Malware Analysis Report

2024-12-07 17:30

Sample ID 241112-hq6mesxdrj
Target 5a7a7f395371aa848157cef116e5d86bb7299c8f5859c9f25704175cce61821c
SHA256 5a7a7f395371aa848157cef116e5d86bb7299c8f5859c9f25704175cce61821c
Tags
discovery remcos reborn collection credential_access persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a7a7f395371aa848157cef116e5d86bb7299c8f5859c9f25704175cce61821c

Threat Level: Known bad

The file 5a7a7f395371aa848157cef116e5d86bb7299c8f5859c9f25704175cce61821c was found to be: Known bad.

Malicious Activity Summary

discovery remcos reborn collection credential_access persistence rat spyware stealer

Remcos family

Remcos

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Uses browser remote debugging

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 06:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 06:57

Reported

2024-11-12 07:00

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe

"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 528

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsyCB0D.tmp

MD5 5555876f2521b3ae2424dd9d6ce983aa
SHA1 5dd9296584980764dc0bebb55e721e6f9aacc86b
SHA256 0ca259e86b73dc8d2f375e3860b6bf91b78b3680b5b90c262fdd82432492a77a
SHA512 71992459867bdb629a697d2f1e750390983fd752fe46f3c753eb0671d8e7498850320145b5662c714229cfcad6f0a2fbffac4c5a6ff40c87a90701bfa69763dd

\Users\Admin\AppData\Local\Temp\nsjCB4D.tmp\System.dll

MD5 12b140583e3273ee1f65016becea58c4
SHA1 92df24d11797fefd2e1f8d29be9dfd67c56c1ada
SHA256 014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
SHA512 49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

C:\Users\Admin\AppData\Local\Temp\nsyCB5D.tmp

MD5 19bb0d4e0dbbeec8ba11676faf173020
SHA1 803ec505ddf82c03af6de9ea9bc483d709f01b08
SHA256 9c719d5b57ba39eeac8bb3dc66e5e4116e6df0d13708c46dbb0df2a89b50467d
SHA512 5c10165a0160b4ae90ffb637971daa4086d6fbe2c4cb771050c6736ece6332cee843629ae2ce98139543e099cd439a730696e5c6c2fdbcca449ac9803a6e4df3

C:\Users\Admin\AppData\Local\Temp\nsyCB5D.tmp

MD5 34d32f9b446e46883ec3157794403748
SHA1 e797e81a28e395ea751871b21e638e43d62d0f61
SHA256 a66d886953526d5601da515e1aa53a3f8cbc829aedd557cdf4d0f9573793486e
SHA512 48b0f49ca3604f5a21cb2b850ac19771a17e0fa03cf0b3d6e616e330f136c71dcc623ac36b5b801c4fda203327290b8e3f5ec01a0ea546a87c2ae89a88b74ed1

C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

MD5 8ce4b16b22b58894aa86c421e8759df3
SHA1 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c
SHA256 8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a
SHA512 2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

MD5 25bc6654798eb508fa0b6343212a74fe
SHA1 15d5e1d3b948fd5986aaff7d9419b5e52c75fc93
SHA256 8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc
SHA512 5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

MD5 4e27f2226785e9abbe046fc592668860
SHA1 28b18a7f383131df509f7191f946a32c5a2e410c
SHA256 01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d
SHA512 2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

MD5 cde63b34c142af0a38cbe83791c964f8
SHA1 ece2b194b486118b40ad12c1f0e9425dd0672424
SHA256 65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d
SHA512 0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

MD5 c3cb69218b85c3260387fb582cb518dd
SHA1 961c892ded09a4cbb5392097bb845ccba65902ad
SHA256 1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101
SHA512 2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

MD5 25f205f6839d0787565c29c38a66e75e
SHA1 a2fbad8a011fe9e90a71727905ab119dd3c39b0f
SHA256 e2b210499b723d06146d7e4b169a4ae664b9f157a7ce9fdf76f763acad5163b2
SHA512 24b55c8bc4a2a7cd3e4360e0bdbd9dfdb8c81a5cc8b8e8205916064ebbcb9e83ffb86e6d42dc1325c93539625b66540353180119469b31d2a01b6c7300e9e495

C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

MD5 d5f1458e5d902ac7ad80c68d24774d42
SHA1 67ff9152ddb4dd68d86a15b36106e938466364c5
SHA256 7ca2dfdf8dc94f01a7b20ee482d7abc1a60c33b1787fe3c7e431dfb6f6717a01
SHA512 4532f426a42030df2a4cd3c9e61411b7a24918e1854af3a1b4b4b9d3199cdebebc42f8c7d1336319429c9208fc2235f0844cbf95b0335ac67d180609549f338c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 06:57

Reported

2024-11-12 07:00

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Achroite.exe" C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 464 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 464 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 464 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 464 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
PID 3416 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3416 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3680 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3680 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3428 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3044 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 3044 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1768 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe

"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe"

C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe

"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe"

C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe

"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe" /stext "C:\Users\Admin\AppData\Local\Temp\otlriwsfkwxwzlqazlwttmgqovhz"

C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe

"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qnqjjgdyyepjjrmejvrmerbzxkzhbdgt"

C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe

"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bpwc"

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffefd79cc40,0x7ffefd79cc4c,0x7ffefd79cc58

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,3919290510955190345,16153162855051595204,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,3919290510955190345,16153162855051595204,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,3919290510955190345,16153162855051595204,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,3919290510955190345,16153162855051595204,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,3919290510955190345,16153162855051595204,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,3919290510955190345,16153162855051595204,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3572,i,3919290510955190345,16153162855051595204,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4400,i,3919290510955190345,16153162855051595204,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffeee8246f8,0x7ffeee824708,0x7ffeee824718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,6729754088723014925,11723260222550012738,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,6729754088723014925,11723260222550012738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,6729754088723014925,11723260222550012738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2044,6729754088723014925,11723260222550012738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2044,6729754088723014925,11723260222550012738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 kinltd.top udp
US 172.67.216.75:80 kinltd.top tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.216.67.172.in-addr.arpa udp
US 172.67.216.75:443 kinltd.top tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 gerfourt99lahjou2.duckdns.org udp
US 8.8.8.8:53 gerfourt99lahjou2.duckdns.org udp
US 8.8.8.8:53 gerfourt99lahjou3.duckdns.org udp
US 8.8.8.8:53 gerfourt99lahjou2.duckdns.org udp
FR 194.59.31.40:3487 gerfourt99lahjou2.duckdns.org tcp
FR 194.59.31.40:3487 gerfourt99lahjou2.duckdns.org tcp
FR 194.59.31.40:3487 gerfourt99lahjou2.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 40.31.59.194.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.180.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.180.10:443 ogads-pa.googleapis.com udp
GB 142.250.180.10:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nssC0A2.tmp\System.dll

MD5 12b140583e3273ee1f65016becea58c4
SHA1 92df24d11797fefd2e1f8d29be9dfd67c56c1ada
SHA256 014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
SHA512 49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

C:\Users\Admin\AppData\Local\Temp\nsiC0B3.tmp

MD5 e2fecc970546c3418917879fe354826c
SHA1 63f1c1dd01b87704a6b6c99fd9f141e0a3064f16
SHA256 ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0
SHA512 3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

C:\Users\Admin\AppData\Local\Temp\nsiC0B3.tmp

MD5 299751a30a50b5a6b62371c27fc4e478
SHA1 2a016fdba9876a7aade76bff3c4780633d5e6ef4
SHA256 0d4b1effa5ab30d5f6d9e6b1bd6de429d4a25075dbdf2f28d67beab72f6bff0e
SHA512 6917664885b34990ded6171ea01bfb2e1ff67e38455bee9d75e80d3905db7e7199679ae3761e290062e679ccf2555804b0ec1a59a5fd74c5069857c3326264e5

C:\Users\Admin\AppData\Local\Temp\nsiC0B3.tmp

MD5 bebdffa37358b59c6d03d4e3947c6f6c
SHA1 bb3d6a0095f4d6d2dac15bb64ffd4775952bf547
SHA256 3e3573216f1f8de74e0c00566b297b31f2c5b0e1015114d370fb84cfcdbe97d3
SHA512 651f98e9cf38c74647806c574f807c6a84d3b60c25aa701c00ad0cac409ff99fa490169ee033ba4ab1aa97dd8010c887d21d1dd1219bbfe5ae81ab39991efdbd

C:\Users\Admin\AppData\Local\Temp\nsiC0B3.tmp

MD5 a736abcb9380cc3122c530302f713c8b
SHA1 04b4d0d386bd0ade20409730e8160c5c713fb36b
SHA256 5e8f7f2bad61bc10fa2f647e1367a29053166799244128a74508cc3c3a760c08
SHA512 234d99b774a992d86762c9d298dc62d612219234db760a259d6e21ed9d1f10dd810aefb4d9c82af254ceb7d64ff2811772dfc4350ccdfd4375f01a7b801cc333

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 8ce4b16b22b58894aa86c421e8759df3
SHA1 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c
SHA256 8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a
SHA512 2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 25bc6654798eb508fa0b6343212a74fe
SHA1 15d5e1d3b948fd5986aaff7d9419b5e52c75fc93
SHA256 8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc
SHA512 5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 4e27f2226785e9abbe046fc592668860
SHA1 28b18a7f383131df509f7191f946a32c5a2e410c
SHA256 01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d
SHA512 2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 50484c19f1afdaf3841a0d821ed393d2
SHA1 c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b
SHA256 6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c
SHA512 d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 67cfa7364c4cf265b047d87ff2e673ae
SHA1 56e27889277981a9b63fcf5b218744a125bbc2fa
SHA256 639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713
SHA512 17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 c3cb69218b85c3260387fb582cb518dd
SHA1 961c892ded09a4cbb5392097bb845ccba65902ad
SHA256 1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101
SHA512 2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 2b3884fe02299c565e1c37ee7ef99293
SHA1 d8e2ef2a52083f6df210109fea53860ea227af9c
SHA256 ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858
SHA512 aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 9a53fc1d7126c5e7c81bb5c15b15537b
SHA1 e2d13e0fa37de4c98f30c728210d6afafbb2b000
SHA256 a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92
SHA512 b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 2ad5c23f715f52698d1ea9aa4d458778
SHA1 219e69a643dd195a31165a3a9c3a6a4acc175c51
SHA256 5f11e5fe0756dcee805d4f21f3544a23723373110f2aa37db45ab5e594dd339c
SHA512 b2f7e9fe904fca93b0f6b7753dd2dd6c1f011f5a84c392dc58cca70052e1ad18f8aebbc052ddbb065a7bebded613374c7e4a9619635237d87525c16d86e1a141

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 8574f798c3bf77c738c665a1a283f1fa
SHA1 7f7930b7c54eaa9438894873070c177ff05d3c7d
SHA256 5a9d3954c0cdd618e9322fa39b27a57a16b809d3c745bcf97fa5af6d5dabe676
SHA512 c45d3360501d28bbe2b8325eaf380c5a98e30df703e98ffb77bb009167bb8841d837255f49d96062e2797332a8a08db5d09ab2ed5581d8f18882cfb6d7431d50

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 760020743c52fe0baaae9d890ec53ffa
SHA1 08d448017834e5b5104e8e91259f20824ab1c055
SHA256 9cb5384eb2e5edc01319484639a9ca8f43f63de8f2b8753a1a595e7ff575a336
SHA512 a73b914120d789d3c1a119d4081b31bdacb6809779a2b6ae16d3ebec2b6f458d9b3dc4a880213c0519b7dda93a89c550e881730948f8a6ae216573928f894af3

C:\Users\Admin\AppData\Local\Temp\nsiC150.tmp

MD5 94d50858f536d0b073217deb807d181a
SHA1 deaaf25f8ec263928644fceb69dcb199a06cf8e7
SHA256 2e191ac2589e939929565cf8bd27d1caa964a008e0e3601d3aa868232881439d
SHA512 f7ff9d549378b002cb9abe8c2cc826d3df1ff15f66bcf06ef0c0c55ecf70560e0c0b7951cefd8c94a7687fd38ca8b6c19668074772f1aac5e8a42bebbd6c2534

C:\Users\Admin\AppData\Local\Temp\nstC1DE.tmp

MD5 1b13d97f62b4bd11e107b8c9a50afb74
SHA1 733b892df27693fa6a8d7cb3a084f807f55e039f
SHA256 9d50ff85fb2ee94e1c137e64edeaf35f2d216c21410522010b2d5cabe8e2d8bd
SHA512 fe20e0e85e8bc42a81df0d68d84495527aca62136abdf51919e5d1831fb2629e2f3e677beb0033b325dce33fa87b81305a4828fb70d3f986192c0e5178736b8b

C:\Users\Admin\AppData\Local\Temp\nstC1DE.tmp

MD5 d5f1458e5d902ac7ad80c68d24774d42
SHA1 67ff9152ddb4dd68d86a15b36106e938466364c5
SHA256 7ca2dfdf8dc94f01a7b20ee482d7abc1a60c33b1787fe3c7e431dfb6f6717a01
SHA512 4532f426a42030df2a4cd3c9e61411b7a24918e1854af3a1b4b4b9d3199cdebebc42f8c7d1336319429c9208fc2235f0844cbf95b0335ac67d180609549f338c

memory/464-565-0x0000000077141000-0x0000000077261000-memory.dmp

memory/464-566-0x0000000077141000-0x0000000077261000-memory.dmp

memory/464-567-0x0000000073FA5000-0x0000000073FA6000-memory.dmp

memory/3416-568-0x00000000771C8000-0x00000000771C9000-memory.dmp

memory/3416-569-0x0000000077141000-0x0000000077261000-memory.dmp

memory/3416-571-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-578-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-582-0x0000000077141000-0x0000000077261000-memory.dmp

memory/3416-583-0x0000000000493000-0x0000000000494000-memory.dmp

memory/3416-584-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-585-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-586-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-587-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-588-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-589-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-590-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-591-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-592-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-595-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-596-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-597-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-598-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-599-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-600-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-602-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-603-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-604-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-605-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-606-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-607-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-608-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-609-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-610-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-611-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-612-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-613-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-614-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-615-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3008-621-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3124-623-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3132-632-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3132-635-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3132-631-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3124-630-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3132-628-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3124-622-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3008-619-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3124-620-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3008-618-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3416-641-0x0000000036CF0000-0x0000000036D24000-memory.dmp

memory/3416-640-0x0000000036CF0000-0x0000000036D24000-memory.dmp

memory/3008-646-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3416-639-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-650-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-636-0x0000000036CF0000-0x0000000036D24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 a0b00443f5a134c95ca43dc41e6dd095
SHA1 3f734b453265ecacf1f661ba4843e3f3f739225b
SHA256 0b66864d5e1709fd9163da7627a422a43856e8b3251dc571df9f6a3993947b7e
SHA512 8460158d0d0220aef1ccb1c68f956bbc82734bdb959b620fe38375526890a7f3c8a92777fdcfc1a40e1101209820e01d344b89348227bea16d10e9ae1af73f7f

memory/3416-653-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\otlriwsfkwxwzlqazlwttmgqovhz

MD5 ac300aeaf27709e2067788fdd4624843
SHA1 e98edd4615d35de96e30f1a0e13c05b42ee7eb7b
SHA256 d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9
SHA512 09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

memory/3416-659-0x0000000036E60000-0x0000000036E79000-memory.dmp

memory/3416-658-0x0000000036E60000-0x0000000036E79000-memory.dmp

memory/3416-655-0x0000000036E60000-0x0000000036E79000-memory.dmp

memory/3416-660-0x0000000000460000-0x00000000016B4000-memory.dmp

\??\pipe\crashpad_1768_QYPETBBYKDZPEGSL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 ebc04efe08c5b479d966dcc4098ad9fd
SHA1 982c038afc8f5c796145ad9f244dd630ed49ed85
SHA256 0cff7fb1fa385668dd0006c0ae569a42ade53e94f948aef3092a176482374144
SHA512 a8d8f13c25f0c8c3e2576043c84aa4224a188483dcef98d8edb9bc0c83d4232e74e444aba2565a7c76192fc3ad71de2ed4c6b9ec68426f16eee788d065bf143b

memory/3416-682-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 85a49cb6adb7ad380c03bdcc102b8db0
SHA1 c8b0a4d5b66be12fcb95981cb66928ae79252eb0
SHA256 9362aa1676a0b68c0d31ed2748a1c3fd93ce7ecccd17386b1a1a05dcc74f3e90
SHA512 646cce6f899bfc9abf514090332133223058d34f10f31432859aafba10faad6eda6c0b9b5ecddd619c521bbfa9dc096d5a9b5b2b1ab94fa0a53418c4ab2c1a0a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/3416-662-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-705-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-733-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

memory/3416-766-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/3416-782-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-788-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-789-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-790-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 473574ee164117561d8181d641802f08
SHA1 30d4fb1fcf6ae9c6a2b050a96022d2bd34f1a9b2
SHA256 0714a7f58bb3603c25a4eb79348b8c3c05f08cd3e89aef6194e59946e3d9a9a2
SHA512 6f721a5139184e57e850ae0bd5a40bd0d18045d9c0f10d4f2a12581c2567e0bf41536c59dc0747c94ddf084e878837fd2fd793f5af425d85ddb38020d2d0ffa6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 125adec2fa355fe0128e1102c2e4289d
SHA1 dcf226ad6f54f6ffee1dcf64dfda4cb61759e017
SHA256 26dc38dd309bb5ddbd5a5b55bd9bc988f2c97f95172972b299f2dbd54db7e316
SHA512 57f7559788128cd7b52d85a138ff8d0d25576fdaef690ef4c66ca83e52d623caaa3c1588a0f6e037821355166eff7a255cd5071362085e3a60d44c999548c8e7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences~RFe58e923.TMP

MD5 03f5b0d0cde36047423d3f5744da6aec
SHA1 76afd3c804078639efd8db85925aaff22cd7eabd
SHA256 9047f92d0844c71ca1e579e82ac66980b998ea13606175c4094b37dd4c515745
SHA512 b4958125b5bda3be2b898ea7cf4580c82585f41ebdfb8859575dfc0bdd851cd206d12c268bfe2b0cd29b3a32415c012a03040a17800c14ce525188be61def59f

memory/3416-796-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-807-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-808-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-809-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-810-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-811-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-814-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-815-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 b1547bdc461c70a7ab84c344b8ea728e
SHA1 e696b7a1d088061bc1adb878cbcb24812ceed8ba
SHA256 94751b9116c4a117f2124d29e2e96ecb5b40163aae41dd99e1262dd1ec7b0128
SHA512 80932dc396fd04a8c95c3b71dd0b142969764b9e6a79b5bf488cb1e0f940cbe8dfc1cc892f6652681799990ace0002c0fd3108a7078e27071bb81d10e8497ff7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 fb356291c5d731df82ecad7255676c7a
SHA1 1e1b4235d71b9d07801d9e9645554d4dc8ae05f9
SHA256 e40264bf5895d93445f0ae89ff0714be563ecc20e371caa356b276a6aaa917cf
SHA512 934d9f172b080f217ff10a15e9f628036198c0fc07d718e48cfc4ec5a4b7359609c005d6e140eff6cebc0b96811874b7e2da5c3a23cd5e3d12ccd1c049f92866

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 7520956b737e2ddcbbf4585661df8657
SHA1 b04b79181f63f6bef16a09c0ddcb00cef50ca9d4
SHA256 a921e2dbabd5d15f0080ea3517db28e1599c2cd1de4559f567f285cc463741f4
SHA512 44f5bb4bb4eb1d2736f3c32bf067d708de1c9d01f2d5506d5c80a98a1632de8897d58ccb7166d15f720d63b56d3e9bdea0ac6fa5c9f1fef74f52e3a241b6b3ad

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 72fb8fdc79e886886d9cc89b88ef11db
SHA1 b602840b49b5e657eb4f9cab689940c94179ebc4
SHA256 623fb553bc909b8b591b994a232f3361b993a75d89d3374fa433af91ce63dfea
SHA512 0ac23f265781a01f7ab0434e4dbb9e1af441cd0227d317af3f9ab436a44585321b209e167bbabc7461e28407dde3ba3519d67c44d6f1762ad0fa4f151dd82f92

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 0bea086e8d1c013b80499a63afb7f561
SHA1 5475698d7825face2c899dd46a45851643e0b525
SHA256 435305e24b4e0c641c5c84c77c191fb473acf9c607a263ab0170c3bd890a13d6
SHA512 ec8b526ff9f3e5ae3d9f5a1b94064930db95e59484f302937ae8c1b13abcf84c0f726141f52b85d01efb5d341ef14784513cffd4428cb5ba1b087503fd4343b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 839a62190fcfa4f3da0503ec22578b15
SHA1 75b115ee14f7a5c5519baed8025cd6175854e294
SHA256 8add6f81160c674f0fec1171cb37319c91630cd8ee8abfcc84e2c2f1b33289af
SHA512 cf65af29239071105cb1a127fa9e86fcbd38435dba1511cd68ba37a4c974d3c98b9765c5046c58c0378dc930fc46b0e6fcef66bcf1b0c764652677c46867c383

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 c6a457e645c2618ddd7a6ea7d5804cc1
SHA1 1cd234a689038e7a89852924b275a7e9b5a4ce9b
SHA256 2179fd13eea9c0ee3022087d7f30fdc7b96bf57a5882bec7faaf3eba91e3091c
SHA512 7f7a392bc14a804e265951a4792be3ce00a55b1fb36cf29d7b33a4817d053636b885e979a8d038c06477d14fbcdd0edb5d789dcf798bc1bb4dedf3e284c30d70

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 f4ec4ca332b3d9a75813733436bf2096
SHA1 226ba39ac42f4144e1d204071375f40ecd52c4db
SHA256 d1e368eb7a51345f2c4d38b03ef8825e5897aee6ae376a257a0eaaea743ceb57
SHA512 ad7d9276dbdcbb19194da0cf3f03b85137f226bfbc46c83d145420645bdd15bb392012f38d7ef3bfe2fdad513d8a221399764337c240fc010dfef36906fcb3bf

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sessions\Session_13375868328505813

MD5 c5c0c92265e61e3aa09a301ee37d8d60
SHA1 c1d6cd4c0e80bcbcc3037f4471dc35cb2e8a8938
SHA256 d56890163a53f0c5d896ce7742e93f3df210c578f98364659045cb9a6b240b11
SHA512 06327383c33096570822f3b0fa52c03fe140bf1da692107b5e80d43d843819f3e22d56d54d9ebd73a2f6e9be6c3acdaf9eedeb9821a9eb0b2762a3ddc3945804

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 4bff0da3646e63b98cd5acc4483794d4
SHA1 88dc937c5fbdae7e044979716dd7fca50f9bf3b5
SHA256 b9096f27cfe5a7082ede7e9355051c25f385df9b9bc0c6048a78f1a4140e28d2
SHA512 29949114adb6c3221cf82ff65cf4328734887c8c41e667e346d917a97f2efa674d28df7c57858f23c8bed009dadfa8a702dae580a9d3f43bea7885134cbd19ff

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 6a8afac1bb62454ac1148b49c82826e2
SHA1 277843332474953162147ae5a9fcee98d7e675f3
SHA256 be777a9bfec733c93e6a29dee540dc9b8ebddf59059b62fd042d4c8b9696028f
SHA512 3fd621d67f079c71b2f19bf95e9d4e59adcf825732d74a9b92bdfed7b1f316345849984e3dbbcd6b1d12adb3f286f9cafde741ef13e97162b4443043cf004f8e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 404acaac9673c8d7a162f4a28ccd11b7
SHA1 8825a0e0c321c76f104771ee3223afb48ab49c82
SHA256 c79a94ac847e849044a92e86860151de84846de70e42eb1ef4814d920e83bb07
SHA512 d5344fdd772c7394a72ded611e35516eaf57a4f2eb0de1698a523a19776a6c749193340d5ff3b13adc80e6ff6cbc19d52902ef7237b5eb2f0210385da2a83f91

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 f2d1d1ad4089dd951242295f15f10fae
SHA1 e743289139de2ce8ca6fc88fafba477ef9ab2d13
SHA256 c6a7dffbc95704c6cc719a48b48c8fa3647f86afb24a10f500724f734479fc5e
SHA512 b83bea13da5968ad6c2cd919fa7f6ab0d05c331c7b9b8452b91e66b112157c2e0179e0e550aa27d081eee802cef9a8ff65187e07ff0683fde9c22bb0389f1e93

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 48d27bbe313b276bc5caf9413f1a74eb
SHA1 0edd31a71ea2bc997fb2af65d2fd1531e62a73a8
SHA256 6a8dce3897baa7cbe37a26fe866e11cce1df23dbfb2f4765cb82515750b408d3
SHA512 c0181fbe6d568fab5370fde62e0878748415922f37f74174f4cd74061b115dac58dba2340425133db757e81394a31f146cff416946237967885ac67cd1b99603

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 6be62cb0a59bcfd65b81ee94a593909d
SHA1 8e2533f1da548f71eceebadeee1305a6482a37dd
SHA256 984c5f28b35c6eabeecf0579f692532d21bd3bdc82d8cf38364fcfd12484751f
SHA512 f23d6ab3804fdc1edaed7c2ef45cf53adfefe8290d17dd3c3d48e15e41df6982eadfe25e5002e14cf396f018140bfd055cbe2d70b907eea7f6698ec3502705f9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 ab540b170893925c762c353abf148ca8
SHA1 2c089a523295194f01d7cdd6b953719599518d1f
SHA256 17559b7558bc293ad9ce4ddc720402c8a4b05a9758649458aba0055359015305
SHA512 6d8fd33041af69cd000989a1361917a152aaffc5932313615072f3a1de127e74e3d0890d9d6a01f3ea32bd7096276351c5d97171c0538d66eff4f7754c819324

memory/3416-913-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-914-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-915-0x0000000000493000-0x0000000000494000-memory.dmp

memory/3416-916-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-917-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\metadata

MD5 00aa74781edd62ca7dff3ff4cefca8d0
SHA1 ae5294945eb2445e62c918973268db42584a2ffa
SHA256 186ff7cb7f4d74bf2a2572dfa15421831a88f0a7281e4400592ee55449dd650a
SHA512 1c1c44037179d22227fece38f596146523d5fb70949d4214270bb7ba70f52a91b8dc0da79d7dde3a1bc4b7122769c55f02e4113c576474ccf5889ffd6dd696bf

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\reports\2f5fb0b2-fc8b-43d0-b242-329e04c9eaa6.dmp

MD5 7be872eef663fb08bcb61a5990c083bd
SHA1 bfaaba73fb178db40f01a576bc581ac180b6a501
SHA256 098b6efa7e75d7c84528d7addc4bedc88b7ec6ada22ceab5cf3501d909888ee1
SHA512 810dde8a17cd0f7a0df5c6ecfef31f05e7f58f129c2b77d195c82491bc88a8245d1e41f01c6122dfed549b8feee722876f7c74922b57b21f24145508385c512a

memory/3416-976-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-978-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-979-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-980-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-981-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-982-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-983-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-984-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-985-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-986-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-987-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-988-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-989-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-990-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-991-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-992-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-993-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-994-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-995-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-996-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-997-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-998-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-1000-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3416-1001-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 4e6fe32b153fa292cfec20d77a721aa7
SHA1 3e4d4036f87481ceef3615086907a16f51c8bda8
SHA256 ef662ecbdc2a031584b424853e807d4d2f4d6bba18808d7b506c721e42f5bb70
SHA512 c124e4127942b315a6a813fc8ba9af3459c5d1dabcdf8604de29e5422623c1d05fdd72e30ea45d968da76b6ce9df18786cc4192f996c5b99fbbad7f3c4f10e5b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\watson_metadata

MD5 51feb06441f199e48d32d09252eca2be
SHA1 e5ae14e089aac9e439475ba3f9b6417cb5dc7d9a
SHA256 1ad3628308c6a9d049b52a62a3cdb548efbb2898180eb3241f7c764fad07f89a
SHA512 d5f6d029d21dabd197a9f40c5476c17ec4d942049a55df06ef41f38d3401500cb745a5545198add843a0c55fb9266b5313b15d80b23f584f53fa0fdde1eee5da

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 06:57

Reported

2024-11-12 07:00

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-12 06:57

Reported

2024-11-12 07:00

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4752 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4752 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A