Overview (score 8)
Static (score 7)

Behavioral tasks (sample, platform: score)
201b3ddbae...18.exe, windows7-x64: 3
201b3ddbae...18.exe, windows10-2004-x64: 3
$PLUGINSDI...ns.dll, windows7-x64: 3
$PLUGINSDI...ns.dll, windows10-2004-x64: 3
$PLUGINSDI...LL.dll, windows7-x64: 3
$PLUGINSDI...LL.dll, windows10-2004-x64: 3
$PLUGINSDI...dl.dll, windows7-x64: 3
$PLUGINSDI...dl.dll, windows10-2004-x64: 3
$PLUGINSDI...em.dll, windows7-x64: 3
$PLUGINSDI...em.dll, windows10-2004-x64: 3
CCleaner.exe, windows7-x64: 7
CCleaner.exe, windows10-2004-x64: 1
Microsoft.mshtml.dll, windows7-x64: 1
Microsoft.mshtml.dll, windows10-2004-x64: 1
cafw.exe, windows7-x64: 7
cafw.exe, windows10-2004-x64: 3
cladgenius.chm, windows7-x64: 1
cladgenius.chm, windows10-2004-x64: 1
decaptcher.dll, windows7-x64: 3
decaptcher.dll, windows10-2004-x64: 3
fbclient.dll, windows7-x64: 1
fbclient.dll, windows10-2004-x64: 1
holfix.exe, windows7-x64: 8
holfix.exe, windows10-2004-x64: 8
ibprovider.dll, windows7-x64: 1
ibprovider.dll, windows10-2004-x64: 1
icudt30.dll, windows7-x64: 1
icudt30.dll, windows10-2004-x64: 1
icuin30.dll, windows7-x64: 3
icuin30.dll, windows10-2004-x64: 3
icuuc30.dll, windows7-x64: 3
icuuc30.dll, windows10-2004-x64: 3

Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 16:58
Behavioral tasks (task: sample, resource)
behavioral1: 201b3ddbaeaa3cc5f7480d8fe72fc567_JaffaCakes118.exe, win7-20240220-en
behavioral2: 201b3ddbaeaa3cc5f7480d8fe72fc567_JaffaCakes118.exe, win10v2004-20240611-en
behavioral3: $PLUGINSDIR/InstallOptions.dll, win7-20240611-en
behavioral4: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240611-en
behavioral5: $PLUGINSDIR/LangDLL.dll, win7-20240611-en
behavioral6: $PLUGINSDIR/LangDLL.dll, win10v2004-20240508-en
behavioral7: $PLUGINSDIR/NSISdl.dll, win7-20240611-en
behavioral8: $PLUGINSDIR/NSISdl.dll, win10v2004-20240508-en
behavioral9: $PLUGINSDIR/System.dll, win7-20240221-en
behavioral10: $PLUGINSDIR/System.dll, win10v2004-20240611-en
behavioral11: CCleaner.exe, win7-20240611-en
behavioral12: CCleaner.exe, win10v2004-20240508-en
behavioral13: Microsoft.mshtml.dll, win7-20240221-en
behavioral14: Microsoft.mshtml.dll, win10v2004-20240508-en
behavioral15: cafw.exe, win7-20240611-en
behavioral16: cafw.exe, win10v2004-20240611-en
behavioral17: cladgenius.chm, win7-20240508-en
behavioral18: cladgenius.chm, win10v2004-20240508-en
behavioral19: decaptcher.dll, win7-20240611-en
behavioral20: decaptcher.dll, win10v2004-20240611-en
behavioral21: fbclient.dll, win7-20240508-en
behavioral22: fbclient.dll, win10v2004-20240508-en
behavioral23: holfix.exe, win7-20240220-en
behavioral24: holfix.exe, win10v2004-20240611-en
behavioral25: ibprovider.dll, win7-20240419-en
behavioral26: ibprovider.dll, win10v2004-20240508-en
behavioral27: icudt30.dll, win7-20240611-en
behavioral28: icudt30.dll, win10v2004-20240611-en
behavioral29: icuin30.dll, win7-20240508-en
behavioral30: icuin30.dll, win10v2004-20240611-en
behavioral31: icuuc30.dll, win7-20240508-en
behavioral32: icuuc30.dll, win10v2004-20240611-en
General
Target: holfix.exe
Size: 256KB
MD5: 53f0c95938fdb4b3f0f4814bc8b1b9cc
SHA1: 08c2a4a3df5381f8f49a5ee2372728400bd24671
SHA256: 6b3ed396381a68ca58a1f4c73f00b40e2c2f555d031690865a64f26d2c5ed7fb
SHA512: 2eac3782b5c1e1f45c9492b17910b60f28d2ab69aa7ec1b3e39e3ccf628fe30226c2824309a87d1b84c288b6028b903d3085d01df762ba421c7a5d5a7ddd6f9a
SSDEEP: 6144:wMWnwQaTtvIa5rD1U8x7Am6OoyFoLp1kvWlp2FN6A5B5dn01:pJQatIerRUAA0o8CTlkFN6Az5dn0
Signatures

Drops file in Drivers directory (4 IoCs)
Process: holfix.exe
- File created: C:\Windows\system32\drivers\tcpip.copy
- File created: C:\Windows\system32\drivers\tcpipreset
- File opened for modification: C:\Windows\system32\drivers\tcpip.copy
- File opened for modification: C:\Windows\system32\drivers\tcpipreset
Possible privilege escalation attempt (27 IoCs)
Processes (pid):
- takeown.exe: 8, 1424, 3560, 1076, 4652, 2432, 5036, 3896, 4764
- icacls.exe: 1516, 4380, 848, 3148, 456, 1280, 3932, 2124, 648, 4060, 3068, 4572, 3236, 2272, 4192, 5088, 3064, 3184

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: holfix.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation

Modifies file permissions (1 TTPs, 27 IoCs)
Processes (pid):
- takeown.exe: 8, 3896, 1076, 5036, 1424, 3560, 2432, 4652, 4764
- icacls.exe: 3068, 648, 3932, 5088, 3064, 4572, 3148, 4192, 1280, 3184, 2124, 4060, 1516, 848, 456, 3236, 2272, 4380

YARA rule matches (rule: upx)
- behavioral24/memory/3116-0-0x0000000000400000-0x00000000004C8000-memory.dmp
- behavioral24/memory/3116-124-0x0000000000400000-0x00000000004C8000-memory.dmp
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (ATT&CK T1222.001, 1 TTPs)
Drops file in System32 directory (28 IoCs)
Process: holfix.exe
- File created: C:\Windows\System32\de-de\user32copy.dll.mui
- File opened for modification: C:\Windows\System32\de-de\user32copy.dll.mui
- File created: C:\Windows\System32\de-de\user32new.dll.mui
- File opened for modification: C:\Windows\System32\de-de\user32new.dll.mui
- File created: C:\Windows\System32\en-us\user32copy.dll.mui
- File opened for modification: C:\Windows\System32\en-us\user32copy.dll.mui
- File created: C:\Windows\System32\en-us\user32new.dll.mui
- File opened for modification: C:\Windows\System32\en-us\user32new.dll.mui
- File created: C:\Windows\System32\es-es\user32copy.dll.mui
- File opened for modification: C:\Windows\System32\es-es\user32copy.dll.mui
- File created: C:\Windows\System32\es-es\user32new.dll.mui
- File opened for modification: C:\Windows\System32\es-es\user32new.dll.mui
- File created: C:\Windows\System32\fr-fr\user32copy.dll.mui
- File opened for modification: C:\Windows\System32\fr-fr\user32copy.dll.mui
- File created: C:\Windows\System32\fr-fr\user32new.dll.mui
- File opened for modification: C:\Windows\System32\fr-fr\user32new.dll.mui
- File created: C:\Windows\System32\it-it\user32copy.dll.mui
- File opened for modification: C:\Windows\System32\it-it\user32copy.dll.mui
- File created: C:\Windows\System32\it-it\user32new.dll.mui
- File opened for modification: C:\Windows\System32\it-it\user32new.dll.mui
- File created: C:\Windows\System32\ja-jp\user32copy.dll.mui
- File opened for modification: C:\Windows\System32\ja-jp\user32copy.dll.mui
- File created: C:\Windows\System32\ja-jp\user32new.dll.mui
- File opened for modification: C:\Windows\System32\ja-jp\user32new.dll.mui
- File created: C:\Windows\System32\uk-ua\user32copy.dll.mui
- File opened for modification: C:\Windows\System32\uk-ua\user32copy.dll.mui
- File created: C:\Windows\System32\uk-ua\user32new.dll.mui
- File opened for modification: C:\Windows\System32\uk-ua\user32new.dll.mui

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid): msedge.exe 1916 (x2), msedge.exe 4320 (x2), identity_helper.exe 4464 (x2), msedge.exe 2188 (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid): msedge.exe 4320 (x7)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Token: SeTakeOwnershipPrivilege, enabled by takeown.exe pids 5036, 3560, 1076, 4764, 2432, 8, 4652, 1424, 3896

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid): msedge.exe 4320 (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid): msedge.exe 4320 (x24)

Suspicious use of WriteProcessMemory (64 IoCs; the raw log records each write twice, it is listed once here)
Writer (pid, image) -> target processes (image, pid):
- 3116 holfix.exe -> cmd.exe 4736, 5108, 1056, 820, 4108, 1168, 824, 1208, 1356
- 4736 cmd.exe -> takeown.exe 5036; icacls.exe 4380, 5088
- 5108 cmd.exe -> takeown.exe 3560; icacls.exe 1516, 2272
- 1168 cmd.exe -> takeown.exe 1076; icacls.exe 456, 1280
- 820 cmd.exe -> takeown.exe 4764; icacls.exe 3184, 648
- 1208 cmd.exe -> takeown.exe 1424; icacls.exe 3932
- 1356 cmd.exe -> takeown.exe 2432; icacls.exe 4060, 4572
- 1056 cmd.exe -> takeown.exe 4652; icacls.exe 3236
- 4108 cmd.exe -> takeown.exe 8; icacls.exe 3064, 3068
- 824 cmd.exe -> takeown.exe 3896
Processes
(indented to show parent/child depth; each entry is the recorded command line followed by the signatures it triggered)

"C:\Users\Admin\AppData\Local\Temp\holfix.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\uk-ua\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /grant "":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\uk-ua\user32.dll.mui" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /grant "":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f"
  - Suspicious use of WriteProcessMemory

    "C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset
    - Possible privilege escalation attempt
    - Modifies file permissions

    "C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f
    - Possible privilege escalation attempt
    - Modifies file permissions

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://half-open.com/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabe0446f8,0x7ffabe044708,0x7ffabe044718

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5544 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe -Embedding
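The process tree above shows the same three-step pattern nine times: takeown.exe /F <path> /A (ownership to the Administrators group, which is why each takeown instance enables SeTakeOwnershipPrivilege), icacls.exe <path> /reset (replace the ACL with the inherited default) and icacls.exe <path> /grant <user>:f (full control), every time against a file under C:\Windows. That is the sequence the sandbox labels "Possible privilege escalation attempt" and "Modifies file permissions". The script below is an added example and not code from the sandbox or from holfix.exe: it rebuilds the tree from process-creation records shaped like the report's, finds the chain per target path, walks up past cmd.exe to the process that started it, and reports the grantee, which in this report is "Admin" for tcpip.sys and rescache but the empty string for the seven user32.dll.mui files. The command lines in RECORDS are copied from the report; the pid-to-target pairing, the parent pid of holfix.exe and the final benign record are assumptions made for the example.

```python
"""Added example (not code from the sandbox or from holfix.exe): rebuild the process
tree from process-creation records and flag the takeown.exe -> icacls.exe /reset ->
icacls.exe /grant chain against paths under C:\\Windows."""
import re

PROTECTED_ROOT = r"c:\windows"                        # chains under %SystemRoot% are the pattern
HELPERS = {"cmd.exe", "takeown.exe", "icacls.exe"}    # walked past when locating the origin

# Constructed records: (pid, ppid, command line). Command lines are the report's; the
# pid-to-target pairing, the parent of holfix.exe (2000) and the last record are assumed.
RECORDS = [
    (3116, 2000, r'"C:\Users\Admin\AppData\Local\Temp\holfix.exe"'),
    (4736, 3116, r'"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f"'),
    (5036, 4736, r'"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A'),
    (4380, 4736, r'"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset'),
    (5088, 4736, r'"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f'),
    (820, 3116, r'"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"'),
    (4764, 820, r'"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A'),
    (3184, 820, r'"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset'),
    (648, 820, r'"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f'),
    (4320, 3116, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://half-open.com/'),
    # Benign control (constructed): an ACL change on a user-owned file must not be flagged.
    (5200, 2000, r'"C:\Windows\system32\icacls.exe" "C:\Users\Admin\Documents\notes.txt" /grant "Admin":f'),
]


def image_name(cmdline):
    """Basename of the executable from the leading (quoted or bare) token, lower-cased."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    exe = m.group(1) or m.group(2)
    return exe.rsplit("\\", 1)[-1].lower()


def parse_step(cmdline):
    """Classify a takeown/icacls command line as (step, target path, grantee); else None."""
    image = image_name(cmdline)
    if image == "takeown.exe":
        m = re.search(r'/F\s+"([^"]+)"', cmdline, re.IGNORECASE)
        return ("takeown", m.group(1), None) if m else None
    if image == "icacls.exe":
        m = re.search(r'icacls\.exe"?\s+"([^"]+)"', cmdline, re.IGNORECASE)
        if not m:
            return None
        if re.search(r"\s/reset\b", cmdline, re.IGNORECASE):
            return ("icacls /reset", m.group(1), None)
        # /grant <user>:<perms>; the user may be quoted and, as in the report, empty.
        g = re.search(r'/grant(?::r)?\s+"?([^":\s]*)"?:([A-Za-z(),]+)', cmdline, re.IGNORECASE)
        if g:
            return ("icacls /grant", m.group(1), g.group(1))
    return None


def origin_of(pid, parents, images):
    """Walk up past cmd/takeown/icacls to the process that started the chain."""
    while pid in parents and images.get(pid) in HELPERS:
        pid = parents[pid]
    return pid


def find_acl_takeover_chains(records):
    """One finding per protected path that saw takeown followed by icacls /grant."""
    parents = {pid: ppid for pid, ppid, _ in records}
    images = {pid: image_name(cmd) for pid, _, cmd in records}
    chains = {}
    for pid, _, cmd in records:
        parsed = parse_step(cmd)
        if parsed is None:
            continue
        step, target, grantee = parsed
        if not target.lower().startswith(PROTECTED_ROOT):
            continue  # ACL edits on user-writable paths are routine, not this pattern
        chain = chains.setdefault(target.lower(), {"target": target, "steps": [], "grantee": None})
        chain["steps"].append(step)
        if step == "icacls /grant":
            chain["grantee"] = grantee
        chain["origin"] = images.get(origin_of(pid, parents, images), "<unknown>")
    findings = []
    for chain in chains.values():
        if "takeown" in chain["steps"] and "icacls /grant" in chain["steps"]:
            # An empty grantee gets its own flag: the report shows /grant "":f on the MUI files.
            chain["empty_grantee"] = chain["grantee"] == ""
            findings.append(chain)
    return sorted(findings, key=lambda c: c["target"].lower())


if __name__ == "__main__":
    for f in find_acl_takeover_chains(RECORDS):
        print(f"{f['origin']} took over {f['target']}: {' -> '.join(f['steps'])} "
              f"(grantee={f['grantee']!r}, empty_grantee={f['empty_grantee']})")
```

The chain is keyed on the target path rather than on the parent pid because the report runs all three tools from one cmd.exe /C line, but the same sequence run as three separate CreateProcess calls from the origin would still be caught. Walking up past cmd.exe matters for attribution: the process that should appear in the alert is holfix.exe, not the shell.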
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: c39b3aa574c0c938c80eb263bb450311
SHA1: f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA256: 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512: eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: dabfafd78687947a9de64dd5b776d25f
SHA1: 16084c74980dbad713f9d332091985808b436dea
SHA256: c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
SHA512: dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 360B
MD5: afc1565dde920d0818f4d86822b89168
SHA1: 8cc34419b0c846ded7b03a83b78d252f23e555c1
SHA256: 69bbccfff19ffeeb3e993373d88f9f7409d85ec6d96c7c5556a732ffd0350f2f
SHA512: 17cb542a44616ae0c292c185a79cbe1967d5d26ff6bfdd8a36a61c91d5978cf2a0e57b98ebc8629739023dc1b7df0628cb34c1521a16637bd969e94879e7e6ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: b3636fd09e4cdf221662df3d176c42a2
SHA1: ee9964491509a596007c5b26e11b396510c9bfc8
SHA256: 8260b8b12c3aac8516a34842bb766bf6cec40efb3fa4fefb5a43187f0185a56d
SHA512: 391ff2610ce4ee34bac809f5f73c28a83e6f7d5160cf7297ad59d61d812b0d7b919e5beaf4f70a9bd7fa69f45a425d839c67bd0ff7b54112d4e5933f656455dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 44c502709f99b8389b5ddbcf49c11865
SHA1: 4cbce8e99fe2816134c9c81c57dcf5a5cb23f175
SHA256: 83b8a5d7774541a77b492d5350ede6cb4516926530831a1b76563a80163011a3
SHA512: f5d835f35938fd6466f7caead29bcc2e5a7611c39f8219e4a2447ae9e59682dbac70b2f927d5ed11151d3ae971935820bdf5a9b2c7fc14858f5c67af63d2e5cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 8fa62fede32216e0a4113d259982f89e
SHA1: b53c005a9d75289b698b15e4c853f9c2b6cae5ad
SHA256ef0943c95eae441209447db9b229d89eed1599cd8e66166c8d584bef39e15997
SHA512313c173af97f93f0ca09b2ab0f4f13cafcc8e540ae2ca29497fb06e089726284a313ad736ed0f5f2a380600e285199ef8e90a29dfebfe7c62771c8fd752186c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5e33e35f71221d8b8f5827d8d951ee176
SHA118903c3a3d9e7e4e96385b9cb0d78ef087ece1b8
SHA2566e921610f7c39a9db45c25f1d5d59906b449e82fb5d0a2fcbc4f8dbba32d7e7e
SHA5127b7fb3522e0daca459a17857d93a2f6ab4c69b9b3b8a8ce922cc8c3cd6144a2593ed456988b8799616a9398fafeb1be14611d22a39b7be82c575fa8fd084d128
-
C:\Windows\System32\de-DE\user32new.dll.muiFilesize
19KB
MD5f8d6dd4349b7f240c6cd4d04d21657f7
SHA1744e7220be770ddce55fc6242fa3c5547725fcd7
SHA256bd2c70e7e8720942b4bc3020929b894bfbe5e9d97082a821272b73f5d480e9b3
SHA51296f3e427b735a63b49c07e7f14754b996324a58cc15cf99e55c1ba1555dfdbeb7734719b06d4a95c322b3a9bb31c0bb192d78b06981c03ba0678538dd4890f4f
-
C:\Windows\System32\en-US\user32new.dll.muiFilesize
17KB
MD590b43ec7eb2e379561b0efd0d93342bb
SHA1efdc5321144229a02e2347ae71ef1e9a869d8d3c
SHA2566921a8d82bd3586df770d2854dc9c538f6de996a64c63c29e31b1e84be040f4a
SHA5125cc5f9045c90e8fd7d0ddbc242ef64df71b10e36c3a6e5d25db8dbc2608aa3ec48b2a6b71686fa4646e40eefec700e0b2c324e8bde7da9239be98f1416a58e4e
-
C:\Windows\System32\es-ES\user32new.dll.muiFilesize
18KB
MD588e058f2f65a9ecfc4023f5d6512bfee
SHA1c3a86890e1560d33309c0e019d573855028a811b
SHA256a0fc551bc1fe60ecedc79c387a3311f9879d1f69509e61c6a6e472534d7b4448
SHA512e51ac8a044bd5a0de3eb5128efccaa04ee54c5578c698b00bef3ffd9094e51e550b757916af4e7992407019614fd816dd9d78231b6821813bf3e9b4e217f807d
-
C:\Windows\System32\fr-FR\user32new.dll.muiFilesize
19KB
MD53996e9a5f0cc85e93aa7ade49a892c5e
SHA1fa2b4d88bc4b2efb7acd13a83003ec23c44c2664
SHA25639519ade42cac753b5fd8586786e292ada3c4910041353b31730fa3079801c21
SHA51299a84f565c0c730472ebb7940c260460f54b1c88c446c3869ce5e889f4fd14230b40c6267de751d93a3e1882d6ac6cd29a6026591aebb3600caa7b508bd5d414
-
C:\Windows\System32\it-IT\user32new.dll.muiFilesize
18KB
MD5c99c413b13017aa89431469764aab8cd
SHA1a556fc89f96414c3d2b262841b207065a5e205c9
SHA256da174e40ddc8260b809f6331a2d3aa37daa108acd09aef38048432bd1ca283f7
SHA512da93ae0f081900c612c66967c27baf19b2d2054462971887d295b3db3ca5c1e5dbfd92bd258c4acc683b7ea3414466ded4d6ae85464a4eca7e08029fb4c1d615
-
C:\Windows\System32\ja-jp\user32new.dll.muiFilesize
13KB
MD5e69bdd36a3eb328b1af034c72f160495
SHA17615ada4ae284c46dd7ae5212e336aef597814ca
SHA2569c8c73bd07a703b1561e611e8e0754e3070aca9780069016061986550c3da772
SHA512f6fb9b3936b856548d2a728506898556048e0708be7803b50a12063db39943f9ebb5013a8f670e3e1c2ce1f4865b7cc6470c3b87bc01957b8749305cc4cc2ec8
-
C:\Windows\System32\uk-UA\user32new.dll.muiFilesize
18KB
MD5aa12a3301c30a46acd35972b04c0a71f
SHA156a6a8b5f74e1bddb382f70e8fafa84d2313e364
SHA2564d8dadf1c2659434290a2e304f9e87a1bd7de443ec8c7599d44d6f9e1636e77e
SHA512cd64db81fcc2129b73c864bc63f987b447b7c1cea3194bd48f9aa34fb905617e72c585885f3dc071063a08b760bb75ef57f0ae2bca261435c567b4ce8e6f80c3
-
\??\pipe\LOCAL\crashpad_4320_HLTKBFDRBXUQPHTEMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3116-124-0x0000000000400000-0x00000000004C8000-memory.dmpFilesize
800KB
-
memory/3116-0-0x0000000000400000-0x00000000004C8000-memory.dmpFilesize
800KB
-
memory/3116-1-0x0000000002380000-0x0000000002381000-memory.dmpFilesize
4KB