Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 19:47

General

  • Target

    3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe

  • Size

    170KB

  • MD5

    3bc88ab2dae5dd7dc924b64e45a5e831

  • SHA1

    abae00114caf6af0927deae70295a62adb8737e7

  • SHA256

    22b08a645804b31fa9c5c3b99c45bf1abe15a10ad9fe49256e6397b4cea90186

  • SHA512

    96e7df730b4316a28d1682b28d81b32c99c877b1dad363f060cd73b512c6e407b3a8e92988b0ce9bdc681d3f08612d0dcd229af93c115082f49fbf6c50b1ff97

  • SSDEEP

    3072:t8Dsp+FNX1dFOvDlXJulh1l5Hw1PaxwJSY3pS7q/y/Ds1xZ0TAxiFK2HkoHd:t8dNXSElh1lxq7ZpQqa/ExZ0WiEQkw

Malware Config

Extracted

Path

C:\Users\Admin\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7" target="_blank">http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7</a></li> <li><a href="http://cerberhhyed5frqa.onion.cab/DF75-50A8-BD93-0291-1DB7" target="_blank">http://cerberhhyed5frqa.onion.cab/DF75-50A8-BD93-0291-1DB7</a></li> <li><a href="http://cerberhhyed5frqa.onion.nu/DF75-50A8-BD93-0291-1DB7" target="_blank">http://cerberhhyed5frqa.onion.nu/DF75-50A8-BD93-0291-1DB7</a></li> <li><a href="http://cerberhhyed5frqa.onion.link/DF75-50A8-BD93-0291-1DB7" target="_blank">http://cerberhhyed5frqa.onion.link/DF75-50A8-BD93-0291-1DB7</a></li> <li><a href="http://cerberhhyed5frqa.tor2web.org/DF75-50A8-BD93-0291-1DB7" target="_blank">http://cerberhhyed5frqa.tor2web.org/DF75-50A8-BD93-0291-1DB7</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7" target="_blank">http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7" target="_blank">http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7" target="_blank">http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/DF75-50A8-BD93-0291-1DB7</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Extracted

Path

C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7 | | 2. http://cerberhhyed5frqa.onion.cab/DF75-50A8-BD93-0291-1DB7 | | 3. http://cerberhhyed5frqa.onion.nu/DF75-50A8-BD93-0291-1DB7 | | 4. http://cerberhhyed5frqa.onion.link/DF75-50A8-BD93-0291-1DB7 | | 5. http://cerberhhyed5frqa.tor2web.org/DF75-50A8-BD93-0291-1DB7 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/DF75-50A8-BD93-0291-1DB7 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7

http://cerberhhyed5frqa.onion.cab/DF75-50A8-BD93-0291-1DB7

http://cerberhhyed5frqa.onion.nu/DF75-50A8-BD93-0291-1DB7

http://cerberhhyed5frqa.onion.link/DF75-50A8-BD93-0291-1DB7

http://cerberhhyed5frqa.tor2web.org/DF75-50A8-BD93-0291-1DB7

http://cerberhhyed5frqa.onion/DF75-50A8-BD93-0291-1DB7

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16397) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe
        "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe
          "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe"
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:4696
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3364
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3012
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad4f646f8,0x7ffad4f64708,0x7ffad4f64718
              6⤵
                PID:1736
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
                6⤵
                  PID:4992
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2952
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
                  6⤵
                    PID:3596
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
                    6⤵
                      PID:4648
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
                      6⤵
                        PID:3652
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
                        6⤵
                          PID:3972
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
                          6⤵
                            PID:2644
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                            6⤵
                              PID:4620
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
                              6⤵
                                PID:3452
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
                                6⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3808
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
                                6⤵
                                  PID:3960
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                                  6⤵
                                    PID:1080
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
                                    6⤵
                                      PID:5056
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14283747350895100090,9563778718805520441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
                                      6⤵
                                        PID:4268
                                    • C:\Windows\system32\NOTEPAD.EXE
                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                      5⤵
                                        PID:1652
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.onion.to/DF75-50A8-BD93-0291-1DB7
                                        5⤵
                                          PID:1848
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad4f646f8,0x7ffad4f64708,0x7ffad4f64718
                                            6⤵
                                              PID:5048
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                            5⤵
                                              PID:4932
                                            • C:\Windows\system32\cmd.exe
                                              /d /c taskkill /t /f /im "resmon.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe" > NUL
                                              5⤵
                                                PID:4352
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /t /f /im "resmon.exe"
                                                  6⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1432
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 1 127.0.0.1
                                                  6⤵
                                                  • Runs ping.exe
                                                  PID:4752
                                          • C:\Windows\SysWOW64\cmd.exe
                                            /d /c taskkill /t /f /im "3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe" > NUL
                                            3⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:4416
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /t /f /im "3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:920
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping -n 1 127.0.0.1
                                              4⤵
                                              • Runs ping.exe
                                              PID:4608
                                      • C:\Windows\system32\vssvc.exe
                                        C:\Windows\system32\vssvc.exe
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3720
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:3408
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:3740
                                          • C:\Windows\system32\AUDIODG.EXE
                                            C:\Windows\system32\AUDIODG.EXE 0x4c4 0x498
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2700

                                          Network

                                          MITRE ATT&CK Matrix ATT&CK v13

                                          Execution

                                          Windows Management Instrumentation

                                          1
                                          T1047

                                          Persistence

                                          Boot or Logon Autostart Execution

                                          2
                                          T1547

                                          Registry Run Keys / Startup Folder

                                          2
                                          T1547.001

                                          Privilege Escalation

                                          Boot or Logon Autostart Execution

                                          2
                                          T1547

                                          Registry Run Keys / Startup Folder

                                          2
                                          T1547.001

                                          Defense Evasion

                                          Indicator Removal

                                          2
                                          T1070

                                          File Deletion

                                          2
                                          T1070.004

                                          Modify Registry

                                          3
                                          T1112

                                          Credential Access

                                          Unsecured Credentials

                                          1
                                          T1552

                                          Credentials In Files

                                          1
                                          T1552.001

                                          Discovery

                                          Network Service Discovery

                                          2
                                          T1046

                                          Query Registry

                                          2
                                          T1012

                                          System Information Discovery

                                          3
                                          T1082

                                          Remote System Discovery

                                          1
                                          T1018

                                          Collection

                                          Data from Local System

                                          1
                                          T1005

                                          Impact

                                          Inhibit System Recovery

                                          2
                                          T1490

                                          Defacement

                                          1
                                          T1491

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\# DECRYPT MY FILES #.html
                                            Filesize

                                            12KB

                                            MD5

                                            119538fe8983d8853943e9e763fe8b69

                                            SHA1

                                            8d62c4a6c6aad6bfb267d6fef083e4c691bc6ba8

                                            SHA256

                                            13eb49d8491294ff6606a2ab0a24a44df084bd1c741a7f78dde2b782e860aff2

                                            SHA512

                                            0db414516a6133d3e612a988757d65475ee53919566badf1050d76be176e6ba0cc27c94df3a83afdeae8becef938c20d3e738aee7b68e1e5205af00de76e6a6a

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            152B

                                            MD5

                                            439b5e04ca18c7fb02cf406e6eb24167

                                            SHA1

                                            e0c5bb6216903934726e3570b7d63295b9d28987

                                            SHA256

                                            247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                            SHA512

                                            d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            152B

                                            MD5

                                            a8e767fd33edd97d306efb6905f93252

                                            SHA1

                                            a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                            SHA256

                                            c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                            SHA512

                                            07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            6KB

                                            MD5

                                            732194467fe5b5aefaecc404598a9b49

                                            SHA1

                                            627db5ace90c1564c32a1125972ae06059cad031

                                            SHA256

                                            2c62e1e2000918d012a1a373af05b11818d4fd125a4fc5cc78d0749c9493f366

                                            SHA512

                                            cc44b34b0fd9e46047fe3dbb74939b3b52671bfdd80a90d01beaf2ae5369c5b7f036f2687ea8a3234e51648d0581c4598824519665334b6a7f81e20216c981a1

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            6KB

                                            MD5

                                            d8f32802126ed7a55f408258c18b0ef6

                                            SHA1

                                            5c607237743fa5c8d3982c42e3547928ba150295

                                            SHA256

                                            e870d1dff562bf0a369368f77e6a1884eb9f2611b0bd869e1ac92cec1b01f156

                                            SHA512

                                            5edc8edd53d681d81809f1a3f76636187c3da8037a1eaf206685d5286c9959c14e18ca25e3822bd960a9f561f6acb279873a54baafe041f64d701fe5da3a7c9c

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                            Filesize

                                            16B

                                            MD5

                                            46295cac801e5d4857d09837238a6394

                                            SHA1

                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                            SHA256

                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                            SHA512

                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                            Filesize

                                            16B

                                            MD5

                                            206702161f94c5cd39fadd03f4014d98

                                            SHA1

                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                            SHA256

                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                            SHA512

                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            11KB

                                            MD5

                                            b9771827900c4823b487a3b5e4390c16

                                            SHA1

                                            b830e0e6a7984fa6b9dbed307e01af9cbbf726f7

                                            SHA256

                                            2115326c4f744bc2db12e5708327d21e2e9e3ac76fff8ccb95120c15907618cb

                                            SHA512

                                            decb6949437e12dfb8fd1fd98a23bc55a3c26302571dd09dc185c98b8c19038d29fe4317b2373e1a752b4cfba51662c0af562e70831205bd7e808d4e666a3cbb

                                          • C:\Users\Admin\AppData\Local\Temp\nsm6497.tmp\System.dll
                                            Filesize

                                            11KB

                                            MD5

                                            883eff06ac96966270731e4e22817e11

                                            SHA1

                                            523c87c98236cbc04430e87ec19b977595092ac8

                                            SHA256

                                            44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

                                            SHA512

                                            60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

                                          • C:\Users\Admin\AppData\Roaming\CDRom.dll
                                            Filesize

                                            26KB

                                            MD5

                                            f65d5bc68f1fb11619ba6b464913dce2

                                            SHA1

                                            b67b2d285b64209eaa6a7011f244992f39509d22

                                            SHA256

                                            7b342d996d54d971e4910d0a53e7b120a926c01a3fd173d98bf00e8d52e32af4

                                            SHA512

                                            331eeabf497202aff3dcf1c8c9545b9ee60a6f02c3cb13cd827410a9b0fa63f2c29896db2ab50c06abef8a31169490dc487021ecd4c3ba51acc011af61f2e769

                                          • C:\Users\Admin\AppData\Roaming\Lustreware.29L
                                            Filesize

                                            1KB

                                            MD5

                                            7d198b33fbcc5c4ca09364a1d403ba26

                                            SHA1

                                            c98ee26d73ae6348354592aee7171ae0b9a8126b

                                            SHA256

                                            0e1c39c1b96dfd186e1656afdd6faa70473c4e4165ed4a822feffa9aba3107ff

                                            SHA512

                                            0c0063f01c9e6cedaafc11a8b97fabe9c88862570ffd0af9345bebf0f754bd549a486fc622089efb74b8835b7f5fc2759624f80ea2d49b731749c7ac7e0d1112

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk
                                            Filesize

                                            1KB

                                            MD5

                                            677d4c9d8ba74c0d2c98e81fe43df509

                                            SHA1

                                            57a64f4926611ae65d348a2d4515d98f911ba4d0

                                            SHA256

                                            387279029c271f5593519795e5caf3592298e1d71f599e62d3b316f02e833e53

                                            SHA512

                                            7e60f0d1a05cb792d58105927c88d1009a950560abc07587dc8ae537c9c7fe63c091f6e462ae54169be24a7d11b0bd632199c1c5e8e78e32c26499e63e27a575

                                          • C:\Users\Admin\AppData\Roaming\PuckBoutique.A
                                            Filesize

                                            113KB

                                            MD5

                                            ae9c23083326e229ecabc69c9dde7efb

                                            SHA1

                                            d3133eadcadc94c7bb769c6b12c24b2e5c505ba9

                                            SHA256

                                            4527c133c9538f24b59ee1a6923fe658f43e136d5d8132867bb7f2e4687058c6

                                            SHA512

                                            cae785eaa1c7b544942a06d977da62d580daf94df468eeea3128f8e0eb7ebbde4eb30e590452bf922cb86468ad40853c0b839f84afa788631e55e8cbae9453ff

                                          • C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\resmon.exe
                                            Filesize

                                            170KB

                                            MD5

                                            3bc88ab2dae5dd7dc924b64e45a5e831

                                            SHA1

                                            abae00114caf6af0927deae70295a62adb8737e7

                                            SHA256

                                            22b08a645804b31fa9c5c3b99c45bf1abe15a10ad9fe49256e6397b4cea90186

                                            SHA512

                                            96e7df730b4316a28d1682b28d81b32c99c877b1dad363f060cd73b512c6e407b3a8e92988b0ce9bdc681d3f08612d0dcd229af93c115082f49fbf6c50b1ff97

                                          • C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
                                            Filesize

                                            10KB

                                            MD5

                                            23524fbf7c1fa1639fc0db71d88d5402

                                            SHA1

                                            854ea1c56c38a9e446bdda74e376f53d1ec5a7c1

                                            SHA256

                                            6f1078c41549e8ad4f828587e054df66ed35f1116e1ec0ce421e193db51b2ed2

                                            SHA512

                                            e1bb388715aed7d649be06e63e6f6b448ed2bbd3f7b92f73ce093a030b6781415af107116c91db2a5408c2a5ea3178122a78b0ad044ddf528a3499d8622c4ce7

                                          • C:\Users\Admin\Pictures\# DECRYPT MY FILES #.url
                                            Filesize

                                            83B

                                            MD5

                                            8ec15d70efc54263a62e73588051541d

                                            SHA1

                                            13f039ec56cd94cd6a0fa7f7ca5a0e7ada9530ab

                                            SHA256

                                            3f9931a00703152cefddcf3d04076b7ebed6fd6075ec37862e29f97a2d1cf824

                                            SHA512

                                            ec8affe36f89d4280e19019664560a4d724fe29897d9032d9b74710f4c258dc5e0db0d65d916dd0182fa9369f6106622220d652bf182adeda4715f058f785f95

                                          • C:\Users\Admin\Pictures\# DECRYPT MY FILES #.vbs
                                            Filesize

                                            219B

                                            MD5

                                            35a3e3b45dcfc1e6c4fd4a160873a0d1

                                            SHA1

                                            a0bcc855f2b75d82cbaae3a8710f816956e94b37

                                            SHA256

                                            8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

                                            SHA512

                                            6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

                                          • \??\pipe\LOCAL\crashpad_3012_ASMNCSOVCLBJEMWW
                                            MD5

                                            d41d8cd98f00b204e9800998ecf8427e

                                            SHA1

                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                            SHA256

                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                            SHA512

                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                          • memory/2056-31-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2056-18-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2056-17-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2056-15-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2056-11-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-373-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-384-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-370-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-367-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-362-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-358-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-355-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-352-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-344-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-378-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-63-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-350-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-62-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-376-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-379-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-60-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-55-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-54-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-52-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-50-0x0000000003D20000-0x0000000003D21000-memory.dmp
                                            Filesize

                                            4KB

                                          • memory/2288-48-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-455-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-47-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/2288-473-0x0000000000400000-0x0000000000420000-memory.dmp
                                            Filesize

                                            128KB

                                          • memory/4964-12-0x000000006C980000-0x000000006C98F000-memory.dmp
                                            Filesize

                                            60KB