Malware Analysis Report

2024-11-30 19:19

Sample ID 240308-w2sftsed4s
Target osu!rx_mpgh.net.rar
SHA256 71bb87b4ff7fa115d2f4902b0f5636c4015de9c222882b06c730127a6146093b
Tags
persistence agilenet
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

71bb87b4ff7fa115d2f4902b0f5636c4015de9c222882b06c730127a6146093b

Threat Level: Shows suspicious behavior

The file osu!rx_mpgh.net.rar was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence agilenet

Modifies system executable filetype association

Registers COM server for autorun

Obfuscated with Agile.Net obfuscator

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-08 18:25

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:28

Platform

win10-20240214-en

Max time kernel

120s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\osu!rx_mpgh.net.rar

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID\ = "OOBERequestHandler.OOBERequestHandler" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\ProgID\ = "FileSyncClient.AutoPlayHandler.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ = "BannerNotificationHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ProgID\ = "BannerNotificationHandler.BannerNotificationHandler.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer\ = "OOBERequestHandler.OOBERequestHandler.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ = "IFileSyncClient9" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ = "ICreateLibraryCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\ = "SyncEngineStorageProviderHandlerLibrary 1.0 Type Library" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID\ = "{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import\DropTarget\CLSID = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 4056 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2520 wrote to memory of 4056 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\osu!rx_mpgh.net.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\osu!rx_mpgh.net.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\AssertProtect.pptx" /ou ""

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 225.88.219.68.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 127.109.16.96.in-addr.arpa udp

Files

memory/4560-0-0x00007FFC895F0000-0x00007FFC89600000-memory.dmp

memory/4560-1-0x00007FFC895F0000-0x00007FFC89600000-memory.dmp

memory/4560-3-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-2-0x00007FFC895F0000-0x00007FFC89600000-memory.dmp

memory/4560-4-0x00007FFC895F0000-0x00007FFC89600000-memory.dmp

memory/4560-5-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-7-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-8-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-10-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-12-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-16-0x00007FFCC7420000-0x00007FFCC74CE000-memory.dmp

memory/4560-19-0x00007FFC86AA0000-0x00007FFC86AB0000-memory.dmp

memory/4560-20-0x00007FFC86AA0000-0x00007FFC86AB0000-memory.dmp

memory/4560-219-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-227-0x00007FFC895F0000-0x00007FFC89600000-memory.dmp

memory/4560-228-0x00007FFC895F0000-0x00007FFC89600000-memory.dmp

memory/4560-229-0x00007FFC895F0000-0x00007FFC89600000-memory.dmp

memory/4560-230-0x00007FFC895F0000-0x00007FFC89600000-memory.dmp

memory/4560-231-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-232-0x00007FFCC9560000-0x00007FFCC973B000-memory.dmp

memory/4560-233-0x00007FFCC7420000-0x00007FFCC74CE000-memory.dmp

memory/4560-234-0x00007FFCC7420000-0x00007FFCC74CE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W0EKIFFP\update100[1].xml

MD5 53244e542ddf6d280a2b03e28f0646b7
SHA1 d9925f810a95880c92974549deead18d56f19c37
SHA256 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA512 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:48

Platform

win10-20240221-en

Max time kernel

633s

Max time network

866s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\config\legit.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\config\legit.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 9.179.17.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:49

Platform

win10-20240221-en

Max time kernel

1200s

Max time network

883s

Command Line

"C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe

"C:\Users\Admin\AppData\Local\Temp\iTVqM6K.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 15.179.17.96.in-addr.arpa udp

Files

memory/1236-0-0x0000000000650000-0x0000000000A9E000-memory.dmp

memory/1236-1-0x00000000734F0000-0x0000000073BDE000-memory.dmp

memory/1236-2-0x0000000009800000-0x0000000009810000-memory.dmp

memory/1236-3-0x0000000002CD0000-0x0000000002CF2000-memory.dmp

memory/1236-4-0x0000000009EF0000-0x000000000A3EE000-memory.dmp

memory/1236-5-0x0000000009AF0000-0x0000000009B82000-memory.dmp

memory/1236-6-0x00000000099A0000-0x00000000099AA000-memory.dmp

memory/1236-7-0x000000000A3F0000-0x000000000A566000-memory.dmp

memory/1236-8-0x000000000A6C0000-0x000000000A6F2000-memory.dmp

memory/1236-9-0x000000000A790000-0x000000000A82C000-memory.dmp

memory/1236-10-0x0000000009800000-0x0000000009810000-memory.dmp

memory/1236-11-0x00000000734F0000-0x0000000073BDE000-memory.dmp

memory/1236-12-0x0000000009800000-0x0000000009810000-memory.dmp

memory/1236-13-0x0000000009800000-0x0000000009810000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:49

Platform

win10-20240221-en

Max time kernel

313s

Max time network

892s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prejit.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prejit.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prejit.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 184.178.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 9.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:47

Platform

win10-20240221-en

Max time kernel

315s

Max time network

882s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bunifu.UI.WinForms.BunifuPages.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bunifu.UI.WinForms.BunifuPages.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:47

Platform

win10-20240221-en

Max time kernel

311s

Max time network

1224s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:47

Platform

win10-20240214-en

Max time kernel

615s

Max time network

866s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\config\default.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\config\default.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 76.246.100.95.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:48

Platform

win10-20240214-en

Max time kernel

315s

Max time network

861s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\deg.grv

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\deg.grv

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-08 18:25

Reported

2024-03-08 18:47

Platform

win10-20240221-en

Max time kernel

315s

Max time network

889s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bunifu.Licensing.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bunifu.Licensing.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 9.179.17.96.in-addr.arpa udp

Files

N/A