asyncrat | 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

Resubmissions

04-11-2023 15:12

231104-sk7bwaea47 5

20-07-2023 17:49

230720-wd3xnahg68 10

Analysis

max time kernel
1049s
max time network
871s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2023 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Autoclicker.exe
Size

844KB
MD5

7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1

1751d9389adb1e7187afa4938a3559e58739dce6
SHA256

2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512

cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
SSDEEP

12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG

Score

10^/10

asyncrat gay discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

GAY

simple-drain.at.ply.gg:53096

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
Onedrive.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/4044-691-0x000000001AC50000-0x000000001AC7C000-memory.dmp	asyncrat

Downloads MZ/PE file

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/4816-554-0x0000000000FD0000-0x0000000001042000-memory.dmp	net_reactor
behavioral1/files/0x000b00000001b189-905.dat	net_reactor

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe	onedrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe	onedrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe	onedrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe	onedrive.exe

Executes dropped EXE 8 IoCs

pid	Process
5960	processhacker-2.39-setup.tmp
5552	ProcessHacker.exe
4816	onedrive.exe
1072	VenomStealer Config.exe
4044	onedrive.exe
5384	onedrive.exe
4392	VenomStealer Config.exe
3084	onedrive.exe

Loads dropped DLL 12 IoCs

pid	Process
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\onedrive = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\onedrive.exe"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\onedrive = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\onedrive.exe"	onedrive.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File created	C:\Program Files\Process Hacker 2\plugins\is-6JBV0.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-SP31E.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-EG7Q1.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-Q09MO.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-1E8VP.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-F9EOA.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-EC09N.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-4R6BD.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-LSKBK.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-M1J9R.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-0EIRT.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-KA04N.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-E8KGQ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-0NH76.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-BPFEV.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-103BG.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-0DP6K.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-PEJMV.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-7PDQ4.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-76QT7.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-SFRO1.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-VIHTH.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-FLQRD.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-FOLU2.tmp	processhacker-2.39-setup.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\onedrive.exe	VenomStealer.exe
File created	C:\Windows\onedrive.exe	VenomStealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
528	4044	WerFault.exe	166
4804	3084	WerFault.exe	183

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5428	schtasks.exe
320	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
224	timeout.exe
5436	timeout.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f5c000000010000000400000000080000030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5960	processhacker-2.39-setup.tmp
5960	processhacker-2.39-setup.tmp
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5552	ProcessHacker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
632	Process not Found

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: 33	2364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2364	AUDIODG.EXE
Token: SeDebugPrivilege	5552	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	5552	ProcessHacker.exe
Token: 33	5552	ProcessHacker.exe
Token: SeLoadDriverPrivilege	5552	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	5552	ProcessHacker.exe
Token: SeRestorePrivilege	5552	ProcessHacker.exe
Token: SeShutdownPrivilege	5552	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	5552	ProcessHacker.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeIncreaseQuotaPrivilege	5772	powershell.exe
Token: SeSecurityPrivilege	5772	powershell.exe
Token: SeTakeOwnershipPrivilege	5772	powershell.exe
Token: SeLoadDriverPrivilege	5772	powershell.exe
Token: SeSystemProfilePrivilege	5772	powershell.exe
Token: SeSystemtimePrivilege	5772	powershell.exe
Token: SeProfSingleProcessPrivilege	5772	powershell.exe
Token: SeIncBasePriorityPrivilege	5772	powershell.exe
Token: SeCreatePagefilePrivilege	5772	powershell.exe
Token: SeBackupPrivilege	5772	powershell.exe
Token: SeRestorePrivilege	5772	powershell.exe
Token: SeShutdownPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeSystemEnvironmentPrivilege	5772	powershell.exe
Token: SeRemoteShutdownPrivilege	5772	powershell.exe
Token: SeUndockPrivilege	5772	powershell.exe
Token: SeManageVolumePrivilege	5772	powershell.exe
Token: 33	5772	powershell.exe
Token: 34	5772	powershell.exe
Token: 35	5772	powershell.exe
Token: 36	5772	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4884	powershell.exe
Token: SeSecurityPrivilege	4884	powershell.exe
Token: SeTakeOwnershipPrivilege	4884	powershell.exe
Token: SeLoadDriverPrivilege	4884	powershell.exe
Token: SeSystemProfilePrivilege	4884	powershell.exe
Token: SeSystemtimePrivilege	4884	powershell.exe
Token: SeProfSingleProcessPrivilege	4884	powershell.exe
Token: SeIncBasePriorityPrivilege	4884	powershell.exe
Token: SeCreatePagefilePrivilege	4884	powershell.exe
Token: SeBackupPrivilege	4884	powershell.exe
Token: SeRestorePrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeSystemEnvironmentPrivilege	4884	powershell.exe
Token: SeRemoteShutdownPrivilege	4884	powershell.exe
Token: SeUndockPrivilege	4884	powershell.exe
Token: SeManageVolumePrivilege	4884	powershell.exe
Token: 33	4884	powershell.exe
Token: 34	4884	powershell.exe
Token: 35	4884	powershell.exe
Token: 36	4884	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5960	processhacker-2.39-setup.tmp
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe
5552	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6124	VenomStealer.exe
4128	VenomStealer.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 5960	3760	processhacker-2.39-setup.exe	135
PID 3760 wrote to memory of 5960	3760	processhacker-2.39-setup.exe	135
PID 3760 wrote to memory of 5960	3760	processhacker-2.39-setup.exe	135
PID 5960 wrote to memory of 5552	5960	processhacker-2.39-setup.tmp	149
PID 5960 wrote to memory of 5552	5960	processhacker-2.39-setup.tmp	149
PID 6124 wrote to memory of 5476	6124	VenomStealer.exe	157
PID 6124 wrote to memory of 5476	6124	VenomStealer.exe	157
PID 6124 wrote to memory of 5476	6124	VenomStealer.exe	157
PID 6124 wrote to memory of 4816	6124	VenomStealer.exe	158
PID 6124 wrote to memory of 4816	6124	VenomStealer.exe	158
PID 6124 wrote to memory of 1072	6124	VenomStealer.exe	160
PID 6124 wrote to memory of 1072	6124	VenomStealer.exe	160
PID 6124 wrote to memory of 1072	6124	VenomStealer.exe	160
PID 4816 wrote to memory of 5772	4816	onedrive.exe	161
PID 4816 wrote to memory of 5772	4816	onedrive.exe	161
PID 4816 wrote to memory of 5428	4816	onedrive.exe	164
PID 4816 wrote to memory of 5428	4816	onedrive.exe	164
PID 4816 wrote to memory of 4044	4816	onedrive.exe	166
PID 4816 wrote to memory of 4044	4816	onedrive.exe	166
PID 4816 wrote to memory of 5436	4816	onedrive.exe	168
PID 4816 wrote to memory of 5436	4816	onedrive.exe	168
PID 5436 wrote to memory of 224	5436	cmd.exe	169
PID 5436 wrote to memory of 224	5436	cmd.exe	169
PID 4128 wrote to memory of 4200	4128	VenomStealer.exe	174
PID 4128 wrote to memory of 4200	4128	VenomStealer.exe	174
PID 4128 wrote to memory of 4200	4128	VenomStealer.exe	174
PID 4128 wrote to memory of 5384	4128	VenomStealer.exe	177
PID 4128 wrote to memory of 5384	4128	VenomStealer.exe	177
PID 4128 wrote to memory of 4392	4128	VenomStealer.exe	175
PID 4128 wrote to memory of 4392	4128	VenomStealer.exe	175
PID 4128 wrote to memory of 4392	4128	VenomStealer.exe	175
PID 5384 wrote to memory of 4884	5384	onedrive.exe	178
PID 5384 wrote to memory of 4884	5384	onedrive.exe	178
PID 5384 wrote to memory of 320	5384	onedrive.exe	181
PID 5384 wrote to memory of 320	5384	onedrive.exe	181
PID 5384 wrote to memory of 3084	5384	onedrive.exe	183
PID 5384 wrote to memory of 3084	5384	onedrive.exe	183
PID 5384 wrote to memory of 4396	5384	onedrive.exe	184
PID 5384 wrote to memory of 4396	5384	onedrive.exe	184
PID 4396 wrote to memory of 5436	4396	cmd.exe	186
PID 4396 wrote to memory of 5436	4396	cmd.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Autoclicker.exe
"C:\Users\Admin\AppData\Local\Temp\Autoclicker.exe"
1⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffba2f49758,0x7ffba2f49768,0x7ffba2f49778
1⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:2
1⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=4748 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5032 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=4912 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=4716 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=4888 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5616 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6068 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6232 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=2944 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5956 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:4952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5624 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=3220 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=3208 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=5400 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6640 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=5344 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6816 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=6772 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8108 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=7992 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=7972 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7864 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7852 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7716 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=8332 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=7172 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=4788 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=5232 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=5300 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=8388 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=4428 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=8044 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=4576 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=7488 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=6736 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=4524 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8112 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=7760 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7308 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4848 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7592 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8644 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5480 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:8
1⤵
PID:5516

C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
"C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Users\Admin\AppData\Local\Temp\is-0BLIH.tmp\processhacker-2.39-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0BLIH.tmp\processhacker-2.39-setup.tmp" /SL5="$402DC,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5960
- - C:\Program Files\Process Hacker 2\ProcessHacker.exe
    "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --mojo-platform-channel-handle=2344 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --mojo-platform-channel-handle=3796 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --mojo-platform-channel-handle=6568 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --mojo-platform-channel-handle=6464 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --mojo-platform-channel-handle=5264 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --mojo-platform-channel-handle=4492 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --mojo-platform-channel-handle=8632 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --mojo-platform-channel-handle=8084 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --mojo-platform-channel-handle=7656 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --mojo-platform-channel-handle=4716 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --mojo-platform-channel-handle=8808 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --mojo-platform-channel-handle=9088 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --mojo-platform-channel-handle=4728 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --mojo-platform-channel-handle=8936 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --mojo-platform-channel-handle=8380 --field-trial-handle=1604,i,11001349852134929580,12428979332253716270,131072 /prefetch:1
1⤵
PID:3436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6008

C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer.exe
"C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAeQB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbQBsACMAPgA="
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5476
- C:\Windows\onedrive.exe
  "C:\Windows\onedrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "onedrive" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5428
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe"
    3⤵
    - Executes dropped EXE
    PID:4044
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4044 -s 1072
      4⤵
      Program crash
      PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp95CE.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5436
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:224
- C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer Config.exe
  "C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer Config.exe"
  2⤵
  - Executes dropped EXE
  PID:1072

C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer.exe
"C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAeQB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbQBsACMAPgA="
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer Config.exe
  "C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer Config.exe"
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\onedrive.exe
  "C:\Windows\onedrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "onedrive" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:320
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe"
    3⤵
    - Executes dropped EXE
    PID:3084
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3084 -s 1044
      4⤵
      Program crash
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDDA0.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
39KB

MD5
73e3a0db72e2804812ca07a43e8dbc20

SHA1
94b9037d96fcbe517a463c3c6ebb6bd944e67479

SHA256
2a7bf42ef89ff1a799997ba58415597ff180e1e7d6f8b9dbbcf38f0b27a02a63

SHA512
3201360d3f0b254527b8650ad7d0d40b07379ffcea9b1ff4c3e3b8111231e6b74c214247473ac0554c765689195ee716aab5e423f8f662aca2cb9a32b9f87e5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
25KB

MD5
8f73b3b8ce550f5cba274fb17052647f

SHA1
9185b1b3a826836c6865bd084f63777251826d8c

SHA256
4ff90821b936333a40f726950ee6f70fe6f22ff1f54c45191c3a7b3f7c1ccb98

SHA512
456123c2317c8365b2895db92b4d727b155caa0c70494ea235507e4013596b05b40a615db512965714b54bab96c8798834ee394fd9508baa7e224dbd810e155f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
64KB

MD5
b17583133eb6750a326190f484646248

SHA1
24de72af6d973b6647f20babd5ff3bf1b4da3169

SHA256
b2420638b24bea966a2b70a97a657ee46f91c3bb6902fdbd8e247c42d77c30da

SHA512
a1d11c87696031d0d036b95a35e5962dc78ea69e82beda88204192d82d6acfb1219edeb93817b1acda4cde48765963bd4051c13fee7eaa69c10f6f1d4ead3d51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
85KB

MD5
a0d0b21b6ca7fd4e3d5581d73d9ac734

SHA1
94fb5cdeee732b66bdb4ef8fc19d340e63aa060f

SHA256
f1a94d1675e26a4cb57c340df3c7cf549bb65c54b859f0156fda69ad084e87ed

SHA512
c3b8de9e81aa96fa4e0dc0d46bc34ce62035d1c64a58be8605156a62249dc7f583946537626aae27eee72338a96efddc7f69b8eecd0bd9e080cc52792792b1b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004c

Filesize
61KB

MD5
d2f677b913bf8d74b1f0ead0eb6215e0

SHA1
bdeed3898785a05a15285f29a014bd6944019a60

SHA256
2e15daf35317e3677e4a1c3132e368788eec43c196579cb8388352d873c6d7c5

SHA512
e4d7f76cebcaaa20605064057501aa90c020878a7d876fc4517a643de6e4498168ece2ce1c222574aa3a5f23bc360181a057fbdd6ffa6ea0f3e03f50e0b440bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000054

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005a

Filesize
55KB

MD5
ca229a996fac715d1762a0fe03e5a980

SHA1
a208d974470cca652bc7ff816a3cd9b074d6df4a

SHA256
251e8bf329c56d859d4b55f26e5144ea398fade33038f1057da9970e99e377d6

SHA512
688e2471145a0cd5ad5e378576c2de67e345994498843425db339638761ef55c80e9e4b168a965c9a01ac217669181b27b3e4f14d62a35eed4513d445faae908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\10aa50ac-89ff-4dd3-bf76-36acf2ff73ce.tmp

Filesize
536B

MD5
a9318be8f989093076741dbd899cea03

SHA1
2e7f7d2f1b44bc89ee167d4f4bfbd13905672812

SHA256
65f9c2550d128a4d276ed3d70c46447c07b2452afa7555be097f3a811a34bd81

SHA512
b8af2fc17b82cdcbef44c95e20527c3a90a99064da6440b8bb4ef639dac6f96612ea97eafc3c803c05899b3baffd95002c61e0217a3c8f4cdb5467d3b915d1d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
19KB

MD5
37bbbbf2ee71b3382a4426fbfc87458e

SHA1
8c23a3ce2da71d11bf1880c967f97d23f148fb7f

SHA256
6b116248ed001885b5e6f613d8ebe1ed1a53f096d40b77bb5495dc94a6c9e7a7

SHA512
b78c66b8f0a42befa41b780366ffe189bdaa03d6b734469c9b748a394d7eab3d58244da8289c114f653268add50cfd53821e54d77969c87719d7163c92ba120b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0567333d7013f623893d1f83fb93a4c3

SHA1
abaf17b1229f0fc56f486bc99f0f4cf00c54089c

SHA256
35cc77828e95fbae37532fa903b45229a97f5ef3aae1155a3ac48658b491d36c

SHA512
235f270d5b2c3a88d5e4059f1ef5f9fc8898006a5dcb18499b1219d62dc1db2666ed96621e5f27c217ec0eab4c7026155dc2572a5f99820da6f521b5f9460b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
8bf82631b371d0d430032e3d55c96f0b

SHA1
785e1802fc2f07d1bee909c5e4b178964d39f48a

SHA256
7de1dcb9eab82ffb0988e1285abec85d1248bab6ea95a03d0f9c081eacc179f6

SHA512
38e09235344da7004a301aeff055fdaf631983b452fae85a3abeaa488f345a48fcbe4311911c7c52ead4399b0d70bb4881c0f71167a4e8be845532116ac1582b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
b28f83b339ef8ea2015b0f549950fa72

SHA1
0a89ed7703987b8badc559fa44ecd1dfdd95117a

SHA256
10051ec6e5720b7421557fe81451eb71898a35443b81b419f5a90c5721e851ad

SHA512
0a4673b905bd421e421302dd158807043b8519d926419aa21b53f71962d2e0f7b27abd5e31e92af64d082481b8c60e4b6058cad5704c15dc711cbc3fbd7da459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
c57d67c0ddd47579dd06ed59df3d0b21

SHA1
59b8dec00e26926f88d5b4db7a2061b6d0473427

SHA256
7e9ae600fffe34041ec18e81df10750378cea7e602f1d00b25bb2ebc69a916ff

SHA512
dc79979c599928f85d25cfbc9f965f93ea1539c40e2cdc7c55a73a385144ba92a1d38464ba677682f61c5ef5528f34e0e89fb6d59c80cce24d0bb4450feb9e97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
c3e5c0a29cbbb56314c683d342aa2e60

SHA1
1b122d3da6f4477f76d46b235f352b32541d1ef0

SHA256
77b421171c751785d8d71f0cb882e0d12622f15baeb5c799d81bd2f5a5c980bd

SHA512
799ceb1e31814986dccbd35d51f3b0c86e0f864e313cfbb71b1648436855fd4c68b75f793568b4bbb2992c3de518819b0111402d10f7b7adfcebc917e3a790b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x03cymf1.o4l.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0BLIH.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\Downloads\Venom Stealer\Venom Stealer\VenomStealer Config.exe

Filesize
83KB

MD5
a2dd19750cc521ade47a41a62dd3e1b2

SHA1
a32b277841f8afafb5093f56dae21cb062c4b5e2

SHA256
d93f8bd9c2a9786af055093b278b8b61237df0c4a4d4653e7510bac332c9f943

SHA512
949e50cf169a39c1bd20c047903b568eb393e11d4216c81f3bc61d578ac3040ab9d2bdde349ce9620e95e260f80af24407ff38fd557ed77ec1daaea6c1835210

Download Submit
C:\Windows\onedrive.exe

Filesize
434KB

MD5
887401780c434249940664bdbaa407d3

SHA1
5f44edf84097dfed63098a0847a5ef4938637f75

SHA256
d0b80a057327249e93948cc9d279a7c9a102815c1ae3ebcac274520bd5b2d78b

SHA512
680455762debced6a133c0f123a5a896f68c8714ee4c7d4fd40d7e26d873fb478a0bd345fba1b5f85356b24fac02aaa400102a95c2da0a2014ef78a71d01ec38

Download Submit
memory/1072-679-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1072-561-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1072-697-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1072-902-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1072-562-0x0000000004A40000-0x0000000004AD2000-memory.dmp

Filesize
584KB

Download
memory/1072-568-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1072-642-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1072-569-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

Filesize
40KB

Download
memory/1072-558-0x00000000001E0000-0x00000000001FA000-memory.dmp

Filesize
104KB

Download
memory/1072-576-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1072-560-0x0000000004E80000-0x000000000537E000-memory.dmp

Filesize
5.0MB

Download
memory/3760-513-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3760-378-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3760-472-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4044-677-0x00000000000C0000-0x0000000000130000-memory.dmp

Filesize
448KB

Download
memory/4044-683-0x00007FFB93AF0000-0x00007FFB944DC000-memory.dmp

Filesize
9.9MB

Download
memory/4044-686-0x000000001AC40000-0x000000001AC50000-memory.dmp

Filesize
64KB

Download
memory/4044-691-0x000000001AC50000-0x000000001AC7C000-memory.dmp

Filesize
176KB

Download
memory/4044-893-0x00007FFB93AF0000-0x00007FFB944DC000-memory.dmp

Filesize
9.9MB

Download
memory/4044-894-0x000000001AC40000-0x000000001AC50000-memory.dmp

Filesize
64KB

Download
memory/4200-915-0x0000000006900000-0x0000000006910000-memory.dmp

Filesize
64KB

Download
memory/4392-912-0x0000000073480000-0x0000000073B6E000-memory.dmp

Filesize
6.9MB

Download
memory/4392-914-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4816-566-0x00000000018F0000-0x0000000001900000-memory.dmp

Filesize
64KB

Download
memory/4816-684-0x00007FFB93AF0000-0x00007FFB944DC000-memory.dmp

Filesize
9.9MB

Download
memory/4816-640-0x00007FFB93AF0000-0x00007FFB944DC000-memory.dmp

Filesize
9.9MB

Download
memory/4816-656-0x00000000018F0000-0x0000000001900000-memory.dmp

Filesize
64KB

Download
memory/4816-554-0x0000000000FD0000-0x0000000001042000-memory.dmp

Filesize
456KB

Download
memory/4816-556-0x00007FFB93AF0000-0x00007FFB944DC000-memory.dmp

Filesize
9.9MB

Download
memory/5384-910-0x00007FFB93E40000-0x00007FFB9482C000-memory.dmp

Filesize
9.9MB

Download
memory/5384-916-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/5476-874-0x0000000008740000-0x0000000008748000-memory.dmp

Filesize
32KB

Download
memory/5476-559-0x0000000006E80000-0x0000000006EB6000-memory.dmp

Filesize
216KB

Download
memory/5476-565-0x0000000006E70000-0x0000000006E80000-memory.dmp

Filesize
64KB

Download
memory/5476-567-0x0000000006E70000-0x0000000006E80000-memory.dmp

Filesize
64KB

Download
memory/5476-639-0x00000000094D0000-0x0000000009503000-memory.dmp

Filesize
204KB

Download
memory/5476-564-0x00000000074F0000-0x0000000007B18000-memory.dmp

Filesize
6.2MB

Download
memory/5476-641-0x00000000094B0000-0x00000000094CE000-memory.dmp

Filesize
120KB

Download
memory/5476-570-0x0000000007470000-0x0000000007492000-memory.dmp

Filesize
136KB

Download
memory/5476-644-0x000000007E370000-0x000000007E380000-memory.dmp

Filesize
64KB

Download
memory/5476-650-0x0000000009860000-0x0000000009905000-memory.dmp

Filesize
660KB

Download
memory/5476-651-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/5476-655-0x0000000006E70000-0x0000000006E80000-memory.dmp

Filesize
64KB

Download
memory/5476-572-0x0000000007F30000-0x0000000007F96000-memory.dmp

Filesize
408KB

Download
memory/5476-571-0x0000000007C50000-0x0000000007CB6000-memory.dmp

Filesize
408KB

Download
memory/5476-659-0x0000000006E70000-0x0000000006E80000-memory.dmp

Filesize
64KB

Download
memory/5476-661-0x0000000009A00000-0x0000000009A94000-memory.dmp

Filesize
592KB

Download
memory/5476-660-0x0000000006E70000-0x0000000006E80000-memory.dmp

Filesize
64KB

Download
memory/5476-573-0x0000000007FA0000-0x00000000082F0000-memory.dmp

Filesize
3.3MB

Download
memory/5476-891-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/5476-883-0x000000007E370000-0x000000007E380000-memory.dmp

Filesize
64KB

Download
memory/5476-579-0x00000000086C0000-0x0000000008736000-memory.dmp

Filesize
472KB

Download
memory/5476-563-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/5476-575-0x0000000008370000-0x00000000083BB000-memory.dmp

Filesize
300KB

Download
memory/5476-574-0x0000000007E20000-0x0000000007E3C000-memory.dmp

Filesize
112KB

Download
memory/5476-869-0x0000000008760000-0x000000000877A000-memory.dmp

Filesize
104KB

Download
memory/5552-546-0x000001F498BF0000-0x000001F498C81000-memory.dmp

Filesize
580KB

Download
memory/5552-897-0x000001F498BF0000-0x000001F498C81000-memory.dmp

Filesize
580KB

Download
memory/5552-542-0x000001F498BF0000-0x000001F498C81000-memory.dmp

Filesize
580KB

Download
memory/5772-584-0x000001DD64FF0000-0x000001DD65000000-memory.dmp

Filesize
64KB

Download
memory/5772-892-0x000001DD64FF0000-0x000001DD65000000-memory.dmp

Filesize
64KB

Download
memory/5772-657-0x000001DD64FF0000-0x000001DD65000000-memory.dmp

Filesize
64KB

Download
memory/5772-658-0x00007FFB93AF0000-0x00007FFB944DC000-memory.dmp

Filesize
9.9MB

Download
memory/5772-594-0x000001DD7D7D0000-0x000001DD7D7F2000-memory.dmp

Filesize
136KB

Download
memory/5772-582-0x00007FFB93AF0000-0x00007FFB944DC000-memory.dmp

Filesize
9.9MB

Download
memory/5772-587-0x000001DD64FF0000-0x000001DD65000000-memory.dmp

Filesize
64KB

Download
memory/5772-614-0x000001DD64FF0000-0x000001DD65000000-memory.dmp

Filesize
64KB

Download
memory/5772-599-0x000001DD7D880000-0x000001DD7D8F6000-memory.dmp

Filesize
472KB

Download
memory/5960-494-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5960-473-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/5960-394-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5960-510-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download