Malware Analysis Report

2024-10-18 23:35

Sample ID 240927-j1bepswbjd
Target 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
SHA256 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
Tags
amadey stealc 9c9aa5 fed3aa save discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47

Threat Level: Known bad

The file 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 9c9aa5 fed3aa save discovery evasion persistence stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-27 08:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-27 08:07

Reported

2024-09-27 08:10

Platform

win7-20240903-en

Max time kernel

67s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000026002\5dd4e155bd.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000026002\5dd4e155bd.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000026002\5dd4e155bd.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\1000026002\5dd4e155bd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9fedc44b36.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\9fedc44b36.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\5dd4e155bd.exe = "C:\\Users\\Admin\\1000026002\\5dd4e155bd.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9b67ca5fa3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\9b67ca5fa3.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | N/A
File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000026002\5dd4e155bd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2376 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2376 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2376 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2376 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe
PID 588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe
PID 588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe
PID 588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe
PID 588 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\1000026002\5dd4e155bd.exe
PID 588 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\1000026002\5dd4e155bd.exe
PID 588 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\1000026002\5dd4e155bd.exe
PID 588 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\1000026002\5dd4e155bd.exe
PID 588 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe
PID 588 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe
PID 588 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe
PID 588 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe
PID 2084 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2084 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2084 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2084 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1156 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1156 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1156 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1216 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1868 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1920 wrote to memory of 1868 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe

"C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe

"C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe"

C:\Users\Admin\1000026002\5dd4e155bd.exe

"C:\Users\Admin\1000026002\5dd4e155bd.exe"

C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe

"C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d19758,0x7fef6d19768,0x7fef6d19778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3252 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1400 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe

"C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:8

Network

Country Destination Domain Proto
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.37:80 185.215.113.37 tcp
RU 185.215.113.37:80 185.215.113.37 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.179.238:443 youtube.com tcp
GB 142.250.179.238:443 youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.187.238:443 consent.youtube.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 consent.youtube.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
GB 142.250.187.238:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons3.gvt2.com udp
GB 172.217.169.35:443 beacons3.gvt2.com tcp
GB 172.217.169.35:443 beacons3.gvt2.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com udp
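Reading this table by hand, the four plaintext HTTP connections to 185.215.113.0/24 are the only rows whose Domain column is a bare IP address and which have no DNS lookup before them; everything else is the Google/YouTube traffic that the kiosk-mode Chrome launch drags in. The script below is an added example, not part of the report or of the sandbox's tooling: it parses the rows above (copied in as constructed input) and separates direct-to-IP C2 candidates from DNS-resolved browser noise. The classification heuristics (bare IP in the Domain column = hard-coded address, name with a preceding DNS query = resolved, multicast/private = local chatter) are this example's own assumptions.

```python
"""Split a sandbox Network table into hard-coded C2 candidates and the
DNS-resolved browser traffic that a launched Chrome brings with it.

Added example; it is not part of the report or the sandbox's tooling. The
rows below are copied from the report's Network table; the heuristics are
this example's own (assumption: a bare IP in the Domain column means the
address is baked into the binary, not obtained from a resolver).
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed input: the Network rows of this report (Country Destination Domain Proto).
NETWORK_ROWS = """\
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.37:80 185.215.113.37 tcp
RU 185.215.113.37:80 185.215.113.37 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.179.238:443 youtube.com tcp
GB 142.250.179.238:443 youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.187.238:443 consent.youtube.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 consent.youtube.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
GB 142.250.187.238:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons3.gvt2.com udp
GB 172.217.169.35:443 beacons3.gvt2.com tcp
GB 172.217.169.35:443 beacons3.gvt2.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com udp
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str  # "" when the sandbox logged no name (the mDNS row)
    proto: str


def parse_rows(text):
    """One Conn per table row; the mDNS row has an empty Domain column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage(conns):
    """Classify every non-DNS connection and aggregate the C2 candidates."""
    # Names that were actually sent to the resolver (port 53 rows).
    dns_queried = {c.domain for c in conns if c.port == 53 and c.domain}
    c2, resolved, no_dns, local = [], [], [], []
    for c in conns:
        addr = ipaddress.ip_address(c.ip)
        if addr.is_multicast or addr.is_private:
            local.append(c)            # mDNS and other link-local chatter
        elif c.port == 53:
            continue                   # the lookups themselves
        elif is_ip_literal(c.domain):
            c2.append(c)               # no name resolved: address hard-coded in the sample
        elif c.domain in dns_queried:
            resolved.append(c)
        else:
            no_dns.append(c)           # name used without a lookup: cache, hosts file or bogus
    c2_unique = sorted({(ipaddress.ip_address(c.ip), c.port) for c in c2})
    nets = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip, _ in c2_unique)
    return {
        "c2_candidates": [f"{ip}:{port}" for ip, port in c2_unique],
        "c2_ports": sorted({port for _, port in c2_unique}),
        "c2_networks": dict(nets),
        "resolved": sorted({c.domain for c in resolved}),
        "resolved_without_dns": sorted({c.domain for c in no_dns}),
        "local": sorted({c.ip for c in local}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

The "resolved_without_dns" bucket is the one to watch on other reports: a name that is contacted with no lookup in the capture usually means the sandbox missed the query (cached resolver, hosts file) and the domain still needs a manual look. Here it is empty, so the only connections that cannot be explained by the Chrome launch are the four port-80 sessions into one /24.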

Files

memory/2376-1-0x0000000000670000-0x0000000000770000-memory.dmp

memory/2376-2-0x0000000000220000-0x000000000028A000-memory.dmp

memory/2376-3-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2376-5-0x0000000000400000-0x0000000000568000-memory.dmp

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 6005662a18ecbc23f89481cb5ae9be73
SHA1 bc4ec29220c54fe2cec779f738bae8f0fff91c8c
SHA256 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
SHA512 e204c4b2f56616b5cbc222bf9bd111e4dd455ec32ad1d1dae833414e1945133f772f84a41cb0b48339245f6cc97bf1949523f4853fd42b96d5f77d8da62fcd1a

memory/2376-18-0x0000000000220000-0x000000000028A000-memory.dmp

memory/2376-21-0x0000000000400000-0x0000000000568000-memory.dmp

memory/2376-20-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2376-19-0x0000000000670000-0x0000000000770000-memory.dmp

memory/588-23-0x0000000000400000-0x0000000000568000-memory.dmp

memory/588-24-0x0000000000400000-0x0000000000568000-memory.dmp

memory/588-25-0x0000000000400000-0x0000000000568000-memory.dmp

memory/588-27-0x0000000000400000-0x0000000000568000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe

MD5 2ff9d81435c7d755cb5a6b975ed50ce6
SHA1 a588fbde21ac7335c3b516db6ccaa783eb2a088c
SHA256 162e527a19799d2d3ace95ca315eba1ffa0fd4fd3eac247a26b41212033b2863
SHA512 46688a8fb90c3b3bcb926e6b37129ebd45297283150e61450b685f792d20f7d5d2d88ea2487f73dd76d6e20b513f43ba143ff9d321b47f4f4563287e02a9e235

memory/588-43-0x0000000003EB0000-0x0000000004559000-memory.dmp

memory/588-46-0x0000000000400000-0x0000000000568000-memory.dmp

memory/588-45-0x0000000003EB0000-0x0000000004559000-memory.dmp

memory/2632-47-0x00000000013D0000-0x0000000001A79000-memory.dmp

memory/2632-49-0x00000000013D0000-0x0000000001A79000-memory.dmp

memory/588-59-0x0000000000400000-0x0000000000568000-memory.dmp

memory/588-67-0x0000000003EB0000-0x0000000004559000-memory.dmp

memory/1688-68-0x0000000000ED0000-0x0000000001579000-memory.dmp

memory/1688-69-0x0000000000ED0000-0x0000000001579000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe

MD5 cda0b8ef0af532cf29045c06142ce1f8
SHA1 39b7bd4dadc3172152d727dd9633916ae1a8fd7d
SHA256 3129cc8fa8430ac67ed710a05d4227d636612387b02125b8006117c40c79e5b6
SHA512 40f6209a1b41e952eb5b96cadcfa87bdc5a9ceaf7f1f438beff20378d620eada3031485b179ef58920d23d6563324269206a2243d0cfb3ad58811827d39071f2

memory/588-84-0x0000000003EB0000-0x0000000004559000-memory.dmp

memory/588-85-0x0000000003EB0000-0x0000000004559000-memory.dmp

\??\pipe\crashpad_1920_ALMYWZREVZGBJKRG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/588-155-0x0000000003EB0000-0x0000000004559000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe

MD5 2dbfc6089fd5e3b1aa8a004508a16a37
SHA1 20331e184251ff628c6e3593511fc6ab93349058
SHA256 99bc61afdb7382ac8d7f9da3bb87ca552fe8596ded65bf39a81d2f7839bbc3d6
SHA512 03f5390778ce28d28d6e4c60af50f0ee32f1e4adf1b0ea1958bd9897db919f63817f1a0df8b4b4ae03ac90d4e797a2a1db380f9fce9d6ef33575101c4a640629

memory/1296-170-0x0000000000D90000-0x0000000001230000-memory.dmp

memory/588-169-0x0000000003EB0000-0x0000000004350000-memory.dmp

memory/588-181-0x0000000003EB0000-0x0000000004559000-memory.dmp

memory/1296-186-0x0000000000D90000-0x0000000001230000-memory.dmp

memory/3036-183-0x0000000000F00000-0x00000000013A0000-memory.dmp

memory/1296-182-0x0000000006D70000-0x0000000007210000-memory.dmp

memory/588-192-0x0000000000400000-0x0000000000568000-memory.dmp

memory/588-209-0x0000000003EB0000-0x0000000004350000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d9c6a296-1adc-4ba3-89e0-9b75f3eedcdb.tmp

MD5 28dd8170a0d23e83274150c39afbffa6
SHA1 d81ec21c17a1faaeb46b43d101c0339d8e2d2430
SHA256 b3273c0d4523bd68dcd1cb36b7c594ac85fc2e0c91bd82a4fc66550625dfe48f
SHA512 bbd40381443ae82b42aea5e6b08e34229bdc61adc9223f782098809c3c8852aa2c1953ee0245b5cbf57a24073f3929640b80e0ccb92a9291de5f97bff3af4572

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 61f4c8f9bbef8f3dd960043aa47d5842
SHA1 1e65de8ede719f5f2764259f6ebdb6b3246adbd5
SHA256 7e03e0d390f7cde356686e9cd72cb9f50d9fc544ca370ac6e8dc4dab56c5a9c5
SHA512 ff5e8ecfe68465a387409a486f3fabc69ca304a0fab9a1dd4ef8a312d16148a3ce719932e934588166b595f54ac037ba6666297549c5f00bef17a70d23fafbf5

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-27 08:07

Reported

2024-09-27 08:10

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000026002\87b8aec53a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000026002\87b8aec53a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000026002\87b8aec53a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\1000026002\87b8aec53a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87b8aec53a.exe = "C:\\Users\\Admin\\1000026002\\87b8aec53a.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b7248cc43d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\b7248cc43d.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe N/A
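The evasion, discovery and persistence tables above are raw registry and file events; what a responder wants from them is a per-process picture (which dropped binary probes for VirtualBox, Wine and BIOS strings, which one writes the Run values) and a short list of artifacts to hunt for on other hosts (the HKCU Run values and the legacy C:\Windows\Tasks\*.job files). The script below is an added example, not the report's or the sandbox's own detection logic: it parses rows copied from the signature tables in this section (including the System Language Discovery rows further down) and tags them with a small rule set. The rule set, the tag names and the "anything under C:\Users is user-writable" shortcut are this example's own assumptions.

```python
"""Tag sandbox registry/file events with evasion, discovery and persistence
rules, then list the persistence artifacts worth hunting for.

Added example; not part of the report or of the sandbox's detection logic.
The rows are copied from this report's signature tables; rule set and tag
names are this example's own assumptions.
"""
from dataclasses import dataclass

# Constructed input: "Description Indicator Process Target" rows copied from the report.
EVENT_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000026002\87b8aec53a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87b8aec53a.exe = "C:\\Users\\Admin\\1000026002\\87b8aec53a.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b7248cc43d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\b7248cc43d.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
"""

DESCRIPTIONS = ("Key value queried", "Key opened", "Key created",
                "Set value (str)", "Set value (int)", "File created")


@dataclass(frozen=True)
class Event:
    description: str
    indicator: str
    process: str


def parse_events(text):
    """Indicators may contain spaces, so the Process column is found as the
    last ' C:\\' in the row; Target is N/A in every row here and is dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
        if desc is None:
            continue
        rest = line[len(desc) + 1:]
        if rest.endswith(" N/A"):
            rest = rest[:-4]
        cut = rest.rfind(" C:\\")
        events.append(Event(desc, rest[:cut], rest[cut + 1:]))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def run_key_target(indicator):
    """(value name, target path) from a Run value row; the sandbox displays the
    string data with doubled backslashes, which are collapsed here."""
    key, _, value = indicator.partition(" = ")
    return basename(key), value.strip('"').replace("\\\\", "\\")


def is_user_writable(path):
    # Assumption for triage: anything under a profile is writable without elevation.
    return path.lower().startswith("c:\\users\\")


def tag_event(ev):
    low = ev.indicator.lower()
    tags = set()
    if "hardware\\acpi\\dsdt\\vbox__" in low:
        tags.add("evasion:virtualbox-acpi")
    if low.endswith("\\software\\wine"):
        tags.add("evasion:wine-check")
    if low.endswith("\\systembiosversion") or low.endswith("\\videobiosversion"):
        tags.add("evasion:bios-version")
    if low.endswith("\\geo\\nation"):
        tags.add("discovery:geo-nation")
    if "\\control\\nls\\language" in low:
        tags.add("discovery:system-language")
    if ev.description.startswith("Set value") and "\\currentversion\\run\\" in low:
        tags.add("persistence:run-key")
        _, target = run_key_target(ev.indicator)
        if is_user_writable(target):
            tags.add("persistence:run-key-user-writable")
    if ev.description == "File created" and low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
        tags.add("persistence:tasks-job")
    return tags


def summarize(events):
    """Process basename -> sorted tags it triggered (empty list if none)."""
    out = {}
    for ev in events:
        out.setdefault(basename(ev.process), set()).update(tag_event(ev))
    return {name: sorted(tags) for name, tags in out.items()}


def persistence_artifacts(events):
    """Concrete items to hunt for on other hosts, in event order."""
    found = []
    for ev in events:
        tags = tag_event(ev)
        if "persistence:run-key" in tags:
            name, target = run_key_target(ev.indicator)
            found.append({"kind": "run-key", "name": name, "path": target, "by": basename(ev.process)})
        elif "persistence:tasks-job" in tags:
            found.append({"kind": "tasks-job", "path": ev.indicator, "by": basename(ev.process)})
    return found


if __name__ == "__main__":
    evs = parse_events(EVENT_ROWS)
    for proc, tags in summarize(evs).items():
        print(f"{proc}: {', '.join(tags) or '-'}")
    for art in persistence_artifacts(evs):
        print(art)
```

Two details the output makes visible that the flat tables do not: the Run values are written by skotes.exe but point at other dropped binaries (one in %TEMP%, one directly under the profile root), so a hunt keyed on the writer's name alone misses them; and chrome.exe opening HARDWARE\DESCRIPTION\System\BIOS yields no tag, because the rules match the specific VirtualBox, Wine and BIOS-version strings rather than any read under that hive.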

Browser Information Discovery

discovery

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe (12 identical events)
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (19 identical events)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000026002\87b8aec53a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718980969655976" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (32 events, alternating with the row below)
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (32 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A (2 identical events)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (17 identical events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (10 identical events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A (30 identical events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4892 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4892 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4352 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe
PID 4352 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe
PID 4352 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe
PID 4352 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\1000026002\87b8aec53a.exe
PID 4352 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\1000026002\87b8aec53a.exe
PID 4352 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\1000026002\87b8aec53a.exe
PID 4352 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe
PID 4352 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe
PID 4352 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe
PID 2000 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2000 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 4628 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 4628 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 4236 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 4236 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
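
The table above records each writer/target pair several times and lists Chrome's own bootstrap writes (chrome.exe into chrome.exe) next to the hand-offs between the sample's stages. The Python below is an added worked example, not part of the sandbox report: it collapses the rows into a write-tree rooted at the processes nobody wrote into, and separates cross-image writes from same-image ones. The rows embedded in it are copied from the table (a subset, with two of the repeated rows kept to show the de-duplication); the function names, and the assumption that both image paths end in ".exe" and that the first contains no ".exe " inside a directory name, are this example's, not the report's.

```python
import re
from collections import defaultdict

# Constructed test input: rows copied from the WriteProcessMemory table above,
# a subset with two of the sandbox's repeated rows kept on purpose.
WRITE_ROWS = r"""
PID 4892 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4892 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4352 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe
PID 4352 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\1000026002\87b8aec53a.exe
PID 4352 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe
PID 2000 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 4628 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 4236 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5096 wrote to memory of 1360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
"""

# Assumption (holds for every row in this report): both paths end in ".exe" and the
# first path contains no ".exe " inside a directory name, so a non-greedy match
# on the first ".exe " splits the Process and Target columns correctly.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_writes(text):
    """Return distinct (src_pid, dst_pid, src_image, dst_image) edges in first-seen order."""
    edges = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    return list(dict.fromkeys(edges))  # de-duplicate, keep order


def build_tree(edges):
    """Map each PID to its image and to the PIDs it wrote into; roots were never written into."""
    children, images = defaultdict(list), {}
    for src, dst, src_img, dst_img in edges:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
    targets = {dst for _, dst, _, _ in edges}
    roots = [pid for pid in images if pid not in targets]
    return roots, children, images


def render_tree(roots, children, images):
    """Indented text tree, one line per PID, keyed on memory writes rather than CreateProcess."""
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(out)


def cross_image_writes(edges):
    """Writes into a process running a different image: the hand-offs between stages.
    Same-image writes (chrome.exe into chrome.exe) are how a multi-process browser
    sets up its own children and are noise for this question."""
    return [e for e in edges if e[2].lower() != e[3].lower()]


def foreign_writers_into(edges, name):
    """PIDs that wrote into a process whose image is `name` while running a different image."""
    name = name.lower()
    return {src for src, _, src_img, dst_img in edges
            if basename(dst_img).lower() == name and basename(src_img).lower() != name}


if __name__ == "__main__":
    edges = parse_writes(WRITE_ROWS)
    print(render_tree(*build_tree(edges)))
    for src, dst, src_img, dst_img in cross_image_writes(edges):
        print(f"hand-off: {src} ({basename(src_img)}) -> {dst} ({basename(dst_img)})")
    print("non-Chrome writers into chrome.exe:", foreign_writers_into(edges, "chrome.exe"))
```

Two things the tree makes visible that the flat rows do not. First, a parent writing into a child it has just created is routine (the chrome.exe 5096 rows are Chrome populating its renderer and utility children), so the WriteProcessMemory signature on its own is weak evidence; the cross-image chain sample -> skotes.exe -> 42289d687d.exe / 87b8aec53a.exe / b7248cc43d.exe -> chrome.exe is the signal, and b7248cc43d.exe (PID 2000) is the only non-Chrome image that wrote into chrome.exe. Second, PID 4352 (skotes.exe) comes out as a second root: no row records a write into it, so this table does not link it to the first skotes.exe instance (3896); the Processes list below shows skotes.exe started twice.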

Processes

C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe

"C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1244

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 488

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1484

C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe

"C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1432

C:\Users\Admin\1000026002\87b8aec53a.exe

"C:\Users\Admin\1000026002\87b8aec53a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1608

C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe

"C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1572

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaf396cc40,0x7ffaf396cc4c,0x7ffaf396cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1840 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1992,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2112 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1756,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1420

C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe

"C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1632

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4632,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4644 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4656 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1504

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 185.215.113.37:80 185.215.113.37 tcp
US 8.8.8.8:53 37.113.215.185.in-addr.arpa udp
RU 185.215.113.37:80 185.215.113.37 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.179.238:443 youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.187.238:443 consent.youtube.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
RU 185.215.113.16:80 185.215.113.16 tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
GB 142.250.187.238:443 consent.youtube.com udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
GB 142.250.187.238:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 e2c4.gcp.gvt2.com udp
JP 34.97.161.128:443 e2c4.gcp.gvt2.com tcp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
JP 34.97.161.128:443 e2c4.gcp.gvt2.com tcp
US 8.8.8.8:53 128.161.97.34.in-addr.arpa udp
US 8.8.8.8:53 beacons.gvt2.com udp
GB 172.217.169.35:443 beacons.gvt2.com tcp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 udp
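
The Network table mixes four kinds of traffic: reverse (PTR) lookups of the IPs seen, one mDNS packet, Google/YouTube TLS and QUIC traffic from the Chrome instance started in kiosk mode, and plain-HTTP connections to bare IPs in 185.215.113.0/24 with no hostname attached. The Python below is an added example, not part of the report: it parses the rows (including the two that lack a Domain column), buckets them by what the traffic is rather than where it went, and pulls out the bare-IP plaintext endpoints and the prefix they share. The embedded rows are a subset copied from the table above, with one of its duplicate rows kept; the bucket names and the choice to treat port 80 as the plaintext port of interest are this example's.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed test input: a subset of the Network table above, including one
# duplicate row and the two rows that have no Domain column.
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.37:80 185.215.113.37 tcp
RU 185.215.113.37:80 185.215.113.37 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.179.238:443 youtube.com tcp
GB 142.250.187.238:443 consent.youtube.com udp
RU 185.215.113.16:80 185.215.113.16 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 udp
"""


def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue  # header or malformed line
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None, "proto": parts[-1]})
    return rows


def classify(row):
    """Bucket one row by traffic type."""
    if row["proto"] == "udp" and row["port"] == 53:
        if row["domain"] and row["domain"].endswith(".in-addr.arpa"):
            return "ptr_lookup"   # reverse lookups of IPs already contacted
        return "dns_query"
    if row["proto"] == "udp" and row["port"] == 5353:
        return "mdns"             # link-local multicast, not command and control
    if row["domain"] in (None, row["ip"]):
        return "bare_ip"          # connection straight to an address, no name resolved
    return "named_host"


def _endpoint_key(endpoint):
    """Sort IP endpoints numerically and names alphabetically."""
    host, _, port = endpoint.rpartition(":")
    try:
        return (0, int(ipaddress.ip_address(host)), int(port))
    except ValueError:
        return (1, endpoint, 0)


def triage(rows):
    """Unique entries per bucket: names for DNS buckets, host:port otherwise."""
    buckets = defaultdict(set)
    for r in rows:
        kind = classify(r)
        if kind in ("dns_query", "ptr_lookup"):
            buckets[kind].add(r["domain"] or "(no domain recorded)")
        elif kind == "named_host":
            buckets[kind].add(f'{r["domain"]}:{r["port"]}')
        else:
            buckets[kind].add(f'{r["ip"]}:{r["port"]}')
    return {k: sorted(v, key=_endpoint_key) for k, v in buckets.items()}


def c2_candidates(rows, plaintext_ports=(80,)):
    """Bare-IP destinations on plaintext ports: the first flows to pull from the capture."""
    return [e for e in triage(rows).get("bare_ip", [])
            if int(e.rsplit(":", 1)[1]) in plaintext_ports]


def shared_prefixes(endpoints, prefixlen=24):
    """Count candidate endpoints per network prefix; a cluster points at one hosting block."""
    nets = Counter(str(ipaddress.ip_network(f'{e.rsplit(":", 1)[0]}/{prefixlen}', strict=False))
                   for e in endpoints)
    return dict(nets)


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    for kind, entries in triage(rows).items():
        print(f"{kind:12s} {', '.join(entries)}")
    cands = c2_candidates(rows)
    print("bare-IP plaintext endpoints:", cands)
    print("shared prefixes:", shared_prefixes(cands))
```

On the full table this yields four bare-IP HTTP endpoints, 185.215.113.16, .37, .43 and .103 on port 80, all in one /24, against Google-owned TLS/QUIC destinations that are explained by the chrome.exe --kiosk launch in the Processes list. The report does not show request contents, so the endpoints are where to look in the capture rather than a conclusion on their own. The PTR lookups are kept in a separate bucket because the page does not say whether the sample or the sandbox's own tooling issued them.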

Files

memory/4892-1-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/4892-2-0x00000000022D0000-0x000000000233A000-memory.dmp

memory/4892-3-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 6005662a18ecbc23f89481cb5ae9be73
SHA1 bc4ec29220c54fe2cec779f738bae8f0fff91c8c
SHA256 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
SHA512 e204c4b2f56616b5cbc222bf9bd111e4dd455ec32ad1d1dae833414e1945133f772f84a41cb0b48339245f6cc97bf1949523f4853fd42b96d5f77d8da62fcd1a

memory/3896-16-0x0000000000400000-0x0000000000568000-memory.dmp

memory/4892-17-0x0000000000400000-0x0000000000568000-memory.dmp

memory/4892-19-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4892-18-0x00000000022D0000-0x000000000233A000-memory.dmp

memory/3896-20-0x0000000000400000-0x0000000000568000-memory.dmp

memory/4352-23-0x0000000000400000-0x0000000000568000-memory.dmp

memory/4352-24-0x0000000000400000-0x0000000000568000-memory.dmp

memory/4352-25-0x0000000000400000-0x0000000000568000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe

MD5 2ff9d81435c7d755cb5a6b975ed50ce6
SHA1 a588fbde21ac7335c3b516db6ccaa783eb2a088c
SHA256 162e527a19799d2d3ace95ca315eba1ffa0fd4fd3eac247a26b41212033b2863
SHA512 46688a8fb90c3b3bcb926e6b37129ebd45297283150e61450b685f792d20f7d5d2d88ea2487f73dd76d6e20b513f43ba143ff9d321b47f4f4563287e02a9e235

memory/4352-41-0x0000000000400000-0x0000000000568000-memory.dmp

memory/1120-42-0x00000000007B0000-0x0000000000E59000-memory.dmp

memory/4352-43-0x0000000000400000-0x0000000000568000-memory.dmp

memory/1120-44-0x00000000007B0000-0x0000000000E59000-memory.dmp

memory/4296-60-0x0000000000FA0000-0x0000000001649000-memory.dmp

memory/4296-61-0x0000000000FA0000-0x0000000001649000-memory.dmp

memory/4352-62-0x0000000000400000-0x0000000000568000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe

MD5 cda0b8ef0af532cf29045c06142ce1f8
SHA1 39b7bd4dadc3172152d727dd9633916ae1a8fd7d
SHA256 3129cc8fa8430ac67ed710a05d4227d636612387b02125b8006117c40c79e5b6
SHA512 40f6209a1b41e952eb5b96cadcfa87bdc5a9ceaf7f1f438beff20378d620eada3031485b179ef58920d23d6563324269206a2243d0cfb3ad58811827d39071f2

\??\pipe\crashpad_5096_UWAGFTGVJEIOIAPQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe

MD5 2dbfc6089fd5e3b1aa8a004508a16a37
SHA1 20331e184251ff628c6e3593511fc6ab93349058
SHA256 99bc61afdb7382ac8d7f9da3bb87ca552fe8596ded65bf39a81d2f7839bbc3d6
SHA512 03f5390778ce28d28d6e4c60af50f0ee32f1e4adf1b0ea1958bd9897db919f63817f1a0df8b4b4ae03ac90d4e797a2a1db380f9fce9d6ef33575101c4a640629

memory/2944-138-0x0000000000C90000-0x0000000001130000-memory.dmp

memory/2944-151-0x0000000000C90000-0x0000000001130000-memory.dmp

memory/4040-152-0x0000000000DF0000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 481c123bde492e5b31174ae20c3128b6
SHA1 63105b908017f1ccaa1b5ecbf6c6fb1a0aaac5e5
SHA256 f0a7898fb9b68acbc9ec0ee83d8961c4aaf1a8ea0d5c67b7577c392880290cb6
SHA512 2f86b09455daf43604c56e9e04efa9224dab8e8aa88268890f155cab80ae844cca62c026a2fb48f16c332373c4df1676cff59c7b95327b9073dddcbc243fc970

memory/4352-161-0x0000000000400000-0x0000000000568000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d3d6add8a3f19855464f269d19afba8d
SHA1 e64b643e6caf2451a481c580cc9bb0da7fb46d45
SHA256 213756a99c0d562f5a194b9f11b0f922e6f1b762dcaa4c4a3d57bfd32684c70d
SHA512 56ee080b8755f8c954d0c1e3d8fa7efd35d03ff2f514183a55bc7c715e4d0f3c139e6603c12cc5a0b51be640c95e9f27ff15e73534222279181b9a63cddefd33

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dcdd784004e13668eb3474df58ffd3a6
SHA1 77067dae47eff54104cb3c20af70e9073720bed9
SHA256 6f5e0228c080e1ed7454d04404be6e5df991a5ed5df414f938f288245c03e32c
SHA512 ed8d0a481085ec0b4ab8184ac0f6160d1d760f63bc4e4c5760ddea7744d35ca6b4ba0b1ab45f59cba8e7038a3c4f42d14b726e0f1a50aa065117bcad69f121aa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 0e9795337f454494403df3ee4aa6fe96
SHA1 b54bb8a57aec2b437a549e7c5af82f897fe2734b
SHA256 5a14901726a0fa2113c36365126d6aaff43b72a4262388c26f6527a0506e80f3
SHA512 1963dd0d2af805ac044f88affb49daa39d9c4d95831c33cae8981ee022dfccada36582cdf9e59278a52ffec769a28a0cc1fb33243685af6f9a797908c7975eff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2922cf92ec775eb63bf4d1f0671ac69c
SHA1 8a96ca944ae0f917cb10c8a4c96ba233e9b5d25c
SHA256 47a504076384eb36e252516dca456500bf7914e83e5e17220a2964695b26c1d5
SHA512 3aed8274fa2c9b7b86a2b8b0a170edf748f6237cc2a2476cedeafc70fe1b8084dadbae3c3f3d758bc4c65c8bf5accc3976ec11540a5947bd1d01a21b539413ed

memory/4040-182-0x0000000000DF0000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5484fdc1348d1355cf4f11a9a11b7fba
SHA1 9c9248a051587f6fcf0c0cb683ad91de4d95395e
SHA256 d32271471765f5eeef1cb81a5636cbf8fe52f641b8f92a3e7fba45a8cf0b87d3
SHA512 f368a253258fed80a9e04e30cc53d45a8382f558492c7c4994f056b9e9d38d8c72ac78a27381590a410e3d0b176e96e31d7fa4dc81d6543c96f229372a6f19b1

memory/4040-189-0x0000000000DF0000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 647be029e7f06048bff5fd8a2b7ffb29
SHA1 11f9d411e0aee597d1b8df69b9bb361ceab89b63
SHA256 8833e99078b457119c7d2f59041cc7f57c0cfdf267041758497d46eafb516585
SHA512 ceba74596fd757659f5cfa152dbbefea2ca22f7cf02961cc09e8bb3270db882454a0e29298bf7cba7ab532c5158bfd0db9ccf2d5622e78c568cb8150756ffa0e

memory/4040-200-0x0000000000DF0000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 5e95cc8b67853dfb0d67f1214321f81a
SHA1 81d48ec2f15470eaf7dd05339430a4e0d8216c8d
SHA256 48ad9e493ba69eda21c5c5d7196692c20560840a089c65046e1eece89b5c99d6
SHA512 c8a2f2fc8fbc929bddd99c38c11854974795f4ebd891b91e9a3339baca36e8193315a1bc15c7dad76be8c85c22b2d0fe3a3155513dd7dedf13ba0dfabab5842f

memory/4040-220-0x0000000000DF0000-0x0000000001290000-memory.dmp

memory/4036-222-0x0000000000DF0000-0x0000000001290000-memory.dmp

memory/4036-223-0x0000000000DF0000-0x0000000001290000-memory.dmp

memory/4040-225-0x0000000000DF0000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5cbe653fcab1f240efd0d1fa7b545980
SHA1 a0ad0615c11aedae111c12205ff6e0f0b31524ec
SHA256 a2154b1279f7c12fa9dae6e56882c54efa55b084164386425b9c9069cf9d7c7c
SHA512 f9c284b7c1d3756166ea8d58f64f2ffe7a9d4ef3bec0fabdd04cc28bb32fe5b507ae319c0d54214fb36f31d3e658131666d1d216168fd58c8c2b5034d664a3ab

memory/4040-237-0x0000000000DF0000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 52cb5196c0ce49b0e6aab5c478245db8
SHA1 3fbcf19987ae5ff3f3d230b00dcf6ff0f9c558a9
SHA256 88d3b9dbca15256030f253db8bd45446bc4ee9094d79e346bb634c4625fa5fef
SHA512 03157cc9c95d1acc7c85212126a8e22b86dc9c8d621b62e3fd4d6e16245b449986c4c9861ae610a10faa7289871e4b7efda7421fc9a470949c3ec0c5b065c7f1

memory/4040-253-0x0000000000DF0000-0x0000000001290000-memory.dmp

memory/4040-255-0x0000000000DF0000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bdf9866ece88148fe248b3f7fdf28ea0
SHA1 fc3967ce3550649e5ec89f4d89042f19a8b82253
SHA256 a2e93c26b5737a1ffa8aa0c5adab9ed061b49c19bedc324f4d9b22cbf9ede317
SHA512 612bb6d3d4065ca34fbdbef802019446bb29386e1ac6c19d64a180fd4ac971a9dd65d1af730245c55eaa97cc345347f1298c4bc17ec62681ada667ba2db2ca72

memory/4040-266-0x0000000000DF0000-0x0000000001290000-memory.dmp

memory/4040-268-0x0000000000DF0000-0x0000000001290000-memory.dmp

memory/1820-271-0x0000000000DF0000-0x0000000001290000-memory.dmp

memory/4040-272-0x0000000000DF0000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fea64bf86a2add96c1063d4fb91e1e89
SHA1 7f1fbb29ee5278a7ce2bca928eba28a9e4b8c85b
SHA256 6ab88986e60bfe286f821cab43dd0ceea8a8037def27f3815248c089803b40fd
SHA512 a5f551ac54748aa16967071ca744f08129ae70ebab04dc77f410a2be7f7c050e93a62a02f9001e491fa616c594770be8cc4d287c560d90481c387dc82bf4305c
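The Files list above mixes real indicators with artifacts that carry no signal, and a few things are worth checking before any of these hashes go into a blocklist. The dropped skotes.exe has exactly the same SHA256 as the submitted sample (5d1a1c…), so it is a self-copy placed under Temp rather than a second-stage download. The four digests listed for the crashpad named pipe are the digests of empty input, and those of the Chrome "SCT Auditing Pending Reports" file are the digests of the two-byte text "[]"; neither identifies anything. The remaining Chrome User Data paths are profile files that the browser rewrites whenever it runs, which is why the same path recurs with different hashes. The script below is an added example, not part of the sandbox report or its vendor's tooling: it parses entries in the path-plus-hash-lines format used in this section, recomputes the trivial-input digests with hashlib instead of hard-coding them, and sorts the records into buckets. The embedded excerpt is a constructed subset of the entries above (SHA512 lines and blank separators omitted for length); the bucket names, the BROWSER_PROFILE path heuristic and the SAMPLE_SHA256 constant taken from the report header are the example's own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# SHA256 of the submitted sample, copied from the report header.
SAMPLE_SHA256 = "5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47"

# Constructed excerpt: a subset of the Files entries above, copied verbatim
# except that SHA512 lines and blank separators are left out for length.
REPORT_EXCERPT = r"""
memory/4892-3-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
MD5 6005662a18ecbc23f89481cb5ae9be73
SHA1 bc4ec29220c54fe2cec779f738bae8f0fff91c8c
SHA256 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe
MD5 2ff9d81435c7d755cb5a6b975ed50ce6
SHA1 a588fbde21ac7335c3b516db6ccaa783eb2a088c
SHA256 162e527a19799d2d3ace95ca315eba1ffa0fd4fd3eac247a26b41212033b2863
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
MD5 dcdd784004e13668eb3474df58ffd3a6
SHA1 77067dae47eff54104cb3c20af70e9073720bed9
SHA256 6f5e0228c080e1ed7454d04404be6e5df991a5ed5df414f938f288245c03e32c
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
BROWSER_PROFILE = re.compile(r"\\Google\\Chrome\\User Data\\", re.IGNORECASE)
ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
         "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
# Inputs whose digests recur in reports but carry no signal: an empty file or
# pipe, and the two-byte JSON text "[]" that Chrome writes to an empty queue.
TRIVIAL_CONTENT = {b"": "empty", b"[]": "empty JSON array"}

@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex

def parse_files_section(text: str) -> list:
    """Turn path lines followed by 'ALGO hex' lines into Artifact records."""
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
        elif not m:
            current = Artifact(path=line)
            artifacts.append(current)
    return artifacts

def trivial_content(art: Artifact):
    """Label the artifact if every reported digest is the digest of a trivial input."""
    for data, label in TRIVIAL_CONTENT.items():
        if art.hashes and all(ALGOS[a](data).hexdigest() == h
                              for a, h in art.hashes.items()):
            return label
    return None

def triage(artifacts, sample_sha256=SAMPLE_SHA256) -> dict:
    """Bucket artifacts; dropped_payload holds (path, sha256) pairs."""
    sample_sha256 = sample_sha256.lower()
    buckets = {"memory_dump": [], "empty": [], "self_copy": [],
               "browser_profile": [], "dropped_payload": [], "other": []}
    for art in artifacts:
        sha256 = art.hashes.get("SHA256")
        if art.path.startswith("memory/"):
            buckets["memory_dump"].append(art.path)
        elif trivial_content(art):
            buckets["empty"].append(art.path)
        elif sha256 == sample_sha256:
            # Identical content to the submitted sample: the malware copied itself.
            buckets["self_copy"].append(art.path)
        elif BROWSER_PROFILE.search(art.path):
            buckets["browser_profile"].append(art.path)
        elif sha256 and art.path.lower().endswith(".exe"):
            buckets["dropped_payload"].append((art.path, sha256))
        else:
            buckets["other"].append(art.path)
    return buckets

def blocklist(artifacts, sample_sha256=SAMPLE_SHA256) -> list:
    """SHA256s worth blocking: second-stage executables plus the sample's own
    hash when a self-copy was observed on disk."""
    buckets = triage(artifacts, sample_sha256)
    hashes = {h for _, h in buckets["dropped_payload"]}
    if buckets["self_copy"]:
        hashes.add(sample_sha256.lower())
    return sorted(hashes)
```

Run against the full Files section pasted into REPORT_EXCERPT, the blocklist reduces to the sample's own hash plus the three Temp\1000xxx001\*.exe payloads, while the crashpad pipe, the "[]" file and every Chrome profile write land in buckets you would not ship as indicators. Checking all reported digests against the trivial inputs, rather than only MD5, also catches a report whose hash columns are inconsistent with each other.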