discordrat | f7942e05518073bee6eac475dc7d8123c350bd17b0ef42c1b4d14d6e5ebb50f4

Analysis

max time kernel
206s
max time network
218s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
27/02/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

d63c4fc029fd8393bdcc4807bfecbf53
SHA1

0768be95491c041ce15da88361fce14b3608692d
SHA256

f7942e05518073bee6eac475dc7d8123c350bd17b0ef42c1b4d14d6e5ebb50f4
SHA512

715ef9580957ca74018499dbdd069be2f5f8c69fa71c8ece5f05b557dd29c23762afc203184100ca41829ab20bfdfa2033a114a1a2b10e313f45ebf5dfab7ce4
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dcPIC:5Zv5PDwbjNrmAE+dQIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMTc4MTAyMjAwNjUxMzczNA.GwNmTE.XiN06oNscUVljN9Vv9c1o8iBqPypL2DMlrbccs
server_id
1212054940705628210

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
1252	OneDriveSetup.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ContextMenuOptIn	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ = "ILaunchUXInterface"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\ = "SyncingOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\FileSyncClient.AutoPlayHandler\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\VersionIndependentProgID\ = "FileSyncClient.AutoPlayHandler"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import\DropTarget\CLSID = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1\ = "SyncEngineCOMServer Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\ProgID\ = "SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\OOBERequestHandler.OOBERequestHandler.1	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ = "FileSyncOutOfProcServices Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\SyncEngine.dll\\2"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\*\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
756	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
756	OneDrive.exe
756	OneDrive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	Client-built.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
756	OneDrive.exe
756	OneDrive.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
756	OneDrive.exe
756	OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
756	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4820	3380	chrome.exe	76
PID 3380 wrote to memory of 4820	3380	chrome.exe	76
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 2872	3380	chrome.exe	79
PID 3380 wrote to memory of 1704	3380	chrome.exe	78
PID 3380 wrote to memory of 1704	3380	chrome.exe	78
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80
PID 3380 wrote to memory of 4460	3380	chrome.exe	80

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd881d9758,0x7ffd881d9768,0x7ffd881d9778
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1812,i,10442099114290719280,15945912062865837751,131072 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1812,i,10442099114290719280,15945912062865837751,131072 /prefetch:2
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1812,i,10442099114290719280,15945912062865837751,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1812,i,10442099114290719280,15945912062865837751,131072 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1812,i,10442099114290719280,15945912062865837751,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4464 --field-trial-handle=1812,i,10442099114290719280,15945912062865837751,131072 /prefetch:1
  2⤵
  PID:2772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4020

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:756
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  PID:1252

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7ffd881d9758,0x7ffd881d9768,0x7ffd881d9778
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1812,i,8620291932179741602,12362133819703702101,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1812,i,8620291932179741602,12362133819703702101,131072 /prefetch:2
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1812,i,8620291932179741602,12362133819703702101,131072 /prefetch:8
  2⤵
  PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1812,i,8620291932179741602,12362133819703702101,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1812,i,8620291932179741602,12362133819703702101,131072 /prefetch:1
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4524 --field-trial-handle=1812,i,8620291932179741602,12362133819703702101,131072 /prefetch:1
  2⤵
  PID:872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
72eae15d9e00f6199f99869be2fdec65

SHA1
ef04d90785f7c663850ff7e922c8686088bb20c1

SHA256
0106666315858c1b5b9c571926914fc384fe6abcd5373ad150a93d1d4444f146

SHA512
93567b7e2f24cf4aa668a8616062762edd46fa2ede91e3e1fb1befafde4e108444cb7c0d94746eaf4041e72e564633ca24ab6beb228f052ded8b0c7d6cbe3ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
5e1ef61d494c3661b430e07a35d0e033

SHA1
3f85f91491429181fd79c7f1f9abdb137c88db45

SHA256
72d2954560b1a69be71cbd893106f2c8892f44a0af7632ee1eff833165db8261

SHA512
07340a97e397ebdf995ab925a4525c2d33580380423bc9a5fe7cbd90cea879060f5ada4083ab8221a47c545a4aaeca3b9edf092efb460b4f47d5cfbcf7f65874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
e22d15cdfe97055c5debf42ed2b99fbb

SHA1
b8df1e7ce0c24752d4ad9263d84c2bc6a97d0d75

SHA256
77806a82008adfaac50a27dfc6d98a0cd2ec99d560610fd9bbaf0ecfc8e17550

SHA512
2b5a6fe5da3c87ebbcf61d13c46dce9caa0feee5e9a57a85755cf3837a38ae3e1d7587ef9f4c43826202d75cc68cd73985bbf2110af82f80b530a2892a06109d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
768KB

MD5
bac5faa30bf71d2152dab5402e36e826

SHA1
9624629456251edbb9b996c76ff96a0f1a4c9dd2

SHA256
a3588e36df4fd5ac74e85e73dc18dcd40ae5744236bba5c1e95b2e346703e848

SHA512
b976451db96686a9816939a36d5e8642ac8b2048080236198f5a0e512e22cc3d6edc405907da3757cfae657ed2e15309d02d9910307bd10486acc8c1023ec511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
317B

MD5
dc611f1eda63e434f6772a3bc9c7820d

SHA1
4fd92246ce5ad5158e33d45188fcb874cecd3310

SHA256
b6b90a8f0d1d48ab03e104043b2847c17ea6293f01d1d2ac4cec45bed894ba60

SHA512
c231e3da07e4536ca628bada795d041bdc4adc65331d711b543604f70e2e30dc7a42adb8f00aada24eb75d59fedb138ebe2dbaa520bd44f145ae2da43c2ec6c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
332B

MD5
3768fae7d2e9fde407b2d7381a4ec65a

SHA1
63e555bc7f0b9e6b937cedd69eb751f582e80e0b

SHA256
95a472a3b60137f6cc45e167db5ad32f5059665585acc0fb6d0198c3e465d01d

SHA512
e6d317b0a84f075afeb06ee12886048358ff5c656f06816f63726827f5fe26f3eb87e2d9086babc55306a4785bd1c73061a8ce1c8e351d54ce8e99cd7cc2ce3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
e148c1caa8306d12bdf13b17eff68b5e

SHA1
14f614086ed2947e718d13e5d61c668cdcb94eda

SHA256
56665694bc203181465bb381d3f5feeb0ad095b006dba890ae0816210cedf2f9

SHA512
778815f8fc0e23af018e342ef6a473079449f75cd9ba57b32e4b10091459321651d8428651cb49150671c47a3d4d27c721c60baeaf5e573f01569ba487bbc2c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
6072735991efeb173e56d2b901003152

SHA1
fdfa51f4391a1bfdc92da4c39d93f1b96dc29a91

SHA256
775b90e5a827302d8019e6b991a79b3e3f115e0e095a3dea7d3f4c20adffb107

SHA512
1aed5b4bc8105668f1057dd60221aa2eba80cf16fe5e57cfef911ebeadfa3787ba031b8b739b5bda50601bb41908b48667993bf3a38f9bbc130157987a3b9734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
a8f74d0981204f59f24a31adea0343a8

SHA1
880361f022cdcedcf36f7ef956846f472c6b0cef

SHA256
53244339e4043900397ed3c7a47f9e4429a1c0671320fb825b8e5c65b631817e

SHA512
f35f6655e2014e54e07bdb255d2016e9bf34dbd9dd0fba0fa6d132a131ca965ef1d033682d99bcef844befa02e4329e71f1bc97225d7b759c7978b4b6a1a1f89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f7280482e03644844f355d138dadd488

SHA1
26e5f055279d7464a2d74cd739e71a53e4e823f5

SHA256
ac5e30c72b58d9c32a4ff4ee50039705a830c99fdabc2c77d062f529f23158f0

SHA512
c6f1420a24ac01051412b000b67b474828a8defa25a42d6988cf3c9bc73eb72a9300f9c5df837786af6a7aa0cc1deb068f070153c2d6a5a76c204fe5fcdacda5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
213B

MD5
046cc08d163fc4578cd1b77a5d0965ac

SHA1
92f503e605c30974baf385f1619f1269b81dec57

SHA256
693a60684aa9ff4f01cb6027e9c938f4701c0c898afc224a0776cb1e18e87166

SHA512
e8b1df36a237bcbbad897146ca247edf75466b2a4030fec620c46932b5c31137f2931cd2758534e4308aed3fb9cc40edf2d7646a38530bcc5e6d7069c19a3b1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
320B

MD5
a78bb3c5b524123693140f44b04e3b6a

SHA1
0ab27f340143d5510fd031a29e3435c18faa534b

SHA256
55160180887449162ad18749c929e6c36c1aa23e092af433874e141aea60b297

SHA512
0ed2df18da8f72d526d3dbccfa5e60a1c57e9ec57cc1367c0da2df2f97da02b184ed624756acedd8715d3137e2fce6f0a42ed09638f8d482d4cd37fb286f07a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13353521856673685

Filesize
2KB

MD5
429aba0c0c313528369dbaa461c85c78

SHA1
08af93b24c349c14d91bbc2b889bb494fdafb66a

SHA256
63eab5ffd52dfd6b540193124edb0bdfb953b7b110970f9c23b8e92b0e223118

SHA512
fe510799ebac94d18126619f67e6965f426e4f0f9b0069cfa07b4d226d055e3b1662854f40bcc23029c3be45b140e9438eb72541384ad9a3a076b50732062b55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
590b305f963606b9c90ff969e8a50819

SHA1
e6e246bc12e241742cce8bc0f9a1dfd8a44c864d

SHA256
406ad578aa4c1b79eb2ffcd873ea1401a9dffa990c8f9999bccb011a9cd22e24

SHA512
b7f5df929e1ce8ef73b52bfcb2788d5c045fd7bee926dec562e1817d1e4d58a998aa922c15e94e7245de65c5c33b6041459f874a73ecb7e2d80f90937918d0c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
02cd6fa9bc5d2d71dac2ac04bbffa912

SHA1
c1ebbe1a77f883f597fbece78154591ae5b400c9

SHA256
974e33d8c44415ee4ab98759297c952d43d377d47427897be51418b053d2a18d

SHA512
d2793591b5a0490dee58eca8fa1b9492600a1f0cb4ca1808cfb9133ddeaa6dc01aa9f2238e039b374a8ea0aced1384d4613b79cea2bc529fa32e9e9b4bbc48ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
836B

MD5
2425def9c80d1f6b96082da400713389

SHA1
5e83a694c6033b413a107c237312531b53914dcc

SHA256
4e4bc62145fe868b0d633693e85470de47411d6bd5bda0b12dbad2bba54caefb

SHA512
434b980e51ce01c3a2250f80ed5e85fdde2fa0a2dde28d683311aa88e2e7c4dea8b0b069df2afb1c406a90155a350b5b38ecb127ceaa7514cfde88da77dc818f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
6d1ec99688be329d82239e0b9ab6bf53

SHA1
ea342d76b916d73dbb8dab4727aec7f292d46abe

SHA256
480785b12e47789dabed41342b6e21cdfb29563e1383b6927c00a2f5107acd45

SHA512
1734dca2e0995c6607aeb531ff8ca91ea0a9ac30871620c365abad0166ce7044b9de9ea7d006ba1f94a4f4dda7febba09c96765cd690239a4b91671a96327ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
889B

MD5
863ffee852561f21587333fde098010d

SHA1
ce25f626187786eda6c2e02095761cac423e6543

SHA256
75cae21f11e74a6a0e4bcd49974d1732f6e7b5af837b2ad47f7243ea1e60ca55

SHA512
0873c83399fad8b8b7e352f9b93f9d33bf11ce100d5790ce8b34c17b9a407f266e6793022b944492831dd4865144bd9901e47b43bc2e2ef5ae5fef3a55681c2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
6b35651c754cd3eac3f3ff0d0554bd24

SHA1
3a048985142c41434bd7b471b80c72c725c9107d

SHA256
47316208e793b234a3b60a5b4c04264e6efd197601e55059208aa175fb4f68c9

SHA512
e0f413659a46e10bd918426a2f20dfb0d2c094c37b26a87c275e272c5efd0e84a2e240051910a5febe54efa19acbc31089d9a63a7ec052d268dbd11294663642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
1dab1968c065c4de55134e6cde670cbc

SHA1
a1416f9f91db7301d1cd8721af13c3b6c2b53ae9

SHA256
2bc7c27aabb5709b2fdcab7e6889b562698fd5702ced07fd68a1a839b1538263

SHA512
51497d9f96a29f8325af2a79d19b8ecb5ea90833af5a0d7af7affc4081a248d05ec2ce1584489980035fd9e61490e84aad88b5bd2d1e7dad44a904b483c16236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
1c1cca0642b8dca619158e689041be97

SHA1
8f06061e1755ed8ce84efd02dc9f0f4a760e29a7

SHA256
0a9225e0e6300e814d2a4e1cc27b587862e61457c24fe67b4c7c51b6af7d81f0

SHA512
cc1dc541bb1725fc092bee311eacb79dcf3f49d8c61ed6b2143a3efd78d300e8d67647e78d4df5b9d0f8a848e3e7b21f29a4a84517c0843603f06dffbbf82ea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
896KB

MD5
9442b84582dbbc3f912afd5cbeec4196

SHA1
8290dffaed37c328fd22713c4dcd2cfa3f0361e6

SHA256
d04631dd5d26e89216d56ddc8f88d2f788f0d0f649d8c1012f4c5b607647d504

SHA512
c443b85c392c7f9833b7f344e37ef955f7071e8068c328d56955c617b3c0f0f8178e1ecaa50b53efffeda5dbbeb19aa98cb6fbb5c882fd1a9393fbb737441346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e5705444-897b-440a-a84f-018c4572b100.tmp

Filesize
255KB

MD5
abdc07967f98116436222c6003984114

SHA1
f10cf5544398b8a4ab8bc20a09d209d36358ea88

SHA256
ada8055a9e3cc569f1b0da9a69d2b4e107a2d1f72608f65342269546b1a1b129

SHA512
828fea7dfd6a96e6d1337d281bc0a60a0d8bf6220decfd786b279501d2a24c8670bff2a76e352250a1c45c9579b7b1c0b6f3277c9853f9ce84766d8ed1bb4b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
25.1MB

MD5
0ab973eb5e3fdf946ecdcac7d2671784

SHA1
aa4c151c5fcd1a4954598afc5e9d8f685fdb7c21

SHA256
8342d03136913b627589c091e1cab842187ac4538f7539c7bb9d65abab7e56bf

SHA512
686ba0957b811d39ee96ee12c0a595e12ddab6844fddcc96624e02b66d33f552fdb02b224f6a7b5c3c2495a4fa40eece69ee29baed9ff07ec2e023c44c812edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
3.3MB

MD5
35dba055899a9f4dc306fc012d724779

SHA1
7f9843b1a1f8818ed7dbbcc37b64c167deca09e3

SHA256
0136a4abff4f7649e3d13a77f21e7824fd2874cf66618377eb32e86db673d638

SHA512
a3afd9bb0cb84892907ed90f790f1cbf22513d2cb6881d105413b40708942fd9384fb2d91a4c818ca398c9598e5af14fe65aeed37ed8504fd82b718c55436019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
3.4MB

MD5
aad80b4dd3c53f936c31f232518da7fa

SHA1
b7b44a3eb61ad373765b9685f986edb24dba10e6

SHA256
b49e5cf6d8ee9b85c595bdd906442d414131aa49a0515a5befaee103be48291b

SHA512
de0cd2152b50a8fad502269cd70301998186101e28692f84f5783d66e8c8f0e0faeafd49a5e0e8ab6cf3609b621da3bc11956399cb44c518070f705fad06f6a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4YIKLXZ0\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
memory/1888-6-0x000001E5F1B00000-0x000001E5F1B10000-memory.dmp

Filesize
64KB

Download
memory/1888-5-0x00007FFD9C350000-0x00007FFD9CD3C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-4-0x000001E5F2040000-0x000001E5F2566000-memory.dmp

Filesize
5.1MB

Download
memory/1888-3-0x000001E5F1B00000-0x000001E5F1B10000-memory.dmp

Filesize
64KB

Download
memory/1888-0-0x000001E5EF140000-0x000001E5EF158000-memory.dmp

Filesize
96KB

Download
memory/1888-2-0x00007FFD9C350000-0x00007FFD9CD3C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-1-0x000001E5F1740000-0x000001E5F1902000-memory.dmp

Filesize
1.8MB

Download