Analysis

  • max time kernel
    134s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2024 02:06

General

  • Target

    ca85eb1996d4db468a69cc4cc43a598e_JaffaCakes118.exe

  • Size

    356KB

  • MD5

    ca85eb1996d4db468a69cc4cc43a598e

  • SHA1

    2b6ffcb70c4482e8c90c6a4b05891f8db98eb062

  • SHA256

    468950756d28331ea2f2f87e1fbfeda4da535f911170daffc47da958f6289d1a

  • SHA512

    dd7502797d24965f14c5a22dc1146121b3ce7cfeea901d88a635e7bdf8761f020a098e2fdb921ac841dc32ce65820379efb9d5f7134650ecc8eb8ce64c945cba

  • SSDEEP

    3072:y9U6q94HVacKvR1Pk9LB4MaodiA8v1QSmUJ8TX+:y9U3GlarodiTxmUIu

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4 | | 2. http://cerberhhyed5frqa.45tori.win/6FEC-A386-4201-0063-79D4 | | 3. http://cerberhhyed5frqa.fkr84i.win/6FEC-A386-4201-0063-79D4 | | 4. 
http://cerberhhyed5frqa.fkri48.win/6FEC-A386-4201-0063-79D4 | | 5. http://cerberhhyed5frqa.djre89.win/6FEC-A386-4201-0063-79D4 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/6FEC-A386-4201-0063-79D4 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4

http://cerberhhyed5frqa.45tori.win/6FEC-A386-4201-0063-79D4

http://cerberhhyed5frqa.fkr84i.win/6FEC-A386-4201-0063-79D4

http://cerberhhyed5frqa.fkri48.win/6FEC-A386-4201-0063-79D4

http://cerberhhyed5frqa.djre89.win/6FEC-A386-4201-0063-79D4

http://cerberhhyed5frqa.onion/6FEC-A386-4201-0063-79D4

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4" target="_blank">http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4</a></li> <li><a href="http://cerberhhyed5frqa.45tori.win/6FEC-A386-4201-0063-79D4" target="_blank">http://cerberhhyed5frqa.45tori.win/6FEC-A386-4201-0063-79D4</a></li> <li><a href="http://cerberhhyed5frqa.fkr84i.win/6FEC-A386-4201-0063-79D4" target="_blank">http://cerberhhyed5frqa.fkr84i.win/6FEC-A386-4201-0063-79D4</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/6FEC-A386-4201-0063-79D4" target="_blank">http://cerberhhyed5frqa.fkri48.win/6FEC-A386-4201-0063-79D4</a></li> <li><a href="http://cerberhhyed5frqa.djre89.win/6FEC-A386-4201-0063-79D4" target="_blank">http://cerberhhyed5frqa.djre89.win/6FEC-A386-4201-0063-79D4</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4" target="_blank">http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4" target="_blank">http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4" target="_blank">http://cerberhhyed5frqa.vmfu48.win/6FEC-A386-4201-0063-79D4</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/6FEC-A386-4201-0063-79D4</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Contacts a large (16390) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca85eb1996d4db468a69cc4cc43a598e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ca85eb1996d4db468a69cc4cc43a598e_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Roaming\{DD459DAE-5E5E-3671-9AE2-982F791F22E2}\wusa.exe
      "C:\Users\Admin\AppData\Roaming\{DD459DAE-5E5E-3671-9AE2-982F791F22E2}\wusa.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2604
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2760
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1832
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1028
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3360
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3452
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:537601 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3608
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:3372
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:3736
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "wusa.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{DD459DAE-5E5E-3671-9AE2-982F791F22E2}\wusa.exe" > NUL
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2268
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "wusa.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3928
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1764
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "ca85eb1996d4db468a69cc4cc43a598e_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\ca85eb1996d4db468a69cc4cc43a598e_JaffaCakes118.exe" > NUL
          2⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "ca85eb1996d4db468a69cc4cc43a598e_JaffaCakes118.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2596
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2104
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3440 CREDAT:275457 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3544
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
        • System Location Discovery: System Language Discovery
        PID:3804
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4f8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3876

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

        Filesize

        219B

        MD5

        35a3e3b45dcfc1e6c4fd4a160873a0d1

        SHA1

        a0bcc855f2b75d82cbaae3a8710f816956e94b37

        SHA256

        8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

        SHA512

        6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

      • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

        Filesize

        12KB

        MD5

        93b41b9522f531fa8a37dd0f1e051c20

        SHA1

        e6c354e77f7b986029fbe4ca568600da9f5063ac

        SHA256

        56e14b016a86f2f56a70edd9e8ccd8c16308cabb3d50bd8a9595d5d46678082a

        SHA512

        9084fff656929da2b3b7ec1722b78460d0a25e3ebdf93a6972637c78f229efa53380ff2f0bae15143dc3601ffbf0728a3fcaf986e6bd8b32894e506fd745bd0f

      • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

        Filesize

        10KB

        MD5

        6aea2a67df7ded3060a52ae7ff831938

        SHA1

        6b6fb0417a292c31be7e5454bacf1e7163b8b3c0

        SHA256

        07ec9e356daacaddd300dbe99fc4092f4661c3ac0bbfd7008fd175f6308160f4

        SHA512

        9b09f3c8611e3c90253e0d59b1b2d628066de4c67725203bff102696ad76e66cc4810ee5c1bbd4a09a67d49053f78ead794794101232b3d42a1c56cf5f725443

      • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

        Filesize

        85B

        MD5

        1eb0a3389fb9c1a49f182a769e7c0dc6

        SHA1

        f2fc8ae233fa706a20fc6e17635c3819bc897cfa

        SHA256

        75fc3d80f940c2726f576ffe5a6cd57cb62edb15f1004a1f6ffd048093a82aa2

        SHA512

        ccb373dc9fa99cb9c2fceece12dd4cfe15ba688f0724b920661cbe1600108b78cee7134448a664dd6753dc842a228b855c84b210358b699c7583d029d314cc17

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        f56447b4262947e0a12c097eaee63f0b

        SHA1

        04bf83d4a0735e1423ad50242c371ea0808f28bd

        SHA256

        4a978124ab2dfc9f5ebec8504a196dacc2fa432b852faaeb868dba96a09126d6

        SHA512

        259c5ae36ce826aad70d63b4656f53436ea78f73b3cd17b0277f70aef1b322f9abc2e49725356fcb4efa01b1f987d12d8e984523f4b737f27baca1a94408ea25

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        29bf6766dbd69b417a9d92af55cbabc0

        SHA1

        309d0c47e07e92a0dc907e53119fc1d0968954b6

        SHA256

        fcaf407cd516f5f65bde3ae39c23fce17fdefc27ee0c4ba9db5604ce83a0a902

        SHA512

        3c7fa5c5e6dbae4e2c2ed93135b2c44f8f2b71f2c5ed53dd0e1d851cada29e9e4f99c6e2af60c667e6a8fe8e4951a2448ed5c8c144485274bb8f1d5c15983000

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        bd0ca81504529b925e39b151e959e4ca

        SHA1

        392f6b111bc9fb7db3dcecfbeed64c7b45a4da3e

        SHA256

        74a338af591c3ed5d3bb0676a2e5b60390a78c588efd754d4f6e594f41e3b728

        SHA512

        c830ff771791c8a415717f3d43713449c497bd17ae10da18eec5a2111ef9502e6728454e44fc80a3a0370f2207161ebba5526722a597cccff84a60500a0b2e9f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        ab87344fb15a58f5fcd8ea4bc606636e

        SHA1

        3eea80aad047e51bba30d1d50353ea3068b22b57

        SHA256

        edcb030925e01ebcebf01241e4de1e1678569638eff37430fdbd96e9b633ad1e

        SHA512

        5ffb48c002d518b4406b428ecc62e178b67c0578bd2dd6760b62cd3f9436a3e239af55bd20aae8e68f366525059aec85071e57380069aec22a98cd697ae3a2bf

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        063f1e3ba195e93629fa99bee638f1af

        SHA1

        dabab24eaa5cbcc99747f8f87221e13d1748a72b

        SHA256

        aa767ca99e1e9bdc336b8e6f40c71d08bc1c31539613ee670ff295925da102cd

        SHA512

        4ccdfb15f81eea33eb0415f1a90fee377af6538b8f403397fd15f3699ecf09fa07e371a8e5c43f8b0d3d0fb80f9e2087c8e17b480a175eee0cd540898d5f7860

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        84e432502acc8d176e71bb0e55907f25

        SHA1

        a78b265b2e6445641751bea217185cdbf943de17

        SHA256

        44d8ba66811db06669dfb1dd349b95630a331c1191053bcd0719b527af318049

        SHA512

        87dcce9392e70cc97f6292e6182c9cfe195516c971546bc1388109fbeded37c5760518f997f4af28247f6295e17a9e094c5ab4b10602133b352632f23f3d7c40

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        6456b280080d7eab77639deefd52f922

        SHA1

        2bfb9a4e3ad9afe1eafa27a9fdb2621a39270cb3

        SHA256

        31860a71d1e419f4cfd2e265c32a0de3ad86dc1a995770ca9de4f0abbf0ca11b

        SHA512

        0f4ac7d5fa082faae7e2e829782e8a205154140f884e390b48187072df6016c0a0eee95a046a643cefc2616f60e50e76e3de5c29caed99ca6dfb0f7874b44a17

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        f9400f75e41d8c87b87b08a033c29e6e

        SHA1

        f1dcc740d8e183eb2d0c0a50feb2511205f1f333

        SHA256

        312621d36c1fdadbff04ab47c88de81eade2b1be8848b596df62cc286b09e159

        SHA512

        78b10957cf71037f47795cc83be4e5936e45cf001760e7aafa27b87c102888c31bee89878da9e79315dd188497b441992429b1f25d1efa30cd69272112ab232c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        1e2ac9289cf9fc8f0ed9ce44a869fe6b

        SHA1

        b046e3fd3a07c008bb6f77664fce301734430bae

        SHA256

        544807329625d9089145c5e8a46ed743f4104fda090f2013f1668095aac6b61c

        SHA512

        f76fb17a1b2d87c4ab86a0317827134da1cecf91e77c78c473e770f2c9f189ba6c22327be1431f621c6f7f24744129a48f611f930aa92fe116e700cc2799a7e0

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        72d188fdf18194d27d32c641a3e85f54

        SHA1

        032b7446a0f0cc2fe434661a6697a00b02337f94

        SHA256

        f9799a7503e5f2b8eb1fe39b584c0478f235dd17c0dc26967db8d2e0f13a9a2c

        SHA512

        45cf712e78bf963ef6216dfa6233a51ab7a5e0d61bc768e5ff639d54a737d386629617b6affb605e4540f42807437cb610acc6df500503c3a3c0aa87c14ccec3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        39c2230ffb5a159ac5efe8cb2cec7b7a

        SHA1

        82de0760802cc4ac147b48c1360cda30b21881c6

        SHA256

        bf65d2b6006bf2084384cec1eff32dd172270c9e7d036abfee529b71ac629180

        SHA512

        bdf8233577227c9bd73d6c9e8a42fbd9b96e027d961aa20bf67447ac32a6818883ef4544564845966d389f632eec00342131c245e136d944bcaa0435d147f253

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        06152657d21562577826ffd99fc39dbe

        SHA1

        925888170571528c0dee156f600c0a63fcd4a2d8

        SHA256

        a71700004330bef6c4737740cf176d7a865e5661df96320a5f1dfdb602e53b60

        SHA512

        626ea4b410e07a8026072aea385ab9554eb3d1bd3a0c1ddfb4b48979dc35474515dc853e1d8084081e207d61a100b729bc7156675a7fdd24732dff8be7707a8f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        d35291884b3bf763a93c3c680ae8c577

        SHA1

        50e13f658175bcedaacd42b17ca7fe37561ffabd

        SHA256

        7696dfbb436ccf2e2ca2f57ffffa1415f334342ffd93fc3052aaf9c310e502f2

        SHA512

        d5656d775922ec27a2921aaa35ef3869fbf580176b3502f9f0ad20b5173b25524b1713a91ac872e80bb923f570faa0a3bd84537a0cedc387db8f1d76d92633f2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        825f06894313b340f9c1592fbdb6ac60

        SHA1

        3ae846f7b7424d2c167d1cd6b8fa60cbeef1c1f8

        SHA256

        724e909b889433742aa163860c1975cb93d4374fd299b29b0ab674929260f1a6

        SHA512

        6a2696ab4b3471f0dfccd3fb54f2137c8f1699cc936cb4f1ade9277c2ac627d818db3c839a122fef4a2876d605144324ac6d7ac204436503cd5b435e66644d0a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        22cb50a18cf5e77e0384fe75f300ffb9

        SHA1

        746e338e410eb3909fec877a355efcc5512f4c7c

        SHA256

        f6ffdd0e4d7d09c195d04535ce0430e1dc32d5bfaeff1c753d582464ac56a04f

        SHA512

        4a0c605a416122e2764fbe7debf1d6d2e19c0edd9bb8b58cad620de90f40c4bc2a35dd4ea2810c98b49772a80449140922b50c6778392d25050c2886b630ece9

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        626795e108ecabfe695b9c062ef3efdd

        SHA1

        a44f151265b717966e2be7282e7e3c1b063c699b

        SHA256

        f952fbf269ca28dfff4d49d2064def2dae9421c861025fa924629425f1ca34a3

        SHA512

        774e697da28658d1027c46a363c7a4b282891efc4a018b0b99fb812b2b5cc73ad7832c615e70ddd885668cf2ee29cc1b9b46934ede8ef33b9e98126adc3d1f9b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        c8cdb554ad03358c16408be44d0d7402

        SHA1

        e51c614993bec8ef8bc29d0fdec6fa01f36ccb18

        SHA256

        57c6885a9023a735f0b85333aeb38f3130b6680139cb01a4799d63edeb8d7455

        SHA512

        ee52947f355491dd22d75dddf90fd4f398481e912cff237605bd9e8d92254c1b5b6f386616aa8ff6ed70ae9f01abf791a13055e8bd1521a8a297e3ac033fb0bc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        4a322c835669aa0e9f4aa0865ac1f548

        SHA1

        660593ccd54ba21dc26c0c50007a1b1f4b814327

        SHA256

        7adb470a5c1226e9f74246fdd0b0779135661c5f8690c00434f9779996ebc64a

        SHA512

        b20c6f246204cd722977d83c8c5c8f68900a1f9e79f53c81ac6745c8a3170a11dfa5dd9ae018ee9a2eb631083e3782c5c7383379b9797e4d489b85e62e6c10b0

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE6D5471-B376-11EF-B4E2-F64010A3169C}.dat

        Filesize

        5KB

        MD5

        35dd11947271b86816c09e8e75918f04

        SHA1

        bcc77b7c9e58e65a16b8dad78c3dd48e6871192e

        SHA256

        23fb327d01e008de963c4b6ce134dde54511a78e711573dfade0884979b40a35

        SHA512

        020af7fcfb43406dafd1a7eba640659c29e404a63ef64610a90d4a5b8c83bce58decd5409064b06655c31ada44b5464ecd99956782c495094e1cf260f9de33fc

      • C:\Users\Admin\AppData\Local\Temp\CabFC89.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\TarFD49.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wusa.lnk

        Filesize

        1KB

        MD5

        2004ffdf8000c55213282e7eae19ac3f

        SHA1

        04a2283c3c974fdfa6e226cc5fbc84c228d5f968

        SHA256

        449ea97d20206713d39e8056101ac5c05d596033228c0ef21cf6ae14357953fe

        SHA512

        295d7d949870ff2185e12bc1911143138895bf3cadb7ae0cae9947a161f958e504db3fb8e78ddef6ad5e96595542ac7d30c46b439fcc8f1f76e4c24d37ae98cb

      • \Users\Admin\AppData\Roaming\{DD459DAE-5E5E-3671-9AE2-982F791F22E2}\wusa.exe

        Filesize

        356KB

        MD5

        ca85eb1996d4db468a69cc4cc43a598e

        SHA1

        2b6ffcb70c4482e8c90c6a4b05891f8db98eb062

        SHA256

        468950756d28331ea2f2f87e1fbfeda4da535f911170daffc47da958f6289d1a

        SHA512

        dd7502797d24965f14c5a22dc1146121b3ce7cfeea901d88a635e7bdf8761f020a098e2fdb921ac841dc32ce65820379efb9d5f7134650ecc8eb8ce64c945cba

      • memory/2712-467-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-480-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-490-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-488-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-494-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-514-0x0000000005DA0000-0x0000000005DA2000-memory.dmp

        Filesize

        8KB

      • memory/2712-496-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-501-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-504-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-498-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-486-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-476-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-478-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-492-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-482-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-465-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-954-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-14-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-27-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-26-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-24-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2712-22-0x0000000004790000-0x0000000004791000-memory.dmp

        Filesize

        4KB

      • memory/2712-16-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2860-19-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2860-0-0x0000000000130000-0x000000000014E000-memory.dmp

        Filesize

        120KB

      • memory/2860-2-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/2860-1-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB
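The listing above is a flattened key/value dump, one label and one value per line, and most of it is noise: the CryptnetUrlCache metadata, the Internet Explorer RecoveryStore and the Cab/Tar temp files are written by Windows itself. The entries that matter for triage are the four ransom notes under MSOCache, the Startup-folder wusa.lnk, and the GUID-named wusa.exe under AppData\Roaming whose MD5/SHA1/SHA256 equal the submitted sample's. As an added example (not part of the sandbox report), the Python below parses that layout, sorts entries into those buckets, and counts how often each memory region was dumped. The excerpt string is constructed from a subset of the page's entries with SHA1/SHA512 lines dropped; the bucket names, regexes and the reading of the middle number in a memory dump name as a snapshot index are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's "Downloads" list: paths and hashes are
# copied from the page (SHA1/SHA512 lines dropped to keep the sample short).
SAMPLE_SHA256 = "468950756d28331ea2f2f87e1fbfeda4da535f911170daffc47da958f6289d1a"
REPORT_EXCERPT = r"""
• C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
  Filesize
  219B
  MD5
  35a3e3b45dcfc1e6c4fd4a160873a0d1
  SHA256
  8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize
  342B
  MD5
  f56447b4262947e0a12c097eaee63f0b
  SHA256
  4a978124ab2dfc9f5ebec8504a196dacc2fa432b852faaeb868dba96a09126d6
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wusa.lnk
  Filesize
  1KB
  MD5
  2004ffdf8000c55213282e7eae19ac3f
  SHA256
  449ea97d20206713d39e8056101ac5c05d596033228c0ef21cf6ae14357953fe
• \Users\Admin\AppData\Roaming\{DD459DAE-5E5E-3671-9AE2-982F791F22E2}\wusa.exe
  Filesize
  356KB
  MD5
  ca85eb1996d4db468a69cc4cc43a598e
  SHA256
  468950756d28331ea2f2f87e1fbfeda4da535f911170daffc47da958f6289d1a
• memory/2712-467-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize
  128KB
• memory/2712-480-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize
  128KB
• memory/2860-0-0x0000000000130000-0x000000000014E000-memory.dmp
  Filesize
  120KB
"""

FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-F]+)-(0x[0-9A-F]+)-memory\.dmp$", re.I)
RULES = [  # first matching rule wins; labels and patterns are this example's own
    ("ransom-note", re.compile(r"# DECRYPT MY FILES #\.(txt|html|vbs|url)$", re.I)),
    ("persistence", re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.I)),
    ("dropped-exe", re.compile(r"\\AppData\\Roaming\\\{[0-9A-F-]{36}\}\\[^\\]+\.exe$", re.I)),
    ("noise", re.compile(r"CryptnetUrlCache|\\Recovery\\|\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I)),
]

def parse_downloads(text):
    """Turn the flattened 'path / label / value' listing into one dict per entry."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif line in FIELDS:
            pending = line
        elif line and current is not None and pending:
            current[pending] = line
            pending = None
    return entries

def classify(entry, sample_sha256=SAMPLE_SHA256):
    """A dropped file carrying the submitted sample's SHA256 is the persisted
    copy of the malware itself, so that check runs before any path rule."""
    path = entry["path"]
    if MEMORY_RE.match(path):
        return "memory"
    if entry.get("SHA256", "").lower() == sample_sha256.lower():
        return "self-copy"
    for label, pattern in RULES:
        if pattern.search(path):
            return label
    return "unknown"

def memory_regions(entries):
    """Dumps per (pid, start, end): a region dumped many times over the run is
    one the sandbox saw change repeatedly (middle number read as snapshot index)."""
    counts = Counter()
    for e in entries:
        m = MEMORY_RE.match(e["path"])
        if m:
            counts[(int(m.group(1)), m.group(3).lower(), m.group(4).lower())] += 1
    return counts

def triage(text, sample_sha256=SAMPLE_SHA256):
    entries = parse_downloads(text)
    buckets = defaultdict(list)
    for e in entries:
        buckets[classify(e, sample_sha256)].append(e["path"])
    return dict(buckets), memory_regions(entries)

if __name__ == "__main__":
    buckets, regions = triage(REPORT_EXCERPT)
    print(buckets, regions, sep="\n")
```

Run against the full listing, the "self-copy" bucket is what goes into a hash-based block rule, "persistence" and "dropped-exe" give the host-level paths to hunt, and the region counter shows process 2712's 0x400000-0x420000 image range being dumped over and over, which is the region worth carving first when reversing the unpacked payload.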