Malware Analysis Report

2025-05-05 23:45

Sample ID 230203-p5cq8aah3x
Target myufn.dll
SHA256 c5701af10df111f738ed461f5b071c4165ad6e26446a21daea8accb769b55f26
Tags
qakbot bb12 1675161160 banker stealer trojan persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5701af10df111f738ed461f5b071c4165ad6e26446a21daea8accb769b55f26

Threat Level: Known bad

The file myufn.dll was found to be: Known bad.

Malicious Activity Summary

qakbot bb12 1675161160 banker stealer trojan persistence spyware

Qakbot/Qbot

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-03 12:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-03 12:54

Reported

2023-02-03 12:57

Platform

win7-20220901-en

Max time kernel

150s

Max time network

47s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1516 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1516 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1516 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1516 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1516 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1516 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1576 wrote to memory of 1704 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1704 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1704 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1704 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1576 wrote to memory of 1692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

N/A

Files

memory/1576-54-0x0000000000000000-mapping.dmp

memory/1576-55-0x0000000075111000-0x0000000075113000-memory.dmp

memory/1576-56-0x00000000007C0000-0x000000000088A000-memory.dmp

memory/1576-57-0x00000000002F0000-0x0000000000313000-memory.dmp

memory/1576-59-0x00000000002F0000-0x0000000000313000-memory.dmp

memory/1576-58-0x00000000002F0000-0x0000000000313000-memory.dmp

memory/1576-60-0x00000000002B0000-0x00000000002E2000-memory.dmp

memory/1576-61-0x00000000002F0000-0x0000000000313000-memory.dmp

\Users\Admin\AppData\Local\Temp\EE944C6B.dll

MD5 53bb811ed12d2c867b354390fabf9612
SHA1 81b29c540c0e2a09385cf7e821639ff64fbffd91
SHA256 a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133
SHA512 5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

\Users\Admin\AppData\Local\Temp\23925755.dll

MD5 53bb811ed12d2c867b354390fabf9612
SHA1 81b29c540c0e2a09385cf7e821639ff64fbffd91
SHA256 a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133
SHA512 5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

memory/1692-64-0x0000000000000000-mapping.dmp

memory/1576-66-0x00000000002F0000-0x0000000000313000-memory.dmp

memory/1692-67-0x00000000000D0000-0x00000000000F3000-memory.dmp

memory/1692-68-0x00000000000D0000-0x00000000000F3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-03 12:54

Reported

2023-02-03 12:57

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a96ae988-57f1-430f-b270-341cffb40e4c.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230203135633.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4844 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4844 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4648 wrote to memory of 1064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 2632 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 2632 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4648 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2584 -ip 2584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 624

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dmyufn%26form%3DWNSGPH%26qs%3DSW%26cvid%3D3c89bcd9ba264ed4ba31968d9a7c8a46%26pq%3Dmyufn%26cc%3DUS%26setlang%3Den-US%26nclid%3D9C0DA10A27A69B5F4DC9FC093B60234D%26ts%3D1675432578104%26nclidts%3D1675432578%26tsms%3D104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdf15d46f8,0x7ffdf15d4708,0x7ffdf15d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3688 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x374 0x320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff678205460,0x7ff678205470,0x7ff678205480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
AU 104.46.162.224:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 104.80.225.205:443 tcp
US 13.107.21.200:443 tcp
US 8.8.8.8:53 r.bing.com udp
NL 95.101.74.148:443 r.bing.com tcp
US 8.8.8.8:53 t-ring-fallback.msedge.net udp
US 13.107.253.254:443 t-ring-fallback.msedge.net tcp
US 8.8.8.8:53 teams-ring.msedge.net udp
US 52.113.196.254:443 teams-ring.msedge.net tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
IE 20.67.219.150:443 nav.smartscreen.microsoft.com tcp
US 131.253.33.200:443 www.bing.com tcp
US 131.253.33.200:443 www.bing.com tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
NL 95.101.74.148:443 r.bing.com tcp
US 8.8.8.8:53 smartscreen-prod.microsoft.com udp
IE 20.67.219.150:443 smartscreen-prod.microsoft.com tcp
IE 20.67.219.150:443 smartscreen-prod.microsoft.com tcp
IE 20.67.219.150:443 smartscreen-prod.microsoft.com tcp
US 8.8.8.8:53 s.bingparachute.com udp
FR 104.123.29.138:443 s.bingparachute.com tcp
US 8.8.8.8:53 aefd.nelreports.net udp
NL 23.72.252.129:443 aefd.nelreports.net tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
US 8.8.8.8:53 t-ring-fdv2.msedge.net udp
US 13.107.237.254:443 t-ring-fdv2.msedge.net tcp
N/A 224.0.0.251:5353 udp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:443 dns.google udp
US 131.253.33.239:443 tcp
NL 95.101.74.151:443 assets.msn.com tcp
NL 95.101.74.151:443 tcp
NL 95.101.74.151:443 tcp
NL 95.101.74.151:443 assets.msn.com tcp
NL 23.72.252.152:443 tcp
IE 20.234.93.27:443 tcp
GB 18.165.242.8:443 tcp
US 204.79.197.200:443 www.bing.com tcp
US 13.107.42.14:443 tcp
US 151.101.1.44:443 trc.taboola.com tcp
US 66.225.223.31:443 tcp
IE 52.210.115.48:443 tcp
NL 173.223.112.20:443 hbx.media.net tcp
US 104.19.136.78:443 cm.mgid.com tcp
US 104.19.136.78:443 udp
NL 185.89.210.212:443 tcp
US 76.223.111.18:443 tcp
NL 185.184.8.90:443 creativecdn.com tcp
SG 172.241.51.69:443 tcp
FR 185.255.84.153:443 visitor.omnitagjs.com tcp
NL 185.89.210.141:443 tcp
US 35.208.249.213:443 trace.mediago.io tcp
JP 35.213.89.133:443 trace.popin.cc tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
JP 35.213.89.133:443 tcp
US 20.127.253.7:443 sync.inmobi.com tcp
DE 141.95.98.65:443 id5-sync.com tcp
FR 23.39.244.146:443 ecn.dev.virtualearth.net tcp
US 131.253.33.239:443 tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 117.18.232.200:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:443 dns.google udp
FR 23.200.87.20:443 deff.nelreports.net tcp

Files

memory/2584-132-0x0000000000000000-mapping.dmp

memory/2584-133-0x0000000002F50000-0x0000000002F73000-memory.dmp

memory/2584-134-0x0000000002EE0000-0x0000000002F12000-memory.dmp

memory/2584-135-0x0000000002F50000-0x0000000002F73000-memory.dmp

memory/1064-136-0x0000000000000000-mapping.dmp

memory/3144-138-0x0000000000000000-mapping.dmp

memory/2632-139-0x0000000000000000-mapping.dmp

\??\pipe\LOCAL\crashpad_4648_AQAQDUICARGNUMTR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1208-142-0x0000000000000000-mapping.dmp

memory/100-144-0x0000000000000000-mapping.dmp

memory/5032-146-0x0000000000000000-mapping.dmp

memory/4848-148-0x0000000000000000-mapping.dmp

memory/3036-150-0x0000000000000000-mapping.dmp

memory/3308-152-0x0000000000000000-mapping.dmp

memory/5276-154-0x0000000000000000-mapping.dmp

memory/5292-156-0x0000000000000000-mapping.dmp

memory/5464-158-0x0000000000000000-mapping.dmp

memory/5552-160-0x0000000000000000-mapping.dmp

memory/5616-162-0x0000000000000000-mapping.dmp

memory/5632-164-0x0000000000000000-mapping.dmp

memory/5824-165-0x0000000000000000-mapping.dmp

memory/5872-166-0x0000000000000000-mapping.dmp

memory/5956-167-0x0000000000000000-mapping.dmp