Malware Analysis Report

2025-04-13 12:23

Sample ID: 250320-akf6ksxxhs
Target: build22.exe
SHA256: 3c62a4a3091cd0f0a91da1e92bf88c96e0da5f81dd0b434ffb5fb55948928158
Tags: stealerium stealer collection credential_access discovery persistence privilege_escalation spyware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3c62a4a3091cd0f0a91da1e92bf88c96e0da5f81dd0b434ffb5fb55948928158

Threat Level: Known bad

The file build22.exe was found to be: Known bad.

Malicious Activity Summary

stealerium stealer collection credential_access discovery persistence privilege_escalation spyware

Stealerium

Stealerium family

Uses browser remote debugging

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-20 00:16

Signatures

Stealerium family

stealerium

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-20 00:16

Reported

2025-03-20 00:16

Platform

win7-20250207-en

Max time kernel

16s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\build22.exe"

Signatures

Stealerium

stealer stealerium

Stealerium family

stealerium

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Kills process with taskkill

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\build22.exe

"C:\Users\Admin\AppData\Local\Temp\build22.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f7923a57-ac19-4520-8f21-9cee4e2db2b6.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1952

C:\Windows\system32\timeout.exe

timeout /T 2 /NOBREAK

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/1952-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

memory/1952-1-0x0000000000D30000-0x000000000143E000-memory.dmp

memory/1952-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f7923a57-ac19-4520-8f21-9cee4e2db2b6.bat

MD5: a9cb5eb64e6b3f8196529d3ca03d17e6
SHA1: 61e884c71b035dad241931f87cb2c8b52d05d0a7
SHA256: 50435555b1ee4641d2e2fc8e2619458e29a27db338a4054ca6c953b5e3c053b4
SHA512: 1053a71583646411d19c40890a8c9191cf5840ce0ca8503525ffdf404cf3900450f2521c90a8feb09d0039a247fa3906a8a724f7f897588a56b4050d920b9b92

memory/1952-5-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-20 00:16

Reported

2025-03-20 00:16

Platform

win10v2004-20250314-en

Max time kernel

30s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\build22.exe"

Signatures

Stealerium

stealer stealerium

Stealerium family

stealerium

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

Delays execution with timeout.exe

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Kills process with taskkill

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869033869342564" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1044 wrote to memory of 3320 | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1044 wrote to memory of 3320 | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 2056 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 2056 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1044 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1044 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2492 wrote to memory of 920 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 2492 wrote to memory of 920 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 2492 wrote to memory of 1320 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2492 wrote to memory of 1320 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2492 wrote to memory of 64 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2492 wrote to memory of 64 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 3320 wrote to memory of 2636 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 2636 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 4720 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3320 wrote to memory of 5084 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\build22.exe

"C:\Users\Admin\AppData\Local\Temp\build22.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbea40dcf8,0x7ffbea40dd04,0x7ffbea40dd10

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2920,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=2916 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2888,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=2880 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2996,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=2956 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=3064 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4168,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=4164 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4504,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=4440 /prefetch:1

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5160,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=5156 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5360,i,7961182525095065872,3147551916505948965,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=5356 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffbe8a1f208,0x7ffbe8a1f214,0x7ffbe8a1f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=2164,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2220,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2392,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3488,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4500,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=4496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4516,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=4544 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3620,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5132,i,14145811008808466150,17791530453398588568,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=5124 /prefetch:8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a37dee5d-8b26-49ac-a893-2cee5c3943e0.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1044

C:\Windows\system32\timeout.exe

timeout /T 2 /NOBREAK

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 142.250.187.202:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.14:443 play.google.com udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.46:443 clients2.google.com udp
GB 172.217.169.14:443 play.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 ntp.msn.com udp
US 8.8.8.8:53 ntp.msn.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
GB 142.250.200.46:443 clients2.google.com tcp
US 204.79.197.203:443 ntp.msn.com tcp
US 13.107.21.239:443 edge.microsoft.com tcp
US 204.79.197.239:80 edge.microsoft.com tcp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
GB 95.100.153.183:443 copilot.microsoft.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 95.100.153.183:443 copilot.microsoft.com tcp
GB 95.100.153.183:443 copilot.microsoft.com tcp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
US 204.79.197.203:443 ntp.msn.com tcp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
GB 2.19.117.68:443 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 104.16.184.241:80 icanhazip.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.16.184.241:80 icanhazip.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 udp
N/A 52.149.20.212:443 tcp

Files

memory/1044-1-0x00000204F9A10000-0x00000204FA11E000-memory.dmp

memory/1044-0-0x00007FFBEE1D3000-0x00007FFBEE1D5000-memory.dmp

memory/1044-2-0x00007FFBEE1D0000-0x00007FFBEEC91000-memory.dmp

memory/1044-20-0x00000204FCA70000-0x00000204FCB22000-memory.dmp

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\System\Process.txt

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

\??\pipe\crashpad_3320_TBCPPKCGVXXEDWFO

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\System\Process.txt

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\39608079-1bf7-4d32-bdf9-b3e1550e420a.tmp

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\System\Process.txt

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\System\Process.txt

memory/1044-157-0x00007FFBEE1D3000-0x00007FFBEE1D5000-memory.dmp

memory/1044-158-0x00007FFBEE1D0000-0x00007FFBEEC91000-memory.dmp

memory/1044-162-0x00000204FDD90000-0x00000204FDDB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\564f2dcc-19ba-47c1-ab9b-337426fce503.tmp

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\Browsers\Microsoft Edge\Cookies.txt

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\System\Apps.txt

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\System\Apps.txt

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\System\Apps.txt

memory/1044-355-0x00000204FDDC0000-0x00000204FDE04000-memory.dmp

memory/1044-356-0x00000204FDD60000-0x00000204FDD7A000-memory.dmp

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\Admin@QJHNVQMW_en-US\Browsers\Firefox\Bookmarks.txt

C:\Users\Admin\AppData\Local\d7d8d559d9b2175ca18bf0386b032e93\msgid.dat

C:\Users\Admin\AppData\Local\Temp\a37dee5d-8b26-49ac-a893-2cee5c3943e0.bat

memory/1044-469-0x00007FFBEE1D0000-0x00007FFBEEC91000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-20 00:16

Reported

2025-03-20 00:16

Platform

win10ltsc2021-20250314-en

Max time kernel

30s

Max time network

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\build22.exe"

Signatures

Stealerium

stealer stealerium

Stealerium family

stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\build22.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build22.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build22.exe N/A

Delays execution with timeout.exe

defense_evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

defense_evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869033880399258" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build22.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\build22.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4392 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\build22.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 564 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 564 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4392 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\build22.exe C:\Windows\SYSTEM32\cmd.exe
PID 4392 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\build22.exe C:\Windows\SYSTEM32\cmd.exe
PID 896 wrote to memory of 3876 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 896 wrote to memory of 3876 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 896 wrote to memory of 3984 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 896 wrote to memory of 3984 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 896 wrote to memory of 3004 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 896 wrote to memory of 3004 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 1696 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 1696 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build22.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build22.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\build22.exe

"C:\Users\Admin\AppData\Local\Temp\build22.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff8771edcf8,0x7ff8771edd04,0x7ff8771edd10

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1992,i,17388871595481926658,12806487847890770228,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=1984 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2144,i,17388871595481926658,12806487847890770228,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2440,i,17388871595481926658,12806487847890770228,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=2436 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,17388871595481926658,12806487847890770228,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=3136 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,17388871595481926658,12806487847890770228,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,17388871595481926658,12806487847890770228,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=4376 /prefetch:1

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5108,i,17388871595481926658,12806487847890770228,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=5096 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x260,0x264,0x268,0x25c,0x308,0x7ff87695f208,0x7ff87695f214,0x7ff87695f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2520,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2512 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=2460,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2452 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2532,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4072,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=4068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4088,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=4076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5072,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3604 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5256,i,12465868640205611982,15585589392323366243,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=5252 /prefetch:8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\67e8af48-495a-45bb-b6af-fadbbab14eb3.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4392

C:\Windows\system32\timeout.exe

timeout /T 2 /NOBREAK

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
GB | 142.250.179.228:443 | www.google.com | tcp
GB | 142.250.179.228:443 | www.google.com | tcp
US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp
GB | 142.250.179.234:443 | ogads-pa.googleapis.com | udp
GB | 142.250.179.234:443 | ogads-pa.googleapis.com | tcp
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.16.185.241:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | play.google.com | udp
GB | 172.217.169.14:443 | play.google.com | udp
GB | 172.217.169.14:443 | play.google.com | udp
N/A | 224.0.0.251:5353 |  | udp
US | 8.8.8.8:53 | edge.microsoft.com | udp
US | 8.8.8.8:53 | edge.microsoft.com | udp
US | 8.8.8.8:53 | ntp.msn.com | udp
US | 8.8.8.8:53 | ntp.msn.com | udp
US | 8.8.8.8:53 | clients2.google.com | udp
US | 8.8.8.8:53 | clients2.google.com | udp
US | 8.8.8.8:53 | edge.microsoft.com | udp
US | 8.8.8.8:53 | edge.microsoft.com | udp
GB | 142.250.200.46:443 | clients2.google.com | tcp
US | 204.79.197.239:443 | edge.microsoft.com | tcp
US | 204.79.197.203:443 | ntp.msn.com | tcp
US | 150.171.27.11:80 | edge.microsoft.com | tcp
US | 8.8.8.8:53 | copilot.microsoft.com | udp
US | 8.8.8.8:53 | copilot.microsoft.com | udp
US | 204.79.197.239:443 | edge.microsoft.com | tcp
GB | 95.100.153.132:443 | copilot.microsoft.com | tcp
US | 8.8.8.8:53 | clients2.googleusercontent.com | udp
US | 8.8.8.8:53 | clients2.googleusercontent.com | udp
US | 204.79.197.239:443 | edge.microsoft.com | tcp
US | 204.79.197.239:443 | edge.microsoft.com | tcp
GB | 95.100.153.132:443 | copilot.microsoft.com | tcp
US | 204.79.197.203:443 | ntp.msn.com | tcp
US | 8.8.8.8:53 | img-s-msn-com.akamaized.net | udp
US | 8.8.8.8:53 | img-s-msn-com.akamaized.net | udp
US | 8.8.8.8:53 | sb.scorecardresearch.com | udp
US | 8.8.8.8:53 | sb.scorecardresearch.com | udp
US | 8.8.8.8:53 | th.bing.com | udp
US | 8.8.8.8:53 | th.bing.com | udp
US | 8.8.8.8:53 | assets.msn.com | udp
US | 8.8.8.8:53 | assets.msn.com | udp
US | 8.8.8.8:53 | c.msn.com | udp
US | 8.8.8.8:53 | c.msn.com | udp
US | 8.8.8.8:53 | c.bing.com | udp
US | 8.8.8.8:53 | c.bing.com | udp
GB | 2.19.117.77:443 | assets.msn.com | tcp
GB | 2.19.117.77:443 | assets.msn.com | tcp
IE | 13.74.129.1:443 | c.msn.com | tcp
GB | 95.100.153.131:443 | www.bing.com | tcp
GB | 2.19.117.77:443 | assets.msn.com | tcp
US | 150.171.28.10:443 | c.bing.com | tcp
GB | 95.100.153.157:443 | www.bing.com | tcp
DE | 52.85.65.70:443 | sb.scorecardresearch.com | tcp
GB | 2.19.117.168:443 | img-s-msn-com.akamaized.net | tcp
GB | 2.19.117.77:443 | assets.msn.com | udp
US | 8.8.8.8:53 | clients2.googleusercontent.com | udp
US | 8.8.8.8:53 | clients2.googleusercontent.com | udp
GB | 142.250.187.225:443 | clients2.googleusercontent.com | tcp
US | 8.8.8.8:53 | browser.events.data.msn.com | udp
US | 8.8.8.8:53 | browser.events.data.msn.com | udp
JP | 13.78.111.198:443 | browser.events.data.msn.com | tcp
GB | 2.19.117.77:443 | assets.msn.com | udp
GB | 2.19.117.168:443 | img-s-msn-com.akamaized.net | tcp
GB | 2.19.117.168:443 | img-s-msn-com.akamaized.net | tcp
US | 8.8.8.8:53 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | udp
US | 8.8.8.8:53 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | udp
GB | 2.19.117.168:443 | img-s-msn-com.akamaized.net | tcp
GB | 2.19.117.168:443 | img-s-msn-com.akamaized.net | tcp
GB | 2.19.117.168:443 | img-s-msn-com.akamaized.net | tcp
GB | 2.19.117.73:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | tcp
JP | 13.78.111.198:443 | browser.events.data.msn.com | tcp
N/A | 127.0.0.1:9222 |  | tcp
N/A | 127.0.0.1:9222 |  | tcp
N/A | 127.0.0.1:9222 |  | tcp
N/A | 127.0.0.1:9222 |  | tcp
US | 104.16.185.241:80 | icanhazip.com | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 104.16.185.241:80 | icanhazip.com | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 |  | udp
N/A | 172.202.163.200:443 |  | tcp

Files

memory/4392-0-0x00007FF87C0C3000-0x00007FF87C0C5000-memory.dmp

memory/4392-1-0x000001B5273D0000-0x000001B527ADE000-memory.dmp

memory/4392-2-0x00007FF87C0C0000-0x00007FF87CB82000-memory.dmp

memory/4392-3-0x000001B542430000-0x000001B5424E2000-memory.dmp

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Process.txt

MD5 d5ef92b0ddf0ef311c45f7e90f77560a
SHA1 796eedd4871c62477de907d7cb6835fb51cde722
SHA256 4a4a666a553efbebe7ac2c82dc1d847baca15a0dbd1635b68ea0cb78cf9f44f7
SHA512 60b060ae780d6dea3c760322f2327cd1384a42d6b37791fe0522c21d1898a9a64b6d6b67b009764c40eedaaf0adb4d78f23d244fe13cd1391e2a4e6fa147e83f

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Process.txt

MD5 d22b8c735b7a771000a3dcc8ff03561b
SHA1 d99eb8b03a9ff9a674a530447e91ee3af97811e7
SHA256 eecb838a62aebf597b7ccd8c0dd8660bf016114d0f267e6da49968d955774d7b
SHA512 0b11b5cec2bcab98a8f73024e931d63da82a85fa0b3ae34a0bcb95dd417230b73dfb0fb267ea95fd97b41a6db26c6cec0b7bda33bbd5f2010d58066d96bf98c3

\??\pipe\crashpad_2644_NNJZAXAKANBQIBBA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 dd54d39df5db4f91911498a905a4eb36
SHA1 015c5702767bca6876042c34a09f294bf9e9ae5c
SHA256 05f7815ca0c9176c117af1d29ba5e25b17d1fc787efb3ddeeed8931611df53c8
SHA512 ef41d7f18e955b40434c59acbb3022c3a864d903564e66c3debe8ca116d70809c19140a6d59956ccb2413b3d5505aeadfdeb6828c7292526fdf985ef28fe58df

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Process.txt

MD5 13f511d662ced77a25ba804866afc15b
SHA1 5036e9d0c6eda56cd89ec205c659a2a7e04242d2
SHA256 3c8bb5bab50dbefde7234cb5150898f6ff29cc0a3024e8b3eb3c73fd923bb8b8
SHA512 be88ed3b3245b6dcfbab5aaf7e13c74a94a55745a91377cf2972ba7af9e961c8c02caa80809ac226b8e539d0786d0e88ed096b9e622ce4888473b2bad9595b96

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Process.txt

MD5 bf12552d215aba8cc8a041bd67bd1c0b
SHA1 9cf6c798f9316e2c454b69031eedb9839243b8da
SHA256 3ac67ff7bf60c1cb0e4e3e4bb51bdd231d7af9ef04a21622662f28e470d462ce
SHA512 a8e86d64b461ac443b92d6c9313172f62c40a54ffe896a0687cde1c496eaa6312c1be53606c381e661dda41747a13aab06f4aa42ecc92a3e5daf48cbe69d8837

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Process.txt

MD5 bf4444b53a5114e67f46b2bbd7b62eb6
SHA1 0f805cc80c674568c4e31ea3d115e69eb65f5254
SHA256 d90547e9e43a1d3b6e454e0b225971b034b81804387632749b7a6dc4343c8d98
SHA512 ef5849a927a1fb8a4bc0f3ac443d12322ede9dfe245eb772d3cfa8cd430fe24c5769898dd0a4c43a9967e215d2e11e63c5a9464ebf0a9578931c0f7791b51cce

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Process.txt

MD5 3a862a349799bdd80c7bc623e9d2eabf
SHA1 100ecfbb89474d0ce1ef1df09fb915a83c36561c
SHA256 c8e0cbfdfa8393656900428bed104b45e71d5c446bb80a2a3e0da11a1c5e8449
SHA512 2c86ffc472bb1ae93a7aa67934a0825d9241169797809cb7abf12ba9a58d72c7ab60c03d99ec85ee3b3c00ca9686b507ebf2cd7f688bbc4da1dfc599915b235b

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Process.txt

MD5 5c305a5b5ebf819c3a267c0a8aadb848
SHA1 7a39fbda595cbfaee929095e9e9c5aa4da92a4de
SHA256 a60f124980e8409e7a8eeddd5e3e09cf384f1e9e468036e2742b850b53713352
SHA512 b35d8ad7926bfe76f2f46ba5a2019b8f1fcb896eb96bcf96bcb02e599ae9f3901d4598192372e721e3b938dd81d6aa73ec6fdfbd558a08cf178d7e14a95ccec6

memory/4392-128-0x00007FF87C0C3000-0x00007FF87C0C5000-memory.dmp

memory/4392-131-0x00007FF87C0C0000-0x00007FF87CB82000-memory.dmp

memory/4392-134-0x000001B542AC0000-0x000001B542AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 632acbd01044af3d96e0f44fb0f15691
SHA1 5ebb0fb12ab66a70cba8a11e2115a296126ff4e3
SHA256 40305632b5754f1dbe0b05dbc249cee00a2774abd2160d7c7a1612e5967039c9
SHA512 0876c300d769ee764886a2b1b542c7421129b1c796a18d220ff9cd7681ab0001f98b1420a685c9cae49a34f5b58586c6313ed27776b703763e978864f4b8eae5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2281700256fd7d2cd8b5a3b83f574035
SHA1 e84e6da2b538eee930142abafc3a70657ff82cb9
SHA256 fecef52b42f657323dcb0ca552024ab7cd5f203f89676c7c87a7da97d1144c21
SHA512 d42dc62e24af15b1a3b84eb5098440bb7f64a2a1eadfadf508b111eb275a6f3a001de3d0d9670ab9618c5233b828988ae6db7ab7c5d5ed5c4c35ab93a8f95744

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0db262d50edad023a84f8827bea797c4
SHA1 d1b5a154860ba963f88fa0864a4244ff4a29b7ef
SHA256 adac4813a8008c551cb493f495572cc87f7a8dd4169399042827a48ce418c800
SHA512 63e4a08cc2af4058d9d52d1563d5afced93fac6d96b6d3e7cc33c4bd61b5004a5bf530f2114308871f96f66b6034ae989d1f8e3eb90e53c15dbce9088dcd434e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5df6a0445942b5f7817d6658ccb534a6
SHA1 44ce1e163d04d8513faed7f85384783167add22e
SHA256 51e05249c6a2f4b0dfbdf04fc331b18deca176024c134e901e9319e1b54c6bba
SHA512 ec867d77c784e30e6cc163b3178d79af0383d2d50cd6f396fa52133a8227aa517d8e64d16b1083d58dd5810b8e47bd5b6356bd21a1b653b853c5624b5f18519b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 164a788f50529fc93a6077e50675c617
SHA1 c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256 b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512 ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\4ad0fc24-14c3-4a53-bdc8-24ae321a49ae\index-dir\the-real-index

MD5 ea65991c5ddeac9e7aeea8982fec4508
SHA1 d4453e21e9e6f1f3f6384e54bc186d955a18fede
SHA256 d0a9fd43999bc3c972dceb78a7daafd43d9e7c4c22028a05088e3d8f5e08eccc
SHA512 e36567166daed028eaf49f8874afc2aa82aeee7d8d82c5e73603998f1ecc8b600519b2a32c3087f9c8705a7dec5300342f93a13123a58acb14ff3adf2e9ada87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\4ad0fc24-14c3-4a53-bdc8-24ae321a49ae\index-dir\the-real-index~RFe57b5c3.TMP

MD5 647e4b1c571ab0736ad8345575730d67
SHA1 6037b70159ceb9de49cd5ba11454bccf678342aa
SHA256 813c1eec147b3c3a64fb6f8e8d8cf4b9c6678fefb729ef6dc490fd5ccd479a25
SHA512 1f9d0e1b153a593d2ed94de27a453e6947e52d49904dcf003901d5cb92ba3827429964a527bfbebf43aee21727ef82a0a195560c4e8ae998bd81320dee7e5274

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\Browsers\Microsoft Edge\Cookies.txt

MD5 02d949e63660e175153314e26124db9f
SHA1 4cc221212641b3dd0b51c9badd1bc05bb6124b7f
SHA256 4509fec21e46c6a9d88281d27c3422771b7ca6b94d54dbb6f0bc5d00085f76c5
SHA512 e96c9e089c7b8609fe79bea3daddfa14928cc88dc688e346333940b3afa884ee3dcc6ef18d9feb6067858186beae72aa237233aa46b2af101bab04bcb126e161

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Apps.txt

MD5 5910dd35339b766631033522caea88b5
SHA1 c87534522075568495ec691f823922d2a540e194
SHA256 d456ef7a1b3fc616b649e6352d46cf60ccf78049130c63ebac52c78472d5bcff
SHA512 dbf890cb1561df34c12171f3d21f9b6430c2a5666085c932f59b36b802f1d50e4072e3feeb082c0aa9a4c1b5f2a08e1237e21e5ef9f6f9def6e08825ffd90bb5

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\System\Apps.txt

MD5 e4ded193433bfaed46da466eefcc2c35
SHA1 56151b0cb50efcac84e88cb623af4fc10f82087d
SHA256 b5190a32744b506ceec36dcdade88886a20d999ff72c93f960665cb90defe05c
SHA512 2948192405d25b8b18258d8f30183d082ae5bd53cc2c17743b6cd48b499f98e0820df59ac99c03dfe719202f95d39e761b3881e79dcb1b07504971e0c6a9bcfb

memory/4392-344-0x000001B542AF0000-0x000001B542B34000-memory.dmp

memory/4392-345-0x000001B542660000-0x000001B54267A000-memory.dmp

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\Admin@FAJJWSRF_en-US\Browsers\Firefox\Bookmarks.txt

MD5 70e1643c50773124c0e1dbf69c8be193
SHA1 0e2e6fd8d0b49dddf9ea59013a425d586cb4730c
SHA256 4fe3f09cb4d635df136ea45a11c05f74200fc6e855a75f9a27c0a0d32a2f632a
SHA512 664e5d9263c0137f841daeb3dff00010ffeb7291ed08ccf6d0483200cd6d6bd3c9d31ea7e67a9de6aac591397060d8f01e8469bbad67d8e2f1c3900ef24c3679

C:\Users\Admin\AppData\Local\7d14b13b146bd92967f257c2552f5c25\msgid.dat

MD5 882735cbdfd9f810814d17892ae50023
SHA1 bb3e29ac93b725f6eefbfcf1bf0bee67783cd519
SHA256 0670783b46c5906cf84d0501e8a44dc5a1e446dad06a4b2f443d54242cb78054
SHA512 adb55476e0a049af61e2382c6dfcc512af68439dc4a7e92ccc4b54d36d3f1682b391e27f426c3749fd1add9fd92ee383545a6f6431ce19dbac14ff9f9dd023b6

C:\Users\Admin\AppData\Local\Temp\67e8af48-495a-45bb-b6af-fadbbab14eb3.bat

MD5 d620b0fbd6ab4049dee1c2fb3abc1cf4
SHA1 45104aafce5017f86ebaaf5f44bbc5190ca3d99b
SHA256 e90425bdccea58891bbfd4aa3450d34c7569174e0b7756ac922d68db23a62d1c
SHA512 9e3bc2ae7f85f10959f216f6d8d6ec3fc81e73841c0f30609123a8d7cd59164055097ca496c16fff76c98a9b5a34a305e6f45b058fcfe50921b298729578cd28

memory/4392-407-0x00007FF87C0C0000-0x00007FF87CB82000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-03-20 00:16

Reported

2025-03-20 00:16

Platform

win11-20250314-en

Max time kernel

23s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\build22.exe"

Signatures

Stealerium

stealer stealerium

Stealerium family

stealerium

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

Delays execution with timeout.exe

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Kills process with taskkill

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869033865434217" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build22.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6092 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\build22.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 6092 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\build22.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 3120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 3120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 6092 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\build22.exe C:\Windows\SYSTEM32\cmd.exe
PID 6092 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\build22.exe C:\Windows\SYSTEM32\cmd.exe
PID 976 wrote to memory of 4684 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 976 wrote to memory of 4684 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 1984 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 3748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 3748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2724 wrote to memory of 2880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build22.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build22.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\build22.exe

"C:\Users\Admin\AppData\Local\Temp\build22.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffdac81dcf8,0x7ffdac81dd04,0x7ffdac81dd10

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1924,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=1916 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2104,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=2100 /prefetch:11

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2416,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=2412 /prefetch:13

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=3144 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=3168 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4132,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=4128 /prefetch:9

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4584,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=4580 /prefetch:1

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5148,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=5144 /prefetch:14

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5184,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=5196 /prefetch:14

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffd9a94f208,0x7ffd9a94f214,0x7ffd9a94f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2076,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2072 /prefetch:11

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=1980,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=1972 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2380,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2372 /prefetch:13

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3416,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3428,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3420 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6c029a8c-afab-4859-9cd7-885684d2b928.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

taskkill /F /PID 6092

C:\Windows\system32\timeout.exe

timeout /T 2 /NOBREAK

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com udp
GB 172.217.169.14:443 play.google.com udp
GB 172.217.169.14:443 play.google.com tcp
GB 172.217.169.14:443 play.google.com udp
US 104.16.185.241:80 icanhazip.com tcp
GB 142.250.200.46:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 ntp.msn.com udp
US 8.8.8.8:53 ntp.msn.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:80 edge.microsoft.com tcp
US 204.79.197.203:443 ntp.msn.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
GB 95.100.153.132:443 copilot.microsoft.com tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 204.79.197.203:443 ntp.msn.com tcp
US 204.79.197.203:443 ntp.msn.com tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 img-s-msn-com.akamaized.net udp
US 8.8.8.8:53 img-s-msn-com.akamaized.net udp
US 8.8.8.8:53 sb.scorecardresearch.com udp
US 8.8.8.8:53 sb.scorecardresearch.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 assets.msn.com udp
US 8.8.8.8:53 assets.msn.com udp
US 8.8.8.8:53 c.msn.com udp
US 8.8.8.8:53 c.msn.com udp
GB 2.19.117.87:443 assets.msn.com tcp
GB 2.19.117.87:443 assets.msn.com tcp
US 8.8.8.8:53 c.bing.com udp
US 8.8.8.8:53 c.bing.com udp
US 150.171.27.10:443 c.bing.com tcp
GB 2.19.117.87:443 assets.msn.com tcp
IE 13.74.129.1:443 c.msn.com tcp
GB 95.100.153.157:443 www.bing.com tcp
GB 95.100.153.143:443 www.bing.com tcp
DE 52.85.65.76:443 sb.scorecardresearch.com tcp
GB 2.19.117.168:443 img-s-msn-com.akamaized.net tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 2.19.117.87:443 assets.msn.com udp
US 8.8.8.8:53 browser.events.data.msn.com udp
US 8.8.8.8:53 browser.events.data.msn.com udp
JP 13.78.111.198:443 browser.events.data.msn.com tcp
GB 2.19.117.87:443 assets.msn.com udp
GB 2.19.117.168:443 img-s-msn-com.akamaized.net udp
JP 13.78.111.198:443 browser.events.data.msn.com tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 104.16.185.241:80 icanhazip.com tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.16.185.241:80 icanhazip.com tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/6092-0-0x00007FFD9EFF3000-0x00007FFD9EFF5000-memory.dmp

memory/6092-1-0x000001E2E0C30000-0x000001E2E133E000-memory.dmp

memory/6092-2-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

memory/6092-13-0x000001E2FBD10000-0x000001E2FBDC2000-memory.dmp

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

MD5 869770d91bd5fc00d7565cf6674d9f75
SHA1 3408435206996e4c308bd57d0194756dffd88a05
SHA256 d5cbeb801901c5137d2cc526c5daee870d41379514c462ca48201f1895937096
SHA512 c9d15f4cfea23483e9424de84faf57c5f606ddc10af0c2b773fbd71dac1ca44433ed41073395fb4b879337bb59d6c0c01355f91b854148c918f3eaa8818f08c9

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

MD5 44ae97b373f918e74a27a85fcd5ccde5
SHA1 bf436bc93c47775e56e1afac2311855a5a4869c8
SHA256 a570e2e40b94968bea06d36a0a8aadb3b6fc0bf548dde168afb69f1f21db60ef
SHA512 7092739e37df14d841aac74f24d8b6cd6d4c015934699033246dfb4a6403875a239a3244429d9793616e935b1b1ff447260cc52dfd733f1b9374b2bbc88143a9

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

MD5 764780dc41c32cfcffcda638b8e7e686
SHA1 65acd11ad72de4872e98e202dbbb5b4c8e33edea
SHA256 325ec926c909a4b96871138445038ff1566ba155d07b3ea927fbeefa175ddfaa
SHA512 27b681bdd530a21c2213dcbabcc9c7d2cb592e289fc716dbd9d49731726864c4d5990e106187a3e9647ad929649ac3a81e0efe24791e9179054abdd4e89b627b

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

MD5 ea7c69f70a77463dd5d23a08796b2da7
SHA1 8e846181fd9e4a1e9b9de257b85067b1956b858c
SHA256 dde7e77cdd65e5f8b7dc26560c42e292115997db37010b99bc3989c846b6ba18
SHA512 185fa47bc2fa56f3c4656c180b3a347c2e3b5d594f987dacb376acbd215e92441c0eae432f9aabe403a673418cee52014e587ec58f64bbfb5d56d2ca371c993b

\??\pipe\crashpad_2724_YVZCZMKCGBCXXQBL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 26488f56cc3c2fdf4f768747ff34307b
SHA1 9cec388380cf401f6fc8fc158f9db78eb5165f5b
SHA256 7a43971d46bc7fd7adf08aecbec58b6a8ad5982543cec8b54d1b2de16d2c3d77
SHA512 29638392083e742aa1b31a733b81ef7dec189bae5837f5558f6536d5e395aa7cd2359b0003e954a19716288bf38c70ff5ccf103641450afe850e853efa940ed2

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

MD5 3b06a67eb3991ea413f58a1edac5fcee
SHA1 4e5b11ecea85d62a84b272900910bfccd3c2d4c7
SHA256 0c117df36290929c8e53ac942e179c8c891ced83b28464b0c0c051021d8be44c
SHA512 c6251336d672d9fe89a79704bbbb33035e0862a17c45b8bdb90a363f8a65e5bc53258e0b6f51d1cad119ebd49f81542c7394f0342d56012825ef63735699c77c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

MD5 ba6622fddef12a0498e821efd7525673
SHA1 503c13614fb2ced91493a82494bf04f381d9240e
SHA256 dd30e721c388391c9900ca49473a5be78440f4bcb3d29dbf9a7fb1cddbd182bd
SHA512 e6706e34dac2c2da526c3cd62c861702beadc7f6791a25e0300a9ddc60135d1e2a41ac68f1c76cb3a3d9689de6d22fcb9002dbdb4f8dd26c3180489976969095

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

MD5 8ce8172529d664ee2e01a70dbebcb506
SHA1 b1c97d09342b09c809ed36285408c4648e8fe3df
SHA256 129e3edd7baa1023ffa2601a7358259f4c3acb144e510aa4cdd16a0489189d9d
SHA512 241fac8a272000f6f1c5011f351b3f5d0c8cd2f6745573b243ee8a82790c75cd19af87bf9083c1f7a95df7dd7bcda19375173ef457b3a08e4df9acef2ba08ae4

memory/6092-141-0x00007FFD9EFF3000-0x00007FFD9EFF5000-memory.dmp

memory/6092-145-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

memory/6092-147-0x000001E2FBFA0000-0x000001E2FBFC2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 efa6d9d2cb2a3d7fe22e98ef4089dd52
SHA1 f9adc9a3300f76614ecda41b2a8f836ea32c2f85
SHA256 2c884998b6d6b4b5d668179a49d8e76264721eef8b42bb5bebf37ca69545b637
SHA512 85e0090474197cc26daecb23f1b46e14455d5e606fe28100513760f950dcfb6cbced76791f3848524ca18ecb4f355b071a42178f3f1c3532489b34dbcc38ab63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 509e630f2aea0919b6158790ecedff06
SHA1 ba9a6adff6f624a938f6ac99ece90fdeadcb47e7
SHA256 067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b
SHA512 1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index

MD5 968adb0f581ffb23ac0a5362f18b65af
SHA1 71a2362eeed4f36caa927d106c9b7be6970a8347
SHA256 842bc584359d52d3abf8c62ec899fc75c9ad47bccd10b00ba6febfed77b1beb6
SHA512 e22b97ff29e1bd2d411f2638e215e6e25d2e63fcf91af7055b8cb649177b4b3307df07b31789debfa6efb4196bba7be287bcad834d2b2c02fdd6fe45d2582fc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index~RFe57a613.TMP

MD5 0ed71fb678fe0c2565b82c6a1bbec1db
SHA1 640caa8b48406ef1cbb8726734362e893811a0fc
SHA256 7853098169b7db5d11fa96d9ea38c702e9ab3047f54c3f1ab019a3caf836cfbb
SHA512 c4ae185596fb387c302df734003755615a9c4e7eb9b97fa3d6c0f958b6d00d6e5d614a8d080dc5f56760f756f3e1409909d0ef686929db7bca75d32a4a707da5

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\Browsers\Microsoft Edge\Cookies.txt

MD5 9bb74ea0d69df4570a5c51e9f79e65d2
SHA1 099024d2efcb0022aaa28f458c72cdbf57d977ff
SHA256 44bbe041830572889af7e68cda92571ae32d8aa75068a68dd786b6a8cce951a1
SHA512 418fe9b54d71eaff9f6e864c4478f09ed46218d8df8320012db62786b3394d48ca1e6a059e698302deeb23145ca170f36c14ecb2103a2ab128bf5c8df6a5e85d

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Apps.txt

MD5 e4ded193433bfaed46da466eefcc2c35
SHA1 56151b0cb50efcac84e88cb623af4fc10f82087d
SHA256 b5190a32744b506ceec36dcdade88886a20d999ff72c93f960665cb90defe05c
SHA512 2948192405d25b8b18258d8f30183d082ae5bd53cc2c17743b6cd48b499f98e0820df59ac99c03dfe719202f95d39e761b3881e79dcb1b07504971e0c6a9bcfb

memory/6092-394-0x000001E2FBF20000-0x000001E2FBF64000-memory.dmp

memory/6092-395-0x000001E2FBFD0000-0x000001E2FBFEA000-memory.dmp

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\Browsers\Firefox\Bookmarks.txt

MD5 70e1643c50773124c0e1dbf69c8be193
SHA1 0e2e6fd8d0b49dddf9ea59013a425d586cb4730c
SHA256 4fe3f09cb4d635df136ea45a11c05f74200fc6e855a75f9a27c0a0d32a2f632a
SHA512 664e5d9263c0137f841daeb3dff00010ffeb7291ed08ccf6d0483200cd6d6bd3c9d31ea7e67a9de6aac591397060d8f01e8469bbad67d8e2f1c3900ef24c3679

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\msgid.dat

MD5 d880067f879409df09ac50ba315707aa
SHA1 51482b4f798f84addc996e559ea54571a72642b2
SHA256 670b08a8750893e8ba690b1b11f3138c9c6935977a68486854a0a518ce4156ce
SHA512 97798c8f33e4c6d560e28a26de5bcf61ea641df4c4925c265cfd2f0ca1141667e4c55b423a5d73d57ac58bbb1954359978075ba811cde71e0b4991e759964b5d

C:\Users\Admin\AppData\Local\Temp\6c029a8c-afab-4859-9cd7-885684d2b928.bat

MD5 c8bd8a0674f95bf717a50ef931f1a811
SHA1 06b5500ce7685f14d20a56f6b57c25865acae7da
SHA256 2ea7a0d9e8785b7955cf29d87b9d00e81204442c99fc091917d34cee8056ae2d
SHA512 f6e4a783bc2f8bc21ee7e055f4af4e1a93d23b254a5ff3e3e3d7154af66562ff313a93c08527945d6c25dee0c83fef6866dab571523a4b88572555f6920a40d8

memory/6092-484-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp