General

  • Target

    4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe

  • Size

    237KB

  • MD5

    4a91d6952c9e040e6c17662cfc271b62

  • SHA1

    09a6a44e25bd15841b97381c603fe3a16a0dd68d

  • SHA256

    89990552456235fc80e303433ef6609ce137d9c74016bf9c14218125edbe8854

  • SHA512

    ccd64aefbb628ae2c39cfc5ed685f5f4b8ea0d093484290c1ade7a4174b4e556791ff23db34c97f00eb21244e4990ea696402c0f72ced0292e1b9a5c20b08950

  • SSDEEP

    3072:pXbUhF2VZhu6sfLj0+QqQ3LVXkH7PUpg5+ua0Sq6ViqxFUZ4Jf5q:pQLqbid5Qbybspq9XSqAZYT

Malware Config

Extracted

Path

C:\Users\Admin\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community #Cerber+Rans0mware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63 | | 2. http://4kqd3hmqgptupi3p.o08a6d.top/2A7B-2A5E-BF5B-006D-FB63 | | 3. http://4kqd3hmqgptupi3p.6ntrb6.top/2A7B-2A5E-BF5B-006D-FB63 | | 4. http://4kqd3hmqgptupi3p.vrid8l.top/2A7B-2A5E-BF5B-006D-FB63 | | 5. http://4kqd3hmqgptupi3p.onion.to/2A7B-2A5E-BF5B-006D-FB63 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://4kqd3hmqgptupi3p.onion/2A7B-2A5E-BF5B-006D-FB63 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63

http://4kqd3hmqgptupi3p.o08a6d.top/2A7B-2A5E-BF5B-006D-FB63

http://4kqd3hmqgptupi3p.6ntrb6.top/2A7B-2A5E-BF5B-006D-FB63

http://4kqd3hmqgptupi3p.vrid8l.top/2A7B-2A5E-BF5B-006D-FB63

http://4kqd3hmqgptupi3p.onion.to/2A7B-2A5E-BF5B-006D-FB63

http://4kqd3hmqgptupi3p.onion/2A7B-2A5E-BF5B-006D-FB63

Extracted

Path

C:\Users\Admin\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63" target="_blank">http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63</a></li> <li><a href="http://4kqd3hmqgptupi3p.o08a6d.top/2A7B-2A5E-BF5B-006D-FB63" target="_blank">http://4kqd3hmqgptupi3p.o08a6d.top/2A7B-2A5E-BF5B-006D-FB63</a></li> <li><a href="http://4kqd3hmqgptupi3p.6ntrb6.top/2A7B-2A5E-BF5B-006D-FB63" target="_blank">http://4kqd3hmqgptupi3p.6ntrb6.top/2A7B-2A5E-BF5B-006D-FB63</a></li> <li><a href="http://4kqd3hmqgptupi3p.vrid8l.top/2A7B-2A5E-BF5B-006D-FB63" target="_blank">http://4kqd3hmqgptupi3p.vrid8l.top/2A7B-2A5E-BF5B-006D-FB63</a></li> <li><a href="http://4kqd3hmqgptupi3p.onion.to/2A7B-2A5E-BF5B-006D-FB63" target="_blank">http://4kqd3hmqgptupi3p.onion.to/2A7B-2A5E-BF5B-006D-FB63</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63" target="_blank">http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63" target="_blank">http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63" target="_blank">http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://4kqd3hmqgptupi3p.onion/2A7B-2A5E-BF5B-006D-FB63</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (532) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe
      "C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe"
      2⤵
      • Adds policy Run key to start application
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc194d46f8,0x7ffc194d4708,0x7ffc194d4718
          4⤵
            PID:1504
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14919995175993477140,17326916525315298512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 /prefetch:3
            4⤵
              PID:4000
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            3⤵
              PID:2408
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63?auto
              3⤵
              • Enumerates system info in registry
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2392
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc194d46f8,0x7ffc194d4708,0x7ffc194d4718
                4⤵
                  PID:4352
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
                  4⤵
                    PID:3984
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
                    4⤵
                      PID:164
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
                      4⤵
                        PID:1604
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
                        4⤵
                          PID:4188
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                          4⤵
                            PID:1600
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
                            4⤵
                              PID:4800
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
                              4⤵
                                PID:4964
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
                                4⤵
                                  PID:5044
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
                                  4⤵
                                    PID:848
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
                                    4⤵
                                      PID:1300
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
                                      4⤵
                                        PID:2852
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
                                        4⤵
                                          PID:5044
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                        3⤵
                                          PID:4524
                                        • C:\Windows\system32\cmd.exe
                                          /d /c taskkill /t /f /im "fontdrvhost.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe" > NUL
                                          3⤵
                                            PID:3032
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /t /f /im "fontdrvhost.exe"
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2708
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 1 127.0.0.1
                                              4⤵
                                              • Runs ping.exe
                                              PID:908
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /d /c taskkill /t /f /im "4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe" > NUL
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:3644
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /t /f /im "4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe"
                                            3⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1724
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping -n 1 127.0.0.1
                                            3⤵
                                            • Runs ping.exe
                                            PID:4912
                                      • C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe
                                        C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4400
                                      • C:\Windows\system32\AUDIODG.EXE
                                        C:\Windows\system32\AUDIODG.EXE 0x300 0x424
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2148
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:1112
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:5056
                                          • C:\Windows\system32\fontdrvhost.exe
                                            "fontdrvhost.exe"
                                            1⤵
                                              PID:552

                                            Network

                                            MITRE ATT&CK Matrix ATT&CK v13

                                            Persistence

                                            Boot or Logon Autostart Execution

                                            2
                                            T1547

                                            Registry Run Keys / Startup Folder

                                            2
                                            T1547.001

                                            Privilege Escalation

                                            Boot or Logon Autostart Execution

                                            2
                                            T1547

                                            Registry Run Keys / Startup Folder

                                            2
                                            T1547.001

                                            Defense Evasion

                                            Modify Registry

                                            3
                                            T1112

                                            Credential Access

                                            Unsecured Credentials

                                            1
                                            T1552

                                            Credentials In Files

                                            1
                                            T1552.001

                                            Discovery

                                            Network Service Discovery

                                            1
                                            T1046

                                            Query Registry

                                            2
                                            T1012

                                            System Information Discovery

                                            3
                                            T1082

                                            Remote System Discovery

                                            1
                                            T1018

                                            Collection

                                            Data from Local System

                                            1
                                            T1005

                                            Impact

                                            Defacement

                                            1
                                            T1491

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\# DECRYPT MY FILES #.html
                                              Filesize

                                              12KB

                                              MD5

                                              860424f79a5fe26ec6a3ebdd840ba899

                                              SHA1

                                              fe4241e4546e4856cf1a575bab02637dc94096e8

                                              SHA256

                                              ca50106a95f82cae2b8738c86fdc2968b20f97eededbf484f07461a7e71bc694

                                              SHA512

                                              0042d1dc4ee6d4a6f8f3b971c13a9f2a80afa8b6585c37730b5657ecc5b396c0487b89328f15bc756a60e525f802854d66c22fa5ab5a50136acbe7c4b04421a7

                                            • C:\Users\Admin\# DECRYPT MY FILES #.txt
                                              Filesize

                                              10KB

                                              MD5

                                              fdec26a49f63355bb1a9d56721828a9b

                                              SHA1

                                              2151c02fd466b21f92da5db1901463f7a755aa03

                                              SHA256

                                              806dc7096f6e1c572f569ee0750ba82acb39971abfed9927e5c33053fd7fa4de

                                              SHA512

                                              dc2913649696735c5a175f2ee5d75a39db7f0d601db5e7b578bf8165e7ff5f2f290495b6b23b7966442400fda5d19facfd351914c428aab9b60fee9ad4fcc2b7

                                            • C:\Users\Admin\# DECRYPT MY FILES #.url
                                              Filesize

                                              90B

                                              MD5

                                              b7d0e8d7e91159b51afe7bee9e91343d

                                              SHA1

                                              9e764dfcc69702316da6df4077b2318ae731eb43

                                              SHA256

                                              17170c1c243aaa5cdfe8fd2edccb0874e91dd48dadb1d695c49ebe9b4f9c1460

                                              SHA512

                                              d16a081f3491907f1ccd1e6047c021adc5cb0dfc3ed1cce1721c1eb0adc58286a4faafdceef5fc72911aea7eddbc598151ee52ebbab797481aaa3107ec0f5e45

                                            • C:\Users\Admin\# DECRYPT MY FILES #.vbs
                                              Filesize

                                              234B

                                              MD5

                                              6f84dbf74ef41dc3d861f5fb3e0f45ff

                                              SHA1

                                              3e5f17e9b9589f33ce6add7f2518a666ff2253a4

                                              SHA256

                                              df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8

                                              SHA512

                                              9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              eaa3db555ab5bc0cb364826204aad3f0

                                              SHA1

                                              a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

                                              SHA256

                                              ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

                                              SHA512

                                              e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              4b4f91fa1b362ba5341ecb2836438dea

                                              SHA1

                                              9561f5aabed742404d455da735259a2c6781fa07

                                              SHA256

                                              d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

                                              SHA512

                                              fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              6KB

                                              MD5

                                              d1a51b5afb13f899a2fbfcfcd528c5fa

                                              SHA1

                                              023d6114fd05b6b99ce03bd963c2c165a82b9d12

                                              SHA256

                                              d4fd6a1313a357f0ebba7896e7accdbf8c733d16abda1edcf65416c905694cff

                                              SHA512

                                              069e00425507a6cd1128b60e95b9da8d9531e7ee4fbefea02671b082defba2cb0251b93680eb5c5acec4e0712910e75475328df09392938ddcb647d581ce2419

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              6752a1d65b201c13b62ea44016eb221f

                                              SHA1

                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                              SHA256

                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                              SHA512

                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fb8dea58-d364-49f2-8522-094e15a4ec6c.tmp
                                              Filesize

                                              5KB

                                              MD5

                                              921334ccf9b932f12f82105d0a440ad6

                                              SHA1

                                              efa6ebfc7f05faf6eeaf706ced4010711883c573

                                              SHA256

                                              64145ff5711a14c98b16f349b7caa41349c46dc9fc7a4bc5bf477c7e6e89deb4

                                              SHA512

                                              b0226148b46777180a976dc8960c805ee99d85fcab20630b0426d14285c676186575dade3a3d3825b8b4ec04667aabb704f90f3a0a16b71a5082895cb05446c0

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              8KB

                                              MD5

                                              c42551f80d99434b3c493402d12ae4ad

                                              SHA1

                                              ae8f846bac415a111e38232179e92d2ebca05fab

                                              SHA256

                                              8203bc2e939d301a6bc4b13c228ed7eb3dfe30121234cf9e7fb3008d3e7476e6

                                              SHA512

                                              bcfa48a2016fd7b6d856c1602034dcc555108f3c1326bec2bc70c2315401b563a4f5e669b0161b33f3873995b0dbba2bc6c3d0862adb76ff0c3f0d65d3839d27

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              11KB

                                              MD5

                                              c9e71a3dbacc7932fccd9c3b2c08afb5

                                              SHA1

                                              6351de45ba79e672c3427282a44b7fd4047a70cb

                                              SHA256

                                              6e4b82569fc4e377226dd9058a40a6af6e09f58faf5bff28c950fd254f05e91c

                                              SHA512

                                              25315bb69b4b764cd4ce99be9d4b6c6f10ec0d78957a44d3d11c498d49ff43d2317d69690307203a0d6cd3a3094410692c95289b9fb0078b4adb7143eea6a37f

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontdrvhost.lnk
                                              Filesize

                                              1KB

                                              MD5

                                              7d3afb110a9ea4f45d0553048d0f7224

                                              SHA1

                                              e81acedad9b8cd161b2ec49d5d98d7c5c84bea53

                                              SHA256

                                              01bf6236ad48ebdf04ecc1e8c07f67ed65fb35acda85ad3053000e9ce4cad5e9

                                              SHA512

                                              31d244d9fc406c762c8b8beab05b8d1528882c91b4ba0295d96a32ff420d956c1e431e3dbb85e8d7ee6ae4ccbd8c5728b9c82814db81d669ff457898771509a4

                                            • C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe
                                              Filesize

                                              237KB

                                              MD5

                                              4a91d6952c9e040e6c17662cfc271b62

                                              SHA1

                                              09a6a44e25bd15841b97381c603fe3a16a0dd68d

                                              SHA256

                                              89990552456235fc80e303433ef6609ce137d9c74016bf9c14218125edbe8854

                                              SHA512

                                              ccd64aefbb628ae2c39cfc5ed685f5f4b8ea0d093484290c1ade7a4174b4e556791ff23db34c97f00eb21244e4990ea696402c0f72ced0292e1b9a5c20b08950

                                            • \??\pipe\LOCAL\crashpad_2392_FKAJHGMNCXBEIBTK
                                              MD5

                                              d41d8cd98f00b204e9800998ecf8427e

                                              SHA1

                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                              SHA256

                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                              SHA512

                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                            • memory/916-13-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/916-0-0x0000000000CB0000-0x0000000000CD1000-memory.dmp
                                              Filesize

                                              132KB

                                            • memory/916-2-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/916-1-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4400-20-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4400-19-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-342-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-316-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-325-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-347-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-355-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-353-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-349-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-351-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-345-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-331-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-328-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-322-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-319-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-334-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-313-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-306-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-30-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-29-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-25-0x0000000000400000-0x000000000043E000-memory.dmp
                                              Filesize

                                              248KB

                                            • memory/4752-24-0x0000000000400000-0x000000000043E000-memory.dmp
                                              Filesize

                                              248KB

                                            • memory/4752-16-0x0000000006790000-0x0000000006791000-memory.dmp
                                              Filesize

                                              4KB

                                            • memory/4752-430-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-432-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-12-0x0000000000400000-0x000000000043E000-memory.dmp
                                              Filesize

                                              248KB

                                            • memory/4752-11-0x0000000000400000-0x0000000000424000-memory.dmp
                                              Filesize

                                              144KB

                                            • memory/4752-10-0x0000000000400000-0x000000000043E000-memory.dmp
                                              Filesize

                                              248KB