hxxp://usps[.]com[.]manage[.]inventec[.]com[.]hk/usps/

Analysis

max time kernel
68s
max time network
114s
platform
windows10_x64
resource
win10-jp
submitted
17-09-2021 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://usps.com.manage.inventec.com.hk/usps/
Sample

210917-q54qdafge7

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

OneDriveSetup.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 5912 created 5752 5912 svchost.exe OneDriveSetup.exe
Executes dropped EXE 1 IoCs

Processes:

FileSyncConfig.exe

pid process

2692 FileSyncConfig.exe

description	pid	process	target process
PID 5912 created 5752	5912	svchost.exe	OneDriveSetup.exe

Loads dropped DLL 8 IoCs

Processes:

FileSyncConfig.exe

pid	process
2692	FileSyncConfig.exe
2692	FileSyncConfig.exe
2692	FileSyncConfig.exe
2692	FileSyncConfig.exe
2692	FileSyncConfig.exe
2692	FileSyncConfig.exe
2692	FileSyncConfig.exe
2692	FileSyncConfig.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\FLAGS\ = "0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ = "ICreateLibraryCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ = "IUnmapLibraryCallback"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0\WIN32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging\CLSID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\OOBEREQUESTHANDLER.OOBEREQUESTHANDLER\CLSID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\VersionIndependentProgID\ = "SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging\CurVer	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\ = "UpToDatePinnedOverlayHandler Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices.1"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ = "ISyncEngineEvents"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\amd64\\FileCoAuthLib64.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\TypeLib\ = "{F904F88C-E60D-4327-9FA2-865AD075B400}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{466F31F7-9892-477E-B189-FA5C59DE3603}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\ = "UpToDateCloudOverlayHandler Class"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\FileCoAuth.exe\""	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exeOneDriveSetup.exeOneDriveSetup.exechrome.exechrome.exe

pid	process
3408	chrome.exe
3408	chrome.exe
3716	chrome.exe
3716	chrome.exe
3196	chrome.exe
3196	chrome.exe
4768	chrome.exe
4768	chrome.exe
5752	OneDriveSetup.exe
5752	OneDriveSetup.exe
5752	OneDriveSetup.exe
5752	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
5940	OneDriveSetup.exe
4844	chrome.exe
4844	chrome.exe
1284	chrome.exe
1284	chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

OneDriveSetup.exesvchost.exe

description pid process

Token: SeIncreaseQuotaPrivilege 5752 OneDriveSetup.exe
Token: SeTcbPrivilege 5912 svchost.exe
Token: SeTcbPrivilege 5912 svchost.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

3716 chrome.exe
3716 chrome.exe
3716 chrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5752	OneDriveSetup.exe
Token: SeTcbPrivilege	5912	svchost.exe
Token: SeTcbPrivilege	5912	svchost.exe

pid	process
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3716 wrote to memory of 3636	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3636	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4368	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3408	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3408	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3532	3716	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://usps.com.manage.inventec.com.hk/usps/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffd4b5ea380,0x7ffd4b5ea390,0x7ffd4b5ea3a0
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 /prefetch:8
2⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:1
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:8
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5876 /prefetch:8
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5840 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:8
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5848 /prefetch:8
2⤵
PID:1904

C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel=stable --force-configure-user-settings
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6bb0f6ee0,0x7ff6bb0f6ef0,0x7ff6bb0f6f00
3⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5972 /prefetch:8
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5892 /prefetch:8
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5732 /prefetch:8
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6236 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6952 /prefetch:8
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7100 /prefetch:8
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6232 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7368 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7380 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7520 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6156 /prefetch:8
2⤵
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6748 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6744 /prefetch:8
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7976 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6796 /prefetch:8
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6504 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7792 /prefetch:8
2⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7888 /prefetch:8
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7816 /prefetch:8
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7844 /prefetch:8
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6516 /prefetch:8
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8608 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8624 /prefetch:8
2⤵
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
2⤵
PID:5248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1476 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1684,3703861576813757077,2548779829268772662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
2⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5940

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:6056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
7eacab519c71e8de7f576582521f272f

SHA1
b0f999df0a5322204ec2b9cb77c56940269f1fd2

SHA256
7cfae26fcb26b983296b1dd7c40308f862fe0e42ba9141b423f6e39a5a558061

SHA512
b8801a03aea323f8c14f3c90be4720e78bec5f8d5ee7ec2f25707e18e1f285ba607760c4cb2e153c0e193d0d864dcc4f1b3f38874ace04c08f11b15d1f37469d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
MD5
482f6e8cdb127285f003a1e735a3791e

SHA1
24205c984f66bf5701e123f6b189699551553936

SHA256
a2e7f10da89bb038118a08699a32fe59861304ecd206d2d0f60f966514172559

SHA512
20e95b9e19d116239720261af25c66ffa9ae4eb1483af689e374f505d2e1af811bbb28f04f2bdd126f43180cb312375797ec0c193ce5d52cc3757d5a197daf5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\LoggingPlatform.DLL
MD5
f5fe453d483dca5a85fdd74bbbb7cffa

SHA1
c7cd1089b520a7a21bdbe84a311b86f4c395a550

SHA256
5cbe72a49f2f4a821768e978a7c1426f46d1f73d2bb07325e85b20ada8eb514a

SHA512
6e4490d3b09ad3289892eb63f0c2978347095aed0ee282bfe69c5e599735db8a0494c9d0d25e14a2f09ab0c25c2ea75d91e5753c5b9a77ef1d7e647600a77a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\MSVCP140.dll
MD5
0c6f22feabe8f0fe0f4fca7406e19e48

SHA1
c1ff9723bb6c25d27704086521767822b2eb3450

SHA256
2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

SHA512
d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\Telemetry.dll
MD5
7bfedf5e7dda62c9014fb4b07f8d7814

SHA1
b3bb93818b1c482cff1e965599678ae91fb5ffa9

SHA256
a6c2d9050758272d0b43a68f3e50925c65b11353776ec7b8a52a4095c9ba6b39

SHA512
de4a7596e4031e2cd91c4484ae3eba873ac96cc96ed54221d2d766010407d83211cd00ad49afb7a4cee1eafc4a3fc46ed0d92c2e30c32e0fe76ae9212e213a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\UpdateRingSettings.dll
MD5
5888321cc9a6abd980e76b8e359f5cc2

SHA1
8b0cf82d39f5c45d710f962bd305fe3aa89c30cd

SHA256
0be7e06ff418080feb0cda6d063ac3389028e7c539c88d7a2a5a4706c56f4d7c

SHA512
3e56b88f09eaf86b4e05746a1f228be472bd0f6e30b2a66f4319783d03dd21f0ece1d8eef9ca89018cc38117fa27cc6f01e1bebe1450b857205a998542a5390c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\VCRUNTIME140.dll
MD5
b33654014faaa8eec2d2985d45fd0792

SHA1
b43ce9aa087b18928c1d251205f8cbddda960530

SHA256
2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

SHA512
66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
MD5
b84258c0bd43b91267160cfb2a311007

SHA1
2df854f9dc991f9f8820f1a390d6ec14c125e85b

SHA256
0bd9892466be1de329309e5014495eaeb231e383bdb69dd16a9c9854149b93b8

SHA512
4be214b710f6c1b3c0c72ebc66795c1d895b5c0c47fed20eacbd5c54024f276f26e8a5d40d016da8bf59bce4431b20fcd201f99faac92910663e333ad81ac2b4

Download Submit
\??\pipe\crashpad_3716_ZBUDYVUJMYOMOUPH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\LoggingPlatform.dll
MD5
f5fe453d483dca5a85fdd74bbbb7cffa

SHA1
c7cd1089b520a7a21bdbe84a311b86f4c395a550

SHA256
5cbe72a49f2f4a821768e978a7c1426f46d1f73d2bb07325e85b20ada8eb514a

SHA512
6e4490d3b09ad3289892eb63f0c2978347095aed0ee282bfe69c5e599735db8a0494c9d0d25e14a2f09ab0c25c2ea75d91e5753c5b9a77ef1d7e647600a77a71

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\Telemetry.dll
MD5
7bfedf5e7dda62c9014fb4b07f8d7814

SHA1
b3bb93818b1c482cff1e965599678ae91fb5ffa9

SHA256
a6c2d9050758272d0b43a68f3e50925c65b11353776ec7b8a52a4095c9ba6b39

SHA512
de4a7596e4031e2cd91c4484ae3eba873ac96cc96ed54221d2d766010407d83211cd00ad49afb7a4cee1eafc4a3fc46ed0d92c2e30c32e0fe76ae9212e213a9a

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\UpdateRingSettings.dll
MD5
5888321cc9a6abd980e76b8e359f5cc2

SHA1
8b0cf82d39f5c45d710f962bd305fe3aa89c30cd

SHA256
0be7e06ff418080feb0cda6d063ac3389028e7c539c88d7a2a5a4706c56f4d7c

SHA512
3e56b88f09eaf86b4e05746a1f228be472bd0f6e30b2a66f4319783d03dd21f0ece1d8eef9ca89018cc38117fa27cc6f01e1bebe1450b857205a998542a5390c

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\msvcp140.dll
MD5
0c6f22feabe8f0fe0f4fca7406e19e48

SHA1
c1ff9723bb6c25d27704086521767822b2eb3450

SHA256
2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

SHA512
d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\msvcp140.dll
MD5
0c6f22feabe8f0fe0f4fca7406e19e48

SHA1
c1ff9723bb6c25d27704086521767822b2eb3450

SHA256
2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

SHA512
d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\msvcp140.dll
MD5
0c6f22feabe8f0fe0f4fca7406e19e48

SHA1
c1ff9723bb6c25d27704086521767822b2eb3450

SHA256
2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

SHA512
d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\msvcp140.dll
MD5
0c6f22feabe8f0fe0f4fca7406e19e48

SHA1
c1ff9723bb6c25d27704086521767822b2eb3450

SHA256
2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

SHA512
d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\vcruntime140.dll
MD5
b33654014faaa8eec2d2985d45fd0792

SHA1
b43ce9aa087b18928c1d251205f8cbddda960530

SHA256
2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

SHA512
66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

Download Submit
memory/1120-202-0x0000000000000000-mapping.dmp

Download
memory/1128-291-0x0000000000000000-mapping.dmp

Download
memory/1244-251-0x0000000000000000-mapping.dmp

Download
memory/1264-326-0x0000000000000000-mapping.dmp

Download
memory/1284-399-0x0000000000000000-mapping.dmp

Download
memory/1332-338-0x0000000000000000-mapping.dmp

Download
memory/1472-315-0x0000000000000000-mapping.dmp

Download
memory/1676-311-0x0000000000000000-mapping.dmp

Download
memory/1692-395-0x0000000000000000-mapping.dmp

Download
memory/1792-265-0x0000000000000000-mapping.dmp

Download
memory/1904-227-0x0000000000000000-mapping.dmp

Download
memory/2540-286-0x0000000000000000-mapping.dmp

Download
memory/2692-376-0x0000000000000000-mapping.dmp

Download
memory/2852-207-0x0000000000000000-mapping.dmp

Download
memory/3048-141-0x0000000000000000-mapping.dmp

Download
memory/3176-150-0x0000000000000000-mapping.dmp

Download
memory/3196-188-0x0000000000000000-mapping.dmp

Download
memory/3208-246-0x0000000000000000-mapping.dmp

Download
memory/3268-154-0x0000000000000000-mapping.dmp

Download
memory/3312-197-0x0000000000000000-mapping.dmp

Download
memory/3408-123-0x0000000000000000-mapping.dmp

Download
memory/3532-128-0x0000000000000000-mapping.dmp

Download
memory/3572-133-0x0000000000000000-mapping.dmp

Download
memory/3636-117-0x0000000000000000-mapping.dmp

Download
memory/3656-346-0x0000000000000000-mapping.dmp

Download
memory/3668-231-0x0000000000000000-mapping.dmp

Download
memory/3668-334-0x0000000000000000-mapping.dmp

Download
memory/3832-238-0x0000000000000000-mapping.dmp

Download
memory/3864-261-0x0000000000000000-mapping.dmp

Download
memory/4048-162-0x0000000000000000-mapping.dmp

Download
memory/4116-299-0x0000000000000000-mapping.dmp

Download
memory/4324-329-0x0000000000000000-mapping.dmp

Download
memory/4324-222-0x0000000000000000-mapping.dmp

Download
memory/4368-126-0x00007FFD650F0000-0x00007FFD650F1000-memory.dmp

Filesize
4KB

Download
memory/4368-122-0x0000000000000000-mapping.dmp

Download
memory/4408-145-0x0000000000000000-mapping.dmp

Download
memory/4476-306-0x0000000000000000-mapping.dmp

Download
memory/4540-271-0x0000000000000000-mapping.dmp

Download
memory/4600-212-0x0000000000000000-mapping.dmp

Download
memory/4672-296-0x0000000000000000-mapping.dmp

Download
memory/4684-192-0x0000000000000000-mapping.dmp

Download
memory/4768-240-0x0000000000000000-mapping.dmp

Download
memory/4844-391-0x0000000000000000-mapping.dmp

Download
memory/4932-351-0x0000000000000000-mapping.dmp

Download
memory/4980-217-0x0000000000000000-mapping.dmp

Download
memory/4988-234-0x0000000000000000-mapping.dmp

Download
memory/5036-256-0x0000000000000000-mapping.dmp

Download
memory/5060-321-0x0000000000000000-mapping.dmp

Download
memory/5072-177-0x0000000000000000-mapping.dmp

Download
memory/5072-276-0x0000000000000000-mapping.dmp

Download
memory/5112-279-0x0000000000000000-mapping.dmp

Download
memory/5136-354-0x0000000000000000-mapping.dmp

Download
memory/5232-361-0x0000000000000000-mapping.dmp

Download
memory/5248-364-0x0000000000000000-mapping.dmp

Download
memory/5940-374-0x0000000000000000-mapping.dmp

Download