Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 07:10

General

  • Target

    5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe

  • Size

    141KB

  • MD5

    5385bc77d15ea3cc312e6b096cc1db49

  • SHA1

    d62e03afacbb767a5611819e7fc763e89e5ac7af

  • SHA256

    70db66462514a8185655f31284029ec4c49ecc38ad2bb6ff0cfb17f4e35ceff1

  • SHA512

    453ecfef449dc3c20c462dc8943092038f979d2bc89332dd1f146535d8aef81ab9b348c8f7d6405daeb8775b006ec2dd39d9c4bb86dbac093cced224b0b979d7

  • SSDEEP

    3072:DLyk7G0MseogKoyGjrndJM94IXcoApIxwDjLfA+IehhyKdOTF:DL9G0ocoyGjM94IsDVDjLGT

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1 | | 2. http://cerberhhyed5frqa.slr849.win/404F-2305-2DCF-0063-7FF1 | | 3. http://cerberhhyed5frqa.ret5kr.win/404F-2305-2DCF-0063-7FF1 | | 4. http://cerberhhyed5frqa.zgf48j.win/404F-2305-2DCF-0063-7FF1 | | 5. http://cerberhhyed5frqa.xltnet.win/404F-2305-2DCF-0063-7FF1 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/404F-2305-2DCF-0063-7FF1 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1

http://cerberhhyed5frqa.slr849.win/404F-2305-2DCF-0063-7FF1

http://cerberhhyed5frqa.ret5kr.win/404F-2305-2DCF-0063-7FF1

http://cerberhhyed5frqa.zgf48j.win/404F-2305-2DCF-0063-7FF1

http://cerberhhyed5frqa.xltnet.win/404F-2305-2DCF-0063-7FF1

http://cerberhhyed5frqa.onion/404F-2305-2DCF-0063-7FF1

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1" target="_blank">http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1</a></li> <li><a href="http://cerberhhyed5frqa.slr849.win/404F-2305-2DCF-0063-7FF1" target="_blank">http://cerberhhyed5frqa.slr849.win/404F-2305-2DCF-0063-7FF1</a></li> <li><a href="http://cerberhhyed5frqa.ret5kr.win/404F-2305-2DCF-0063-7FF1" target="_blank">http://cerberhhyed5frqa.ret5kr.win/404F-2305-2DCF-0063-7FF1</a></li> <li><a href="http://cerberhhyed5frqa.zgf48j.win/404F-2305-2DCF-0063-7FF1" target="_blank">http://cerberhhyed5frqa.zgf48j.win/404F-2305-2DCF-0063-7FF1</a></li> <li><a href="http://cerberhhyed5frqa.xltnet.win/404F-2305-2DCF-0063-7FF1" target="_blank">http://cerberhhyed5frqa.xltnet.win/404F-2305-2DCF-0063-7FF1</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1" target="_blank">http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1" target="_blank">http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1" target="_blank">http://cerberhhyed5frqa.xlfp45.win/404F-2305-2DCF-0063-7FF1</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/404F-2305-2DCF-0063-7FF1</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Contacts a large (16393) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\autochk.exe
      "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\autochk.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2360
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:756
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:812
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2208
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2068
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:406530 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2012
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1900
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:2288
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "autochk.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\autochk.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1824
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "autochk.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:328
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:1644
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2660
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:2448
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2232
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:2504

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Execution

        Windows Management Instrumentation

        1
        T1047

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Defense Evasion

        Indicator Removal

        2
        T1070

        File Deletion

        2
        T1070.004

        Modify Registry

        4
        T1112

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Network Service Discovery

        2
        T1046

        System Information Discovery

        2
        T1082

        Remote System Discovery

        1
        T1018

        Collection

        Data from Local System

        1
        T1005

        Impact

        Inhibit System Recovery

        3
        T1490

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html
          Filesize

          12KB

          MD5

          0e9255fc07cee0edad474b10d56649f6

          SHA1

          8ff017fce7fc1ac4de8386473459497585e74423

          SHA256

          33d25dace91c4edf44d466ec1baf252d839c67ec0a65b60c63402d26aed7d705

          SHA512

          d04f10dc1ba2d541769fa081eee7ef79956f679ab909e2c888f36c5c3ff529d19379fbe47de108c18fa6786bead82fdfd6cc7594f78f9207e81992da4ebbd92b

        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt
          Filesize

          10KB

          MD5

          d6cd92dd327ce77e5b1d42f2bfabcca1

          SHA1

          878561601af989d423e399e63635324f88148fe4

          SHA256

          7b7c8f45fe25cbb2c439593cd3cbdc733050aeb89072dede45dc7b4544a73895

          SHA512

          5d1332452e023c921eee6c4262acee4e8bdf93281bc4c31f41c3fe375cea0ae8239c2ad5478ea8a470da684c8f3c5792e28e4bda84503b389148750a02c7cd36

        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.url
          Filesize

          85B

          MD5

          5a97d9fd78601f3e8bc4ecc92292b258

          SHA1

          ed8edd1ae371e4877f8fe5f2966a1bf78560e926

          SHA256

          3cbcfd06a3748b956526bd4e10bef22b600288645a143bf88fe848685b3f1547

          SHA512

          eeb6f2049a82fa67763b80a82d1f60f3d42286afb571806c850d46540c20198fd89502fca3a84d43286a7fc7b45af59c81707f6c25d360cbf7332f33d0eac752

        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.vbs
          Filesize

          219B

          MD5

          35a3e3b45dcfc1e6c4fd4a160873a0d1

          SHA1

          a0bcc855f2b75d82cbaae3a8710f816956e94b37

          SHA256

          8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

          SHA512

          6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
          Filesize

          914B

          MD5

          e4a68ac854ac5242460afd72481b2a44

          SHA1

          df3c24f9bfd666761b268073fe06d1cc8d4f82a4

          SHA256

          cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

          SHA512

          5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
          Filesize

          252B

          MD5

          5a7c9f5ae931284f5b56d95b104cd13b

          SHA1

          504c25a6ef5f7ca73aee6e8c099126eb5d6b4a99

          SHA256

          b24d72cfdb64117d56b9593a2de8260a5531ba125c914e8464a3608f03d501af

          SHA512

          82c63da710adc495eb1cd8c82f470356925a6dcab9bfd5959b09102533d64cfcaed266a828946bcb0f2c27cc856a5ec3e98e1e59ca21ea2a20588222d3e07cbe

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          483b0558764e2d912f48e39e3f83e2ee

          SHA1

          3283617f1bf93f0c4b55153e494476af38eba928

          SHA256

          bd480a8061982e1ddc8a1dcf7f765c4edddc937e9c0cf6715afea32ed248a5f1

          SHA512

          56eb652e1a49d2c9fa6998090a9da5952e2c1c313c1b1d6c622fce089dac8778fb16d96d21d805f6698517beeb9878bfb1780748addb64fb2445582ba2fb6b5d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          82879ff16e6c5cd17e0a00940afdd7ad

          SHA1

          2fed58ebd9674ea0d0e3a4c40ba02a9630f17f7a

          SHA256

          b234433ad3daab4d74780d75e511ac5595e6a6deae6e908fbb45cbeb96c74573

          SHA512

          4d88cc2d309c59a92c9f89f6b1d0b629a4b34f6e674319c9653aa7179c81e73a74ca20137521a1f0063b671c4f628c9d8d6e2a177da1df98585faeedbec80606

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d5664cea96c6d4077b0f4f8d0073aeab

          SHA1

          038c3e5acf27391cd4b89d300f93c1a09fcfcb6d

          SHA256

          79869e8393820090834dca11ff726bb61a06af0d491a09b9ddb7195ce84ef2ba

          SHA512

          78a132292df671366a08251b4976ec5eb1b39637b4a27c7fc1abc0ba16c67501bf1a0c59f49267db88c568bdf3fce98efc7d5e7fc92236e224eb00ba80e91210

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          ef325c6aab20cc1a69926b4daae3e66e

          SHA1

          0b43956ae1d80d1115da5b5eebb8eff7b6a5ab87

          SHA256

          adb096feabd7373d335df95ec92a6a3ca0e6d3229914fb8cce08a9e29322fd9e

          SHA512

          fcc66279f8fb8ef9147811f30dd802157202daf0393d82712aeb93de9f9c9bd9ffafe9e988b8f5f757af65e634cab2fb23c46103da2f2506b5d677b1d082f89a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d00a0badc2c3e6a3d66b3d34652f53e3

          SHA1

          61b8e256875c9835553db7bf876f5e065de13656

          SHA256

          d7373df1df4864110cc946b725dec88705d9b590d35e38dea04c0da9b9ba7e6a

          SHA512

          42d4a034097bc55229d3cfdbeb647906de66aabdb1044c84660353ffccf3958caef9690e72f4ecf8abca0cdb055219890f635c60ad29bfc5b1d62a7d2afd391a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          bbee6a06ca6503932d983ad86b0b37f6

          SHA1

          975c88d6291568871e1240a2e2d03986170e96d8

          SHA256

          fa14aaa24950f0f4785a5ce0e1e229dd202512652141abadafc5af86d591478e

          SHA512

          b7c1664abee66b82cc2111a86d61d7a197c9549e6b406ef183a8b9cd10edabe7a3b322f22439f895ccfe8b7b8aa9b64579379d3aa8d0775954034ad7623397d6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d455b2b079670d4b3c2d689883fc3a22

          SHA1

          e0a7d9aba59c5b8f23906c5b313101119e7e3992

          SHA256

          b84fbad3228c6e449e5717e15262ec61f6f16c0b35c2c5765f536674ed769137

          SHA512

          eff6d11c650aad69fde760f19f190c6bd862b0dc7305c90799c2fb1464a4fb81f7d4c4f89189b9a26bfb7dcb7ae4cc5fc2c5df5c6bf3748a9efde4e3e241ae93

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          f6612e0a0347d7426d2a1130e7715fcd

          SHA1

          ff1fe13ce53653bf368f60c6c2982e58518d9233

          SHA256

          36206fa09722746fd01a08163d4694270bf671c5f115030c6524839e836b1b66

          SHA512

          f8a984e0cf61b40806af0280a5d4bc8c460dbf90a036ff5e39c000851d6e9b26ff3862293870d785ddd79c6d18fd912bd0a838aa8686af29845e9e522dbf4823

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          093b6f54f47ce6059f2f5218fafacd53

          SHA1

          9f4e9fe71d170a0ad7ab862889416d02b2e7b010

          SHA256

          9641d079b9a3b35a1119888f0b49a1a7b68aacbabcffceada645b981cf87d0ec

          SHA512

          8ae24a0ae3620b0f836d1054933f6d6f33bd9c600874db6e051c72283739c146ac6771317fb55d827c47e40fc6bc6ea110d894c0d408110223535fd052e01c5b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          409ac9fbcf1fb5d046ffffa7ea8bf6f6

          SHA1

          3eaa855e186306481bedd999e546e553f5671ad0

          SHA256

          49264bbb8ff1b694a9eeb58beb3d9048877dce28aa4e316f820ed42182a78c8f

          SHA512

          10e2e75a342dddec7b3a2477c11df76d08982d3c331ebf206ff7c2e6d8fd211702ef8eca081194128f79803cc8eaa97bd803643de99c794a6420961c9e8fb906

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          e0010678171c49ed6d36a007c031f42a

          SHA1

          f08ec514289c83e6ba94c596929e87dbe1e0998e

          SHA256

          fdd5ae6e05295b582463bbd7cf666584bafc733496c6b5dd42564f62bb32b945

          SHA512

          6cc36a57449a36bfa1826d0bcd6a470ee56e7593abb64d612416a628445013160257cd5fd4ec886a3960b56214bfe0382ec544a59e3521170ba9846897de14cf

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          51c4f428b685569d6ea5a98820b2cf40

          SHA1

          07274bd553dc308a8d50eca7844880f7588420a7

          SHA256

          1f663bb8f521e978e95524c75ff95acf40442d4721309bf79065846156c301ea

          SHA512

          c6b631522d5dd6bdd05201dbf95182c6f5a7cbe5ebd14f65103862034214a91fb1c4612514aecc0c8febb138668fa1c489acac475e50d9d0311ef097c105e1be

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          35788953d88fbfe052a9b0914fcd2019

          SHA1

          9e1a5611a6daa25398232542126d0688d322eca6

          SHA256

          90e9d622f6974fce79543e491cc33f007a13def3c123f4a6effdad025362e41d

          SHA512

          f55c2e082de750719bcebf773868cffc62be27b15e241791ee05aaf46f98f860879d2db92f4e07829fd70db87a303704e28b78f93902aa8609c2115d0a113aff

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          4e20d300abd1192bd10da81fdcc295da

          SHA1

          affba6dee1cd70e0e89f70b4448dcdb01782794f

          SHA256

          64fc5a5dccfd4e26d93e8e154fd43293b1de637530473804fe5b7839a897cd41

          SHA512

          6a246f10981e48b26ba4ecf4d9a83af9c7b3eb0cad97e2bbe76ab58d4248bf0213a8b81486334b9c530528280610583d1bd581148388e878bc6ea680e7bfe3f7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          b77a51351f0ec8e3ca66700bed29c9f5

          SHA1

          391834d249ba4d1f0023372f0fde7003b416c851

          SHA256

          9bc39afd2cef87376711f2fdd581c1befb469b38ad55b123173fb0c23fd1cba3

          SHA512

          c0db9fd2d73fed0a2b9dfaf4fc8d91758049b107542718ed1c10ccd116fd83fdeaaaeecc1185e0eaa41058586e90d49d6b53c87c2c258774b5b9a8b47b6ef357

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d37e0dd5c1dc3c58ac2a5d1e3f6ab293

          SHA1

          868892e4c2bb85412db649fb34979cb5097b0446

          SHA256

          43653419e2420e6b0dc74ce60cc12bf5ba46cd5724b0fc176ecd0797c6fb7517

          SHA512

          b020720a1857968901e3e9e0b2ddc55c87fefe583d6a8173a1990ed562ef841f70cb6dea2fb5e87f542f287e0817859d56ffd9662691d6a365927bb267286204

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          844e41f8cfddee356333f504bdafb586

          SHA1

          8e36947685a1a4bbcd858dc1a3407ecdf5723ef1

          SHA256

          f143a659b83c6de1fd86ccac9e2dff38a1b60a6b9526fdad18512c40a3ed41d1

          SHA512

          013f9f85a9e86a072998a5a22da59f7bdb87be53d51589a7d34b7deab0e79ad508b6441c1dbaa74c63251efd3b51c3cfd6e406a07de9e346d5184153f6ef29f5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          b84e238d914d8b7fb4f46eeb41e1039a

          SHA1

          fdb745e3d3e193d0ba9d6f9118d6e7575ca755ef

          SHA256

          c545920bc9cc88e3c323ee6b3c801bcdc9684371e4a159a382f652d2ebc1cf78

          SHA512

          cf7245a6dffdc8e4605ff301fbc8c9b28359b8c4e35695e94a1f35c6a9f49899483817b6f41f72742a1110e8b125f486b9ea24100f6dcbacef0bdc916f3d9979

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
          Filesize

          242B

          MD5

          118acd9b0b3256e0412ad9f1facdd8fc

          SHA1

          ea2c98347d27296d8644aad68d0c050e12dfb36c

          SHA256

          a707bc6953a1567eff66a82b41d1aaccea11aeccab3fca4f72cb44092981a772

          SHA512

          60bce51998f4f3723c37ae8e6f4020a188602c7beec3a3cdd594b9e879a9396c0c071534483f2d2d43b70ea30d004e47fe231815c248662c9ae1fb1af6b269a4

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8803F81-14E5-11EF-8221-D669B05BD432}.dat
          Filesize

          5KB

          MD5

          dd51ce17c5b3dfa31d17973d45085450

          SHA1

          427d5acde2ab6826ec420e8474492400f69dc57d

          SHA256

          4477170af09b45d8be08bce75a0acb943efe4c01be6b722e4c7dc1e084daa151

          SHA512

          d8890ff6ad3cf2d2fadce27f55b0cf25a32dee7f77f0d2476903acdde6ac9bd0dd64e906f88686754b587c79b4e797b40e0b489a7661d0dcfab3fcfafd81c881

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DA8WR3QW\favicon[1].ico
          Filesize

          4KB

          MD5

          da597791be3b6e732f0bc8b20e38ee62

          SHA1

          1125c45d285c360542027d7554a5c442288974de

          SHA256

          5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

          SHA512

          d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

        • C:\Users\Admin\AppData\Local\Temp\Tar106B.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\autochk.lnk
          Filesize

          1KB

          MD5

          dc67c1206515b7cb47d1f943daf9112f

          SHA1

          69603a383791d58187c3590f47cfa4c160e686ac

          SHA256

          8e8a4212b624b564f4b736f4694148537e3fb0071484b7c21161ad0ea38c4703

          SHA512

          edf0677819d6607ccd178cb841bbc839c86576e67b6b3820e69bf9e3b3c8ceaf6dbd9c84f311c636930cef7914eba6a551ceff8dc6c457547016e6b67d01f95f

        • \Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\autochk.exe
          Filesize

          141KB

          MD5

          5385bc77d15ea3cc312e6b096cc1db49

          SHA1

          d62e03afacbb767a5611819e7fc763e89e5ac7af

          SHA256

          70db66462514a8185655f31284029ec4c49ecc38ad2bb6ff0cfb17f4e35ceff1

          SHA512

          453ecfef449dc3c20c462dc8943092038f979d2bc89332dd1f146535d8aef81ab9b348c8f7d6405daeb8775b006ec2dd39d9c4bb86dbac093cced224b0b979d7

        • memory/1196-1027-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/1196-17-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/1196-26-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/1196-29-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/1196-27-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/1196-420-0x0000000003C20000-0x0000000003C22000-memory.dmp
          Filesize

          8KB

        • memory/1196-24-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
          Filesize

          4KB

        • memory/1196-433-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/1196-14-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/1196-19-0x0000000001DF0000-0x0000000001E00000-memory.dmp
          Filesize

          64KB

        • memory/3048-0-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/3048-21-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/3048-8-0x0000000001CF0000-0x0000000001D18000-memory.dmp
          Filesize

          160KB

        • memory/3048-22-0x0000000001CF0000-0x0000000001D18000-memory.dmp
          Filesize

          160KB

        • memory/3048-2-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

        • memory/3048-1-0x00000000003A0000-0x00000000003B6000-memory.dmp
          Filesize

          88KB