Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
-
submitted
10-09-2024 09:00
Static task
static1
Behavioral task
behavioral1
Sample
d7f039531ce2db4f604ca2a40f8ca828_JaffaCakes118.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
d7f039531ce2db4f604ca2a40f8ca828_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
d7f039531ce2db4f604ca2a40f8ca828_JaffaCakes118.dll
-
Size
145KB
-
MD5
d7f039531ce2db4f604ca2a40f8ca828
-
SHA1
6c1c739d5d6fd0c04eac220b46646d3a5d5736c8
-
SHA256
45fe958019227f7a5e96d36b522178cd3ab24a99decfe517e5a2e91806c83016
-
SHA512
d095e6185ca9aa60df80066c8476604f1815ee9a4be3dd6c4fb8c4809f33974bb277da97d74fed11dbf7c9843ab6f48bb1312e2afefa148ecbb06d55bf551af0
-
SSDEEP
3072:t9T7LiXhC06rUwo3ueS8uYGEx8r8npU5f4rAFy/Vruanzg:/O0XrUwo65YGEeepUItru
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_WHAT_is.bmp" | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
4532 | vssadmin.exe
-
Modifies Control Panel 2 IoCs
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WallpaperStyle = "0" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\TileWallpaper = "0" | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe
pid | process
4520 | msedge.exe
4520 | msedge.exe
4560 | msedge.exe
4560 | msedge.exe
3268 | identity_helper.exe
3268 | identity_helper.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes: msedge.exe
pid | process
4560 | msedge.exe
4560 | msedge.exe
4560 | msedge.exe
4560 | msedge.exe
4560 | msedge.exe
4560 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 1748 | vssvc.exe
Token: SeRestorePrivilege | 1748 | vssvc.exe
Token: SeAuditPrivilege | 1748 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7f039531ce2db4f604ca2a40f8ca828_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4120
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7f039531ce2db4f604ca2a40f8ca828_JaffaCakes118.dll,#1
2⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:4028
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_WHAT_is.html
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4560
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a29046f8,0x7ff9a2904708,0x7ff9a2904718
4⤵
PID:2368
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
4⤵
PID:3096
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4520
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
4⤵
PID:2940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
4⤵
PID:1624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
4⤵
PID:3876
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
4⤵
PID:3116
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
4⤵
PID:4804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
4⤵
PID:2536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
4⤵
PID:4120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2495522309340188513,12227373281623269019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
4⤵
PID:4028
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
1⤵
- Interacts with shadow copies
PID:4532
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1364
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A64CD22E-7976-4E35-AF61-1C7DBC1F5743\en-us.16\_4_WHAT_is.html
Filesize
8KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB
-
\??\pipe\LOCAL\crashpad_4560_NWDOVCHHVIFAISIX
-
memory/4028-5-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
Filesize
4KB
-
memory/4028-4-0x0000000074D90000-0x0000000074DB8000-memory.dmp
Filesize
160KB
-
memory/4028-8-0x0000000074D90000-0x0000000074DB8000-memory.dmp
Filesize
160KB
-
memory/4028-2-0x0000000074D90000-0x0000000074DB8000-memory.dmp
Filesize
160KB
-
memory/4028-1-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
Filesize
4KB
-
memory/4028-0-0x0000000074D90000-0x0000000074DB8000-memory.dmp
Filesize
160KB