Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-02-2022 21:26

General

  • Target

    8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe

  • Size

    112KB

  • MD5

    65977152d62265c0f46751874bd45767

  • SHA1

    3b6aaf8ab4eb82062780202248aad45b916376ab

  • SHA256

    8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

  • SHA512

    c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/865A-5B5E-921E-0006-4B9D 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�
URLs

http://decrypttozxybarc.onion/865A-5B5E-921E-0006-4B9D

Signatures

  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 12 IoCs
  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe
    "C:\Users\Admin\AppData\Local\Temp\8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe
      "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe
        "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe" -watchdog
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:3940
      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe
        "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe" -stat 103
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:3756
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1048
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          3⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3524
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb34b946f8,0x7ffb34b94708,0x7ffb34b94718
            4⤵
              PID:808
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
              4⤵
                PID:3808
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3588
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
                4⤵
                  PID:4040
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
                  4⤵
                    PID:3620
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
                    4⤵
                      PID:3092
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5228 /prefetch:8
                      4⤵
                        PID:3760
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1
                        4⤵
                          PID:452
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
                          4⤵
                            PID:2304
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 /prefetch:8
                            4⤵
                              PID:3624
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                              4⤵
                                PID:536
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,3159452198369262273,5010143174866947578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 /prefetch:8
                                4⤵
                                  PID:3604
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                3⤵
                                  PID:1052
                                • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe
                                  "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe" -stat 103
                                  3⤵
                                  • Adds policy Run key to start application
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Modifies Control Panel
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1860
                                • C:\Windows\system32\cmd.exe
                                  /d /c taskkill /t /f /im "mcbuilder.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe" > NUL
                                  3⤵
                                    PID:1408
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /t /f /im "mcbuilder.exe"
                                      4⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:828
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 1 127.0.0.1
                                      4⤵
                                      • Runs ping.exe
                                      PID:2220
                                • C:\Windows\SysWOW64\cmd.exe
                                  /d /c taskkill /t /f /im "8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe" > NUL
                                  2⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2144
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /t /f /im "8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe"
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2508
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping -n 1 127.0.0.1
                                    3⤵
                                    • Runs ping.exe
                                    PID:2480
                              • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe
                                C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe
                                1⤵
                                • Adds policy Run key to start application
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Modifies Control Panel
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1260
                              • C:\Windows\system32\MusNotifyIcon.exe
                                %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                                1⤵
                                • Checks processor information in registry
                                PID:988
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k NetworkService -p
                                1⤵
                                • Drops file in Windows directory
                                • Modifies data under HKEY_USERS
                                PID:3200
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:204
                                • C:\Windows\system32\AUDIODG.EXE
                                  C:\Windows\system32\AUDIODG.EXE 0x41c 0x4ec
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:624

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GS28O9WE\json[1].json

                                  MD5

                                  0aa762bb10362f552b6144794a0d1888

                                  SHA1

                                  750eba61c566f9d0c9b2dd997c77f35a95c515b2

                                  SHA256

                                  5eafadbd4100539125257b4a3f3c4a8fe4fd33605fc8a9b52050d715475b4de4

                                  SHA512

                                  01a293bdfc4beebac42a0fcfb0fb1dfd52613b35b7de50e942c4638e008f8527fe37a29572a7612ead8b65ad41e848e12ec3258ca5c821030cba2b394805da16

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMAZW8LB\json[1].json

                                  MD5

                                  0aa762bb10362f552b6144794a0d1888

                                  SHA1

                                  750eba61c566f9d0c9b2dd997c77f35a95c515b2

                                  SHA256

                                  5eafadbd4100539125257b4a3f3c4a8fe4fd33605fc8a9b52050d715475b4de4

                                  SHA512

                                  01a293bdfc4beebac42a0fcfb0fb1dfd52613b35b7de50e942c4638e008f8527fe37a29572a7612ead8b65ad41e848e12ec3258ca5c821030cba2b394805da16

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mcbuilder.lnk

                                  MD5

                                  d43cbeee7e4a0eefc127c59fc9efb645

                                  SHA1

                                  336a36c5d362d3d8412da146cee53203d01c25c6

                                  SHA256

                                  9affa8832557b0d3d6439f8432cf037078baf5a5d5df3813e45d18c822e904a9

                                  SHA512

                                  4b09cc362017f9d89629194e7a02f2e0d0a513a949c8072eebd4fd6330f2e77812fe7be874080e00eec327455efd32028da992b5899b0bbd77841a52fd79a69b

                                • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe

                                  MD5

                                  65977152d62265c0f46751874bd45767

                                  SHA1

                                  3b6aaf8ab4eb82062780202248aad45b916376ab

                                  SHA256

                                  8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

                                  SHA512

                                  c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

                                • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe

                                  MD5

                                  65977152d62265c0f46751874bd45767

                                  SHA1

                                  3b6aaf8ab4eb82062780202248aad45b916376ab

                                  SHA256

                                  8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

                                  SHA512

                                  c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

                                • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe

                                  MD5

                                  65977152d62265c0f46751874bd45767

                                  SHA1

                                  3b6aaf8ab4eb82062780202248aad45b916376ab

                                  SHA256

                                  8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

                                  SHA512

                                  c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

                                • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe

                                  MD5

                                  65977152d62265c0f46751874bd45767

                                  SHA1

                                  3b6aaf8ab4eb82062780202248aad45b916376ab

                                  SHA256

                                  8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

                                  SHA512

                                  c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

                                • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe

                                  MD5

                                  65977152d62265c0f46751874bd45767

                                  SHA1

                                  3b6aaf8ab4eb82062780202248aad45b916376ab

                                  SHA256

                                  8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

                                  SHA512

                                  c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

                                • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\mcbuilder.exe

                                  MD5

                                  65977152d62265c0f46751874bd45767

                                  SHA1

                                  3b6aaf8ab4eb82062780202248aad45b916376ab

                                  SHA256

                                  8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

                                  SHA512

                                  c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

                                • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

                                  MD5

                                  20935e94c458119a4e2e2970d03f7f93

                                  SHA1

                                  d78dd763056c34777d826c0746d0b79a2cabb317

                                  SHA256

                                  82c0fa282f5e14d2facfefcfca07b3d4cad960b9ce16bd1f8fbae0663ebecd95

                                  SHA512

                                  52b122b16452f2beab7d44b207bc7f5f55cc70823f444d2bd79b919644467f584255b755d94d861059902a737046eccf7291391d546c1d6a601d9e7076235d26

                                • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

                                  MD5

                                  0f7a25fafa2210f3b4316a2eb8754c5c

                                  SHA1

                                  e6a00f76a03157aff9c6a44b6df10b05f9accda5

                                  SHA256

                                  6b950fbea7a76c5c219bee60b6a036454012cfccc22e44ded43310c239234cdb

                                  SHA512

                                  135a25970e6cc570b2fa6d7e8c13945b8ba5eb4c107fe20871f5d8f90db528270360aa1835f9ffd840c82f563d09836baac1488312bb0f28c2c71d5c830549ec

                                • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

                                  MD5

                                  e9ffd9f618cbf36ad6c910c161bb8080

                                  SHA1

                                  a702b4220bbded577b4b699611bb73593b12ae71

                                  SHA256

                                  020ca4b4574a40418b8aa4c2d74b0488e9d150e8d3f5e56e5c6dcca6f7dfaaac

                                  SHA512

                                  ee87264e384579df7b74d7ac08e9a490495efa34f1a99e2d4949cb76b839c165fbb281aacae25f4ab7e911401c7bfa3fba4b0e59dd492566985fb8dbd1cf1bef

                                • \??\pipe\LOCAL\crashpad_3524_WQWHLDLBTRYOYNKK

                                  MD5

                                  d41d8cd98f00b204e9800998ecf8427e

                                  SHA1

                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                  SHA256

                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                  SHA512

                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                • memory/4040-149-0x00007FFB53E10000-0x00007FFB53E11000-memory.dmp

                                  Filesize

                                  4KB