Malware Analysis Report

2024-12-07 17:24

Sample ID 241112-n31vlavpck
Target DEMASI-24-12B DOC. SCAN.exe
SHA256 a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99
Tags
discovery remcos reborn collection credential_access persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file DEMASI-24-12B DOC. SCAN.exe was found to be: Known bad.

Malicious Activity Summary

Remcos family

Remcos

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Uses browser remote debugging

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 11:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-12 11:56

Reported

2024-11-12 11:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 740 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 11:56

Reported

2024-11-12 11:58

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe

"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 532

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsy8C97.tmp

MD5 42e9d16f22a223f11084f22b94b42210
SHA1 7f4dcba6193c831687f6a1cac9b60231be8a6a1a
SHA256 0717d3c2c8ad4b25752e43514cd4352de08c51bb9a8d153beb842dd421677b91
SHA512 a965c1381a0179e1bb1600fed3065741ebacc8c1e0a73db5d0db4eddbe5a45ec42cbd489a525d5c5151f52188daf367d0740e6555d9e41c1385a2fed4b7a6ec3

\Users\Admin\AppData\Local\Temp\nsy8CE6.tmp\System.dll

MD5 12b140583e3273ee1f65016becea58c4
SHA1 92df24d11797fefd2e1f8d29be9dfd67c56c1ada
SHA256 014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
SHA512 49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

C:\Users\Admin\AppData\Local\Temp\nso8D46.tmp

MD5 8ce4b16b22b58894aa86c421e8759df3
SHA1 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c
SHA256 8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a
SHA512 2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

C:\Users\Admin\AppData\Local\Temp\nso8D46.tmp

MD5 30b38fdaf7aa2c5edee19516cf94ccc8
SHA1 c0b9a65702e427c1ff7cba4ead7567fff222d7ee
SHA256 cf4d212c34fad924ab772ed4ca1f3ca2feba5a25c35d9af1b71217df28041b45
SHA512 c41e107e3d59f6e96fa9a5ca3f49ace8ca8c2c7b46d0b34cdbc519bc8c30b44be3a1dd301988aeab2d936141736b8fde7797fb32901073bb99fd702a0ff087b8

C:\Users\Admin\AppData\Local\Temp\nso8D46.tmp

MD5 94d50858f536d0b073217deb807d181a
SHA1 deaaf25f8ec263928644fceb69dcb199a06cf8e7
SHA256 2e191ac2589e939929565cf8bd27d1caa964a008e0e3601d3aa868232881439d
SHA512 f7ff9d549378b002cb9abe8c2cc826d3df1ff15f66bcf06ef0c0c55ecf70560e0c0b7951cefd8c94a7687fd38ca8b6c19668074772f1aac5e8a42bebbd6c2534

C:\Users\Admin\AppData\Local\Temp\nso8D95.tmp

MD5 25bc6654798eb508fa0b6343212a74fe
SHA1 15d5e1d3b948fd5986aaff7d9419b5e52c75fc93
SHA256 8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc
SHA512 5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

C:\Users\Admin\AppData\Local\Temp\nso8D95.tmp

MD5 cde63b34c142af0a38cbe83791c964f8
SHA1 ece2b194b486118b40ad12c1f0e9425dd0672424
SHA256 65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d
SHA512 0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

C:\Users\Admin\AppData\Local\Temp\nso8D95.tmp

MD5 67cfa7364c4cf265b047d87ff2e673ae
SHA1 56e27889277981a9b63fcf5b218744a125bbc2fa
SHA256 639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713
SHA512 17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

C:\Users\Admin\AppData\Local\Temp\nso8D95.tmp

MD5 cda05fedfd1133dfc6439e441829b6ba
SHA1 e0dfbcfe83a13922d365506312212928871f9c0b
SHA256 27fad7aa07fb564d9f9e0cbaf6515fe34bb0f8647cd200fee1eaad0167523099
SHA512 1180a5fac7c9c8ce445b5966b45bda7d38bb65d2ae2b1bb096d01e09476622bb0bf745dfed3104cd7b5da766322653bb14720b3394e2cb87950191a66b94efaf

C:\Users\Admin\AppData\Local\Temp\nso8DE4.tmp

MD5 67bb7ef976d4ce39058a22b6174a0e72
SHA1 9be7c1328a129dfa8fbda22b646e803ff262c5ef
SHA256 97e5daf6f20df9ce038a539d8bcf4d7b9efc1058102c9ce7ce1e6e169200672c
SHA512 12192b1718b77b437b383bca40335944b6bcaa772ccd398eb4b92a5b7882e3159a65470141fb98d7911f96bd97d46e93955302a9f5a19059ebcaa2c1a3f915e1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 11:56

Reported

2024-11-12 11:58

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Achroite.exe" C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe
PID 4600 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3376 wrote to memory of 796 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4600 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe
PID 4600 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe
PID 4600 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe
PID 3376 wrote to memory of 2516 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3376 wrote to memory of 4728 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3376 wrote to memory of 5096 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe

"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe"

C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe

"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff91eb7cc40,0x7ff91eb7cc4c,0x7ff91eb7cc58

C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe

"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bnywoffutccxbd"

C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe

"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dhlppyqwpkukdjhtd"

C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe

"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ojrhpqbpdsmonpvfuvoa"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,10000639644493333471,7769012742230519890,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,10000639644493333471,7769012742230519890,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,10000639644493333471,7769012742230519890,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,10000639644493333471,7769012742230519890,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,10000639644493333471,7769012742230519890,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,10000639644493333471,7769012742230519890,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,10000639644493333471,7769012742230519890,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,10000639644493333471,7769012742230519890,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff91f9c46f8,0x7ff91f9c4708,0x7ff91f9c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,15782882167112408121,7714783249866261407,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,15782882167112408121,7714783249866261407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,15782882167112408121,7714783249866261407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1868,15782882167112408121,7714783249866261407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1868,15782882167112408121,7714783249866261407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 kinltd.top udp
US 172.67.216.75:80 kinltd.top tcp
US 172.67.216.75:443 kinltd.top tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 75.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 gerfourt99lahjou2.duckdns.org udp
FR 194.59.31.40:3487 gerfourt99lahjou2.duckdns.org tcp
FR 194.59.31.40:3487 gerfourt99lahjou2.duckdns.org tcp
FR 194.59.31.40:3487 gerfourt99lahjou2.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 40.31.59.194.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.16.238:443 apis.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 29.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files


memory/4600-891-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-892-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-893-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-894-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-895-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-896-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-897-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-898-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-899-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-900-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-901-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-941-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-942-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-943-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\metadata

MD5 0b31f687f2ed6b14bd5664960a742fc3
SHA1 ee650358d2b10f2d33fb3baa21306e807adb1297
SHA256 94537e0cf82191df94ed8680bfd0dae6e29ddaea315f00bc98fea15711678b94
SHA512 1a3859f7fe64bbdcf52de37dbaa6601a9f76ca51afb0374edaa7941dfc01501cdfadb27c008f15942858f7d5c306bc2df0a65be6fd0216b7c6b761d6b69bab44

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\reports\48d08f85-719f-4db0-b5cf-ec88e59a479d.dmp

MD5 f429df4e2eccd78721f869b569a4f9b6
SHA1 9188caf7868c670c44f7918c946def05503b397f
SHA256 a3239e78190a9a0189889e3eee76ed83b855bda285847c90a16d743d139e3913
SHA512 aea47705fef7c1faec5ea2a4428c0f14a9ef177a79a7b50bb52314a28dbd18bfcfc46b0a0b2390eb0e260487c6104a50e2bb302b6714232dbc1fa32f7df545db

memory/4600-962-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-963-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-964-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-967-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-968-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-969-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-970-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4600-971-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 fa6340ebca632baca969fd6749ae88d8
SHA1 ed1a9926c3cf07130a3d39a059105ebaa81571a5
SHA256 5f6d603e906868e9255543cd90d18a9c4cf49bed3e52d6b107362de2630caf3f
SHA512 34afe99447b9faa5c976ccc5fd3631d271033dd187e096677edc11685e7ec9bc347c469fa5a99a99cfaf2f83208256568898b1d04ae0572cd5264b51fbd79e49

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\watson_metadata

MD5 19dc434882a18fc73d515a91dd0d5f63
SHA1 3cdf42f302c07002b9bebb136f3257e416f3c73b
SHA256 0096e12a2992723aba4ba90743749015dd471caba8605edf04dc691837637159
SHA512 5d6c380efc73695fc3dd7434b34cde44cdbaa39f84f11d50a32d39ae278dfda175afe67d61adbb4e1b13820e5c23fd21041477a31898fccb0b24be8de5c96707

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 11:56

Reported

2024-11-12 11:58

Platform

win7-20240903-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\WerFault.exe
Target: C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWOW64\rundll32.exe
Target: N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 220

Network

N/A

Files

N/A