Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-05-2024 19:47
submitted
12-05-2024 19:47
Static task
static1
Behavioral task
behavioral1
Sample
3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
CDRom.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
CDRom.dll
Resource
win10v2004-20240226-en
General
- Target: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
- Size: 170KB
- MD5: 3bc88ab2dae5dd7dc924b64e45a5e831
- SHA1: abae00114caf6af0927deae70295a62adb8737e7
- SHA256: 22b08a645804b31fa9c5c3b99c45bf1abe15a10ad9fe49256e6397b4cea90186
- SHA512: 96e7df730b4316a28d1682b28d81b32c99c877b1dad363f060cd73b512c6e407b3a8e92988b0ce9bdc681d3f08612d0dcd229af93c115082f49fbf6c50b1ff97
- SSDEEP: 3072:t8Dsp+FNX1dFOvDlXJulh1l5Hw1PaxwJSY3pS7q/y/Ds1xZ0TAxiFK2HkoHd:t8dNXSElh1lxq7ZpQqa/ExZ0WiEQkw
Malware Config
- Extracted from: C:\Users\Admin\# DECRYPT MY FILES #.html
- Extracted from: C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
- Family: cerber
- URLs:
  http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7
  http://cerberhhyed5frqa.onion.cab/DF75-50A8-BD93-0291-1DB7
  http://cerberhhyed5frqa.onion.nu/DF75-50A8-BD93-0291-1DB7
  http://cerberhhyed5frqa.onion.link/DF75-50A8-BD93-0291-1DB7
  http://cerberhhyed5frqa.tor2web.org/DF75-50A8-BD93-0291-1DB7
  http://cerberhhyed5frqa.onion/DF75-50A8-BD93-0291-1DB7
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large (16397) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\resmon.exe\"" (process: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\resmon.exe\"" (process: resmon.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: resmon.exe)
- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk (process: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk (process: resmon.exe)
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 4864 resmon.exe
  - PID 2288 resmon.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  - PID 4964 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe (2 entries)
  - PID 4864 resmon.exe (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\resmon.exe\"" (process: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\resmon.exe\"" (process: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\resmon.exe\"" (process: resmon.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\resmon.exe\"" (process: resmon.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 25: ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4DD8.bmp" (process: resmon.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 4964 (3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe) set thread context of PID 2056 (3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe)
  - PID 4864 (resmon.exe) set thread context of PID 2288 (resmon.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  Processes:
  - C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe matches yara rule nsis_installer_1
  - C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe matches yara rule nsis_installer_2
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 4696 vssadmin.exe
- Kills process with taskkill (2 IoCs)
  Processes:
  - PID 920 taskkill.exe
  - PID 1432 taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop (process: resmon.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\resmon.exe\"" (process: resmon.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop (process: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\resmon.exe\"" (process: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe)
- Modifies registry class (1 IoC)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (process: resmon.exe)
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
- Suspicious use of FindShellTrayWindow (25 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
    Signatures: Adds policy Run key to start application; Drops startup file; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe
        Command line: "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe"
        Signatures: Adds policy Run key to start application; Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\vssadmin.exe
          Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          Signatures: Interacts with shadow copies
        - C:\Windows\system32\wbem\wmic.exe
          Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad4f646f8,0x7ffad4f64708,0x7ffad4f64718
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
            Signatures: Suspicious behavior: EnumeratesProcesses
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
            Signatures: Suspicious behavior: EnumeratesProcesses
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
        - C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad4f646f8,0x7ffad4f64708,0x7ffad4f64718
        - C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        - C:\Windows\system32\cmd.exe
          Command line: /d /c taskkill /t /f /im "resmon.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe" > NUL
          - C:\Windows\system32\taskkill.exe
            Command line: taskkill /t /f /im "resmon.exe"
            Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\PING.EXE
            Command line: ping -n 1 127.0.0.1
            Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /t /f /im "3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe" > NUL
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /t /f /im "3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 127.0.0.1
        Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4c4 0x498
  Signatures: Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\PuckBoutique.AFilesize
113KB
MD5ae9c23083326e229ecabc69c9dde7efb
SHA1d3133eadcadc94c7bb769c6b12c24b2e5c505ba9
SHA2564527c133c9538f24b59ee1a6923fe658f43e136d5d8132867bb7f2e4687058c6
SHA512cae785eaa1c7b544942a06d977da62d580daf94df468eeea3128f8e0eb7ebbde4eb30e590452bf922cb86468ad40853c0b839f84afa788631e55e8cbae9453ff
-
C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exeFilesize
170KB
MD53bc88ab2dae5dd7dc924b64e45a5e831
SHA1abae00114caf6af0927deae70295a62adb8737e7
SHA25622b08a645804b31fa9c5c3b99c45bf1abe15a10ad9fe49256e6397b4cea90186
SHA51296e7df730b4316a28d1682b28d81b32c99c877b1dad363f060cd73b512c6e407b3a8e92988b0ce9bdc681d3f08612d0dcd229af93c115082f49fbf6c50b1ff97
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txtFilesize
10KB
MD523524fbf7c1fa1639fc0db71d88d5402
SHA1854ea1c56c38a9e446bdda74e376f53d1ec5a7c1
SHA2566f1078c41549e8ad4f828587e054df66ed35f1116e1ec0ce421e193db51b2ed2
SHA512e1bb388715aed7d649be06e63e6f6b448ed2bbd3f7b92f73ce093a030b6781415af107116c91db2a5408c2a5ea3178122a78b0ad044ddf528a3499d8622c4ce7
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.urlFilesize
83B
MD58ec15d70efc54263a62e73588051541d
SHA113f039ec56cd94cd6a0fa7f7ca5a0e7ada9530ab
SHA2563f9931a00703152cefddcf3d04076b7ebed6fd6075ec37862e29f97a2d1cf824
SHA512ec8affe36f89d4280e19019664560a4d724fe29897d9032d9b74710f4c258dc5e0db0d65d916dd0182fa9369f6106622220d652bf182adeda4715f058f785f95
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.vbsFilesize
219B
MD535a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA2568ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA5126d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
\??\pipe\LOCAL\crashpad_3012_ASMNCSOVCLBJEMWWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2056-31-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2056-18-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2056-17-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2056-15-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2056-11-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-373-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-384-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-370-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-367-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-362-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-358-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-355-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-352-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-344-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-378-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-63-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-350-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-62-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-376-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-379-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-60-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-55-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-54-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-52-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-50-0x0000000003D20000-0x0000000003D21000-memory.dmpFilesize
4KB
-
memory/2288-48-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-455-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-47-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2288-473-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4964-12-0x000000006C980000-0x000000006C98F000-memory.dmpFilesize
60KB