2afb5303e191dde688c5626c3ee545e32e52f09da3b35b20f5e0d29a418432f5

Analysis

max time kernel
505s
max time network
493s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64/ProcessHacker.exe
Size

1.6MB
MD5

b365af317ae730a67c936f21432b9c71
SHA1

a0bdfac3ce1880b32ff9b696458327ce352e3b1d
SHA256

bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
SHA512

cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b
SSDEEP

24576:V7eokafnkAwgcU+29fR4PQviXq1pj3EDT5m+m8I:V6efnkdlUF92PGBOT3m8

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ProcessHacker.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	ProcessHacker.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633168251762481"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
2760	chrome.exe
2760	chrome.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	ProcessHacker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3148	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	3148	ProcessHacker.exe
Token: 33	3148	ProcessHacker.exe
Token: SeLoadDriverPrivilege	3148	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	3148	ProcessHacker.exe
Token: SeRestorePrivilege	3148	ProcessHacker.exe
Token: SeShutdownPrivilege	3148	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	3148	ProcessHacker.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe
Token: SeShutdownPrivilege	2760	chrome.exe
Token: SeCreatePagefilePrivilege	2760	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe
3148	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe
4676	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 5112	2760	chrome.exe	93
PID 2760 wrote to memory of 5112	2760	chrome.exe	93
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 4584	2760	chrome.exe	94
PID 2760 wrote to memory of 3932	2760	chrome.exe	95
PID 2760 wrote to memory of 3932	2760	chrome.exe	95
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96
PID 2760 wrote to memory of 3632	2760	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe
"C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe"
1⤵
- Enumerates connected drives
- Checks system information in the registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6f21ab58,0x7ffa6f21ab68,0x7ffa6f21ab78
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:2
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4304 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4824 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4864 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3268 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4088 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2788 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3124 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4844 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4312 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4128 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3288 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4912 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2396 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5032 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5156 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:2
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1912,i,14640545010469589603,1754337604269267176,131072 /prefetch:8
  2⤵
  PID:812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:932

C:\Windows\System32\2hg3rtr3srix4.exe
"C:\Windows\System32\2hg3rtr3srix4.exe"
1⤵
PID:116

C:\Windows\System32\jatns2.exe
"C:\Windows\System32\jatns2.exe"
1⤵
PID:560

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x304
1⤵
PID:1992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5444
- C:\Windows\System32\jatns2.exe
  jatns2.exe
  2⤵
  PID:5548
- C:\Windows\System32\jatns2.exe
  jatns2.exe -h
  2⤵
  PID:5576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
204KB

MD5
081c4aa5292d279891a28a6520fdc047

SHA1
c3dbb6c15f3555487c7b327f4f62235ddb568b84

SHA256
12cc87773068d1cd7105463287447561740be1cf4caefd563d0664da1f5f995f

SHA512
9a78ec4c2709c9f1b7e12fd9105552b1b5a2b033507de0c876d9a55d31678e6b81cec20e01cf0a9e536b013cdb862816601a79ce0a2bb92cb860d267501c0b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fb79dc47e7cd0548ad9606a6509b8995

SHA1
f772bcd0890411776c7d1dd772b6b356c889f7ee

SHA256
fe117645563c9a9a012fc53766cb774dc10f4ef3abdfd8116cc0d33c104abc12

SHA512
e7f5108e3bfbef3fb639220da6a85cc322cef3339b67fb7fca3b2a5a8c41fb7af2a64a39cba5d3e0ea75b91e1905b68cca11520b1df5f4fa68bbbbbcc2ea7be8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4790a5833e216855bc83fd9773383ca1

SHA1
b4f7b8589edde9c25a96dd470eb6753cb6e33623

SHA256
091ed6c90cc93ca1f46f29565ca01bba4883dd2a1e24371c38e48ee5b123e582

SHA512
81d65f94e5668017e94b69b9fe5f8fae07c1a47cbbbfbb7dd82fc3daf4bf3e1a40ad43bf28150a588cbd1b8dd1ac4d9251fda40939276f11d0c7af143ca26acc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1dd5cbc8e8438220745e28b78f89bf94

SHA1
442a96965f7eddbb9d1c5cc401bbd5bc64b036d5

SHA256
7ebf4b789982425627da3723e217a2a67fe5f23ab4c39f04162377cabe1729ae

SHA512
d4959df766bb36969dc25cb3c87c08218305e80e64d62485262589a10fee4e858edde9d3ce4fc666fdd33ac8faae61903279659ed0a4845fdbdc0a2006fa166b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f53dd9c34df49869a3291ecf1ff67a69

SHA1
ed569398d6642c58fa1aa4e0ba3e0793ac4213cc

SHA256
aaaf2509fbc7002f71601074982a1204049c45f5559f6da2ab4bbb4afcead49c

SHA512
65008cf928ce307f3fcbfd05f4f261f59cdd1cc9aee828f2919d1a1842f11aa37e8548fa0deaf5d55c9e2f72b4308f05f2d8703af2ae375b199019ba79f0896d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e04488afa6340be7340eb9fd50cfd491

SHA1
15c80fbf42dd4bacf94d53179613890cb3c32bac

SHA256
66566e17d997653736ae9dbe48f03bc287bf622cad750da2b98d68a16caee16c

SHA512
7a2d7aa141d42d4e5dcb3672e2dfd15c49ac3507eaf2db48362c05bf4c5b481509dc4a4c3767ca393edf5d14e9eb215f0abe11c048c68eb1bdb28e80235adfce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
0411d1b00f85d9e728d1376c94e83555

SHA1
b1955b2f8cb927fcb612f7f68a3d0e4d5967ffb9

SHA256
764b24277ede5c727fe3ca209641e60274e9b3ee88c5f6e955dc6454aef0377c

SHA512
290645242686f5755f15e37a3314b8e13a7b4c0689a7f441adbb654bd3159ca4761a08a6b1124cb522da77579c39f788047eadb8ae36516f5dbd8babce27da58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
a35f21725c63a4db145c1fa71682c3ad

SHA1
ba0b39bd396f20d2f6a3be3d996bce6bf47763e5

SHA256
3580828d910efc7687c6b177479b4874330c95bdcbbb18aedf79ddf90264ab6b

SHA512
3b81b5eb2e7129f6ae376fbba2cabb7e4733a791ef2a4f7598d4e05388954d41098a6fd28041e3f0b258c7dff78709c92562a107db73318f2333e7c5e01f2657

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9200992e052217d9c9db0fca5300f1e0

SHA1
4401d6a0d4417ebf85e609f9e4b3186a8c0f14a8

SHA256
c00f61bd88e8c2bce5c4fbe1bf411158a11f4e606f32baa184528587adaba7cd

SHA512
81aab16398b3de71be0323e1bfccde74ee8e1ce493908225a7e9e6d4a4cffaed7108bf28a20b0fc9f5eba50798abc4234555e9df5a112a0cf96e0b0f91b2171d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8e6f94173b117d51bb36af5adf9ac75d

SHA1
8b6c2629f49e16887f5efd2e401108f459cb799d

SHA256
5a8c80276123438b948bed58659bb187ea5a15c88022140d95900f452dc165d7

SHA512
22ca17bcdb45d24835a1affbdfd7802b2eb33a8c9f2443d831befdaf4bdad5e5e0ccd271dbb9a4a06da048c90b232fa4949a49f11e4ec15b6ec3c062e43ff465

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d4a0987ef024984a093795bcb9b674da

SHA1
02dadaa61f580faa6dc7ce9114329959420e75c3

SHA256
540d3475d61c1f469fca0b61a5adb0b695979426e9a5d03a8fc54efef87b905c

SHA512
6650c14170cadcc60f33051508ba94ad3f0ea8a3b2653051a5d34e797e5bdbda2ee2dc764c1f748dc3e8a652aa4e78e0687f0787c3170e12a75bee6797dbd113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
635ba7eb4505bdf80870fb363de9e3d4

SHA1
deb6fe96d0adbb8cf7663b57145728e6f70a4ecf

SHA256
8a34c34c9b9faf2db70305a2f48d49a6c90dcaed2af18be642efe81d15405770

SHA512
02c7f38ae60a2a0627c659af0d14f5e44acb2fbbc8e6f6834e1779c3d18cc1c0f23a58f1f6f2805bea848781dd449269cfe3dc7b7d84aa3d25e77c7168a3d47a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
66268fef98a80fbd4fe10c6cec2d7140

SHA1
578d7541ee3f74966747e193dcb8b7efa5e63162

SHA256
5ed4d1d9d558afa3b822235fa4d697eaa5b1e61b7822aaf78c725843d3c249c1

SHA512
ab2aba1f176616c35087c7b05e8e70fe0604a00e80b51135da194defe37366cb8b5da15678cc7c0cbcc231d1fa6b08f7243301de1c7acc597b3c4b7246151ba9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
6dbfedca704d3e69930fd350de963480

SHA1
c7175ec280c3d0d48cbcf5ad6fe9e0b06b7c7ae9

SHA256
23137544da10f8a4ff52b563bffa52420467fde4acdd5bc9f0038856dafdb63a

SHA512
217d88ce2b486ef62e61bfcdd26f97e2323c8b933cd0b364c6b65577657f1c1bd40be33816957fe05bd1d20e067c520c544e364eb01117ab2c22b1cbfd1d93bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
5028761ef911b86ab810e095d0ddc903

SHA1
fd29b4c46353485e86e733ac8fa85d69da90caeb

SHA256
9ba5a651804d3029468868d6dc6e8454f700a0030a134fcc07f18b1ce457575a

SHA512
e893b7eb6522d79dcaf1c7ca7222de98208b0b94025874cbe080aedd7b2eacc81cddc3b30c05a0a684217a1b707b5b1ab792951741e6e5c60a2fc0f430273fab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
89KB

MD5
42ebaa2111fe813d4477ef146e5fedfd

SHA1
a2bc8f8c389437c57872fc2cdb06097673f840b3

SHA256
8fca35b04b68372cbff952508736a7c662b985f114ca643e577c8325f4aeefe0

SHA512
a51b3198d7166a837df6842930fa7a56c960d63ff14b0542581cd2d8e3f8e77dad86f10b7c081f4dce9d94c64d6c73b8ce9b4af0cf103a6b5e6c315cf93dbaee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
88KB

MD5
98b75c138e99abbc412d89605cba808d

SHA1
04c9bf5cf21807cbfb24a7b6af4b705ff0ebedf4

SHA256
68018cdca1344d4c58b0ef55459eea49bca1ea827b19703197452cc086ab6743

SHA512
9cd9c0c8eccc048ee936c23d7687ee22d833ea140381349d64d80d3cf7829a2a70b42610e17cd7cedd6ecb62ace0b3696cc6548c81adcecdd1b4d8c83beee582

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5882d7.TMP

Filesize
87KB

MD5
0037eba354f4ae8c4572fd4bb138cfb5

SHA1
fd7e13293823ffc878aab02082f0a7022bd03c8e

SHA256
41897b667bc2db09ba733563540aec720ac61f9aa00cde448b5ca6cff3a233da

SHA512
51ae76d9beec2fd6a9ee09a29315abb23b953f2fc9ae6d77af0a7724c12409c149a0b93dd92722a711bff3259c022e1947b506baab6126fbfad9e0f5f02e1628

Download Submit