Malware Analysis Report

2024-08-06 12:48

Sample ID 240602-k7nt2shf26
Target Vision Builder.exe
SHA256 c9ff2801dded32de57dcfa9922c06fb72591040f1ed64ed228e5926f147544c9
Tags
stealerium stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9ff2801dded32de57dcfa9922c06fb72591040f1ed64ed228e5926f147544c9

Threat Level: Known bad

The file Vision Builder.exe was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium

Stealerium family

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Kills process with taskkill

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-02 09:14

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 09:14

Reported

2024-06-02 09:17

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe"

Signatures

Stealerium

stealer stealerium

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2572 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2572 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2572 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2572 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2572 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2572 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2572 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2572 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2572 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2572 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2572 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp521E.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 3056

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp

Files

memory/3056-0-0x000000007441E000-0x000000007441F000-memory.dmp

memory/3056-1-0x0000000000A90000-0x0000000000C22000-memory.dmp

memory/3056-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/3056-6-0x00000000055B0000-0x0000000005642000-memory.dmp

memory/3056-7-0x0000000000440000-0x0000000000466000-memory.dmp

memory/3056-8-0x0000000000970000-0x0000000000978000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar51B0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\tmp521E.tmp.bat

MD5 5c63028a720faceec8854f31e0990bc0
SHA1 e43460a8d9c9b502d0adc3ac34b7c9d898e44c47
SHA256 bcd1018fb07306254c28b9594ef411ce92e738ece626c0e5eae22c19660cbfda
SHA512 7e8c2acd495427b3091263eaa7b1d831c6dce7f12aa078fc0f9be1253a8a5f3c54be69c6f508f254706c3fe556e3571db6f174e4e235fbe6ff904dff5e32ff48

memory/3056-50-0x0000000074410000-0x0000000074AFE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 09:14

Reported

2024-06-02 09:17

Platform

win10v2004-20240508-en

Max time kernel

159s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E22D12B8-20C0-11EF-BCA5-EAA3B7AF2FC1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617934010522439" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3832 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3832 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3832 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3832 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3832 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3832 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3832 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3832 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4564 wrote to memory of 1148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 1148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 60 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 1288 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 1288 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4564 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Vision Builder.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp66C8.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 1148

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9a7aaab58,0x7ff9a7aaab68,0x7ff9a7aaab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3636 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4148 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5044 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 --field-trial-handle=1560,i,8700787684199861653,2473717569359546514,131072 /prefetch:8

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:17410 /prefetch:2

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38d0855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 pornhub.com udp
US 66.254.114.41:443 pornhub.com tcp
US 66.254.114.41:443 pornhub.com tcp
US 8.8.8.8:53 www.pornhub.com udp
US 8.8.8.8:53 static.trafficjunky.com udp
US 8.8.8.8:53 ei.phncdn.com udp
GB 64.210.156.18:443 ei.phncdn.com tcp
GB 64.210.156.18:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 media.trafficjunky.net udp
GB 64.210.156.23:443 media.trafficjunky.net tcp
US 8.8.8.8:53 prvc.io udp
US 8.8.8.8:53 cdn1-smallimg.phncdn.com udp
US 66.254.114.156:443 cdn1-smallimg.phncdn.com tcp
US 104.21.56.52:443 prvc.io tcp
GB 64.210.156.17:443 media.trafficjunky.net tcp
US 8.8.8.8:53 18.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 17.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 23.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 156.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 52.56.21.104.in-addr.arpa udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 ss.phncdn.com udp
US 8.8.8.8:53 eg-cdn.trafficjunky.net udp
US 8.8.8.8:53 ht-cdn.trafficjunky.net udp
PL 93.184.223.43:443 eg-cdn.trafficjunky.net tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 216.58.212.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 storage.googleapis.com udp
GB 216.58.201.123:443 storage.googleapis.com tcp
US 8.8.8.8:53 43.223.184.93.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 123.201.58.216.in-addr.arpa udp

Files

memory/1148-0-0x000000007492E000-0x000000007492F000-memory.dmp

memory/1148-1-0x0000000000010000-0x00000000001A2000-memory.dmp

memory/1148-2-0x0000000004B70000-0x0000000004BD6000-memory.dmp

memory/1148-3-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/1148-7-0x00000000050C0000-0x0000000005152000-memory.dmp

memory/1148-9-0x0000000005180000-0x0000000005188000-memory.dmp

memory/1148-8-0x0000000005150000-0x0000000005176000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp66C8.tmp.bat

MD5 6d5e4e6d96ca9dbebf1a7ffab0dd929e
SHA1 a2c184be5ccb606e879dec7887e9544d569c73c8
SHA256 672dd87dd77db73ba81fadace3308941696f3755c55854dd28c9935e0875161c
SHA512 62248f27f0b5ab584a01e7d75e261cfa96c1217a532caefe4dffba0aef99707a65995fc0309a32b9a52791142f2a73fe8cca504c78b22e25070cc2021d78f5e7

memory/1148-14-0x0000000074920000-0x00000000750D0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 81dccfb756b658f08183c7a7e9fa8dfb
SHA1 d72d8f0e31130c357cd5b29538b0ef05aa1a5004
SHA256 4c399deff3bda832f15507a19b603b0c7058ac74dece4eca082acb2cfa1bb067
SHA512 2f850f6fcd796bda19fdc0510a90c8f63a54da437383fb3b6448808cf6c3d1815e630af9075cb427696401d33daa64a24aef9281d78c1f34b21a512bef3651e6

\??\pipe\crashpad_4564_ECYZEWJDQJITVXZR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 fed4a06c25e0cf566e2c09f967766716
SHA1 0a51376fec86ff7e75a4bb9f0a5cb42f78c42596
SHA256 3fba5502bbcaf8d279345438f948086c30e866746b1642300a4cd787d55051fe
SHA512 0be95e8612d38363fc126619e13800cc0d111c8bf57fbf7a859852185b4b1e66a5b9013171087e221d599df95979dea5f2609952207fded761e54766be6989c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c10598ce5cf90f8a2d1c3e087960f27e
SHA1 4f12b663cc1e5b8db6332b58580c14b0d7e5e539
SHA256 05eb01a50b60f71d031338784338564c28a1185f80605b374c9b7eaa925be229
SHA512 2a406ce8d862530855c56c5127c6578eb94c21fc7f61521dd02eb2986102bf9c70f32801e77eae4e2ccbe80f7e988bf746cd7584e75c40fc43bfb0a246190dfe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c3828a8fa670760c14754a66462ee180
SHA1 1b32ceaa383be9d64552a8737d0ddd504928c619
SHA256 9502a9b8480290b61b15265d09712c0f04498f8f83f285384f85ca2ce4546218
SHA512 60201765e79a747575206d77718e5508d232f1396a720bfaa80d1af6b1d9291c891b48ea1119b72628d518eaef966ff04600d9c84ed943e7c35594d0c3133316

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2a1cba04edcefe06ae07784afd0c5fff
SHA1 229a9ad7ed925ebf971e2b901128fd2897a7b57f
SHA256 fc33bbbb81bec842f236aabcc882e975ae8903d20a11775ad6f652372f981fbb
SHA512 234db7c88895fc5e29afec0046cda8e355a09d27462db155745bbcb16381edb83727dd6ea0fb95b051a61dda87decbc60fdbde26a6e0ed28c202a71c4d512bd4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2a348ac81325f03be26880669b2dd3fb
SHA1 8e5193586de7225ba297e9d8b5c177b9c5fa6607
SHA256 7ddcd7ad50c24e76a3ebef99676a969399040a777b5276eeed313e7014090034
SHA512 4df9377ca2cc7b9fac37e9bbee885f6156d74547cb33dcbafe7f8c5012eac3da1ff4b4fce7e693dc6736fc2b7ddb3da081655fe8569a2f4e1ab3e77ca55e85a8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2e4cc1991bade6cbfa8d1fd092a45db8
SHA1 4c591eaabcf19e52d2b49e71b8b58a49faa0a52b
SHA256 3f6535e33742142249ebb4f4b3c11d0a3d73c95f26b23c19a4295b459d30ecb0
SHA512 ae820bb35f129e67c8084f981a563d18d7db8ff2634a8d1a392bd8958dee503f223be7e700615afad2e263ad6c8e0711699bef81d52710f04347e5c317a947b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 022b8b7b298cb5024d38a0bf86765ae8
SHA1 7a9f1e44afb7421bf0673cff5822492c9ca71e6a
SHA256 e461c80cca46ebe895725d3fbf0c68f5a1e3dcba057cee37cb280e0e7ca0e4a7
SHA512 65626e192206f301a9e9dfbfc49e5da9964c6e1ec9210c41c1141703df2ce59b1e2cba3c7a0bb14ab043e4b9b5d0c2a77765d8b88ae9c93a20188f926e822ea7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 685f10d6f20d0e62388f79db47b7465f
SHA1 44cb808ef571402f9a8f8611d52d3e32d66cccfc
SHA256 75b3b5c5bd84d4e9d65599a7ac29481dc7a84c8e919e181de1bed4aeeaa3d3a8
SHA512 5b0c78a6360eda1e7cefdc666fc09ca4132f65fe408daabb06123f4afcebd19a49f1173d620f0394d8e9b05c259a5cca0f0a2e50b9f6909cba4baaaa248ad90c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59458b.TMP

MD5 5555cbae3ecd988da1464a447c18fb17
SHA1 4dc204aad0c01fdcdb8d3bd0f385207e21a0e0ef
SHA256 f86426b54200ae6b18b5a5bc879b2b32a3fec423d01e3ed5cd8b8041896f9df1
SHA512 5112e25aa294f0b1ce13171ed0bf80bd62b21370be488a9df7140504b4fe64c9f2b35f6ae6d2974a9971ac54bf295b3427ade4e9e62c6269bab2e688a7ef2515

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 f3f0a1d62dfcdb5bc45fe3c667f8999f
SHA1 9b5ecd665e5454f8c1191a637d7c411f7a6ac70e
SHA256 e0109a1865c39af722a06f5ea2e92aa5940088f367bb4c1ff4ba540cbab8e500
SHA512 36edab271b525d8e52df7dbe0c89a784b444bffcf98dcc9f4e4f256cd4274dd9b1d6019aaed4d2d803429743e4c5d1474145d6230f723b1e464e71a6e9f1e872

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5967c8.TMP

MD5 27a9c0d8f86ce389bd96034ade7477b7
SHA1 eb00d61ea857527c158cd4db31773e9383f05a9c
SHA256 4f13a80cc3d8d8199aa768228f1c2d7e2ee4200277df7194cb7262b5fed47f68
SHA512 faff367cb5ee3a053f4532c38e73418a7ba8039a54b531b4895c67af02f90295045742e269c76d41bd9f43ab7c31d0cc33efe9722bad1bfa9df7fb261f0b2df5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 19d4bb759068face19e059aead0bfdf5
SHA1 491d8e4bfea0dacca3fa27968ebb1909002deacf
SHA256 04c4d860d6daa37fc18812ce747065bc579bb00414ff86686b24bfe21e442684
SHA512 b424c523c57d7a83f14f70d5da2e43fbcc4ee76636ab136763939bef801e798ac076710180a8b51f10d017e1a5736cd284a2aa36ffb761bd18aea4029818a8dc