hxxps://dl[.]tspon[.]co/eecbb64b738167cec3bf624516ac3a4a

Analysis

max time kernel
92s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
13-03-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dl.tspon.co/eecbb64b738167cec3bf624516ac3a4a

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133547666899367583"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ = "ILaunchUXInterface"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\odopen\URL Protocol	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\FLAGS	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ = "FileSyncOutOfProcServices Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ = "ISetItemPropertiesCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\FileSyncClient.FileSyncClient.1\ = "FileSyncClient Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ = "ICheckFileHashCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "IFileSyncOutOfProcServices"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID\ = "{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013"	OneDrive.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Utils_v2.4.4.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3572	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2824	chrome.exe
2824	chrome.exe
3572	OneDrive.exe
3572	OneDrive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
3572	OneDrive.exe
3572	OneDrive.exe
3572	OneDrive.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
3572	OneDrive.exe
3572	OneDrive.exe
3572	OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3572	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 5012	2824	chrome.exe	80
PID 2824 wrote to memory of 5012	2824	chrome.exe	80
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 1848	2824	chrome.exe	83
PID 2824 wrote to memory of 4844	2824	chrome.exe	84
PID 2824 wrote to memory of 4844	2824	chrome.exe	84
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85
PID 2824 wrote to memory of 2316	2824	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dl.tspon.co/eecbb64b738167cec3bf624516ac3a4a
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa8a339758,0x7ffa8a339768,0x7ffa8a339778
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:2
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2220 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5328 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5744 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1508 --field-trial-handle=1824,i,5491933505197958675,3365294350125064020,131072 /prefetch:1
  2⤵
  PID:4068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4328

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5e3a948107508563d00264ae9cded03e

SHA1
f545f84096355df44fb9befae2adaac7e5251807

SHA256
7d7c744b318de00b66a1fd5daf435dc0364235f6ce534782bf9580020e1d4d50

SHA512
b744cde5d61123cec9a4b74e469cd3cf597a07486b0c92f8a9924c14e69a2d7873cc75dfca2852d643f72dad2aa02f2f800a320c631ca70076b01e1a50292de5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
401d9787737e6fb2f22dab9a30d9573d

SHA1
a64671e0d6e2079d7bf51b29ca34939e0df82a89

SHA256
130a3c757421829c4c6b9e3b2160282a7850f6caa12e6db883e09d40dbbf410c

SHA512
0d88fb2a38dfbf5db4547bafed9e848224e8baa1be391d3bcbf496415f2509d7058cb013a5062f1e96d6ef0b693bd41150c4be2750ce5c20308dfb47314efcf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a99d3311401f67456b9c1e23ecefa682

SHA1
41186e9d1450a74de06b58e2f9e90e6217eaf324

SHA256
3af912ff8a0a1edc9f828ede7c550bac54e4bc975a495db93074a9e232615d38

SHA512
da72caca03ce27721d4dea4d308435d9eecb0e0d95e0181446de340af7928eb3dec050a937849c369ce140c26a1de9c81fb6970cb27842cf97408adde8667ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ea4d274e4c00b6cd2460ef10cba2471a

SHA1
e0393911ad3f4e75751aab394ad62213b8d9c3aa

SHA256
b713c5b2d68768f50257db9991b4f956ceefc2b76fa19156692cae17196c4f50

SHA512
9fdff02e6b5608bbb6bb06709bcd070a2fabb179045021f8f2d0510dd694b497929ef2967c68f17f21d8b723f470c6533e65f65bb60b0bda3774de9d8fb7862c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
b71d97f4e5ebd0ac862d5e5e0be48c33

SHA1
90840d4f1849077177191eecbb91a51ff3e5d8f1

SHA256
1d4dba416ff3a9cbed17f767060d89c0a7e71cfff258aed9917cb7cb7ac636e7

SHA512
04cc909f7295f1e6831743d5fab11a6309a603debb32be54c19442d39613b08d77862d6b01444e507b78c9fa7392092ea55546adcc69d18cafe90f18a24fde9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7b690acdf3e38d203fb55d7e4c2e1dc6

SHA1
e45e8c507bc39195f719bd794f9f9cbd57978018

SHA256
80b97344af0100fc5a47fb39cdc177bdbb0b3644fcac910d5f93244a25d472f0

SHA512
88ac2ee1a732841f6241cb1bfe1d1ddba426c49021433f3813b830044a2bbd1dd01965a1aaef749ac979d105705e48140f0a9a587521f0b375dedc08aa63fcdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
034cac2d1bbf1bac1d86221641b6b464

SHA1
884a0990d565881152fce394cdd2681693cc6fd5

SHA256
2570136b1a0f2fd2d07a93a6f3ef90e8e2f9914bdc80875aa81465b60ca6868e

SHA512
fb4012501b2596add6b1cff8568eb3ca54c7981a2df6128770d4cded809c667b1669dba68da04e9e792f9fb7fae3cac77a7a1a246dd3d7651f084b8c9d2c877a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
73fb83865091d696bdce60145e950f91

SHA1
be4f317d30db6ebbec02e64672418088d2ee4fc8

SHA256
95feaed0d150cbe6093d98eab8e11855cbd8a5bbbc6613116fb891d258547103

SHA512
9ee14b4110fcf190bc55e88c887f79569c261eb389fc53ff3c86b0fa0c01056a6a2bdcc41036c659ac9b082aaaae5854131545e661050f80dcfe2cc244857a92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
b845d3cf1a0076a8646c8488a75044ba

SHA1
c8876283ed774ea5cbad9138cbb454a7fe45f0d9

SHA256
6ce81d83f85d436965ae368492542ae53b6b7f7279abf04046f5a05f6057b5ac

SHA512
b8c78c57eff98e6dfdf95cfdbb91598d2b380f2dcf38d1b631d9a0e85f9a527954d569c7d8b25ab4c55f37d49bed9489e5476d2986fca40ea550f6766af2b15b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
26836739b43cc4c9f769fcd35a370666

SHA1
394c0bff69ddd57e181eb137a8461b3742f6a4e9

SHA256
4535971c999499bfd82f2aacd7b42be6edf705d9b3deb45270928a5c532fa412

SHA512
4854ba54c8a204c7c3af4c5a667f326777340ef011598b45fcac35edb7b2b0654f7c722461a79fdb06caa205ed3ba8d4e8108d534f56151e60df99f8e229a598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
8c9e9023630ce8a98bd99f3fb67b9826

SHA1
b3f52b43e5977640311c6d06f7621428fc40cab1

SHA256
7ee1223ab3d9aa34346969b6c1e328befac99e794fced92468bec5805c640ef7

SHA512
7764e7752fa04005dc73f5cb2e19854015a6bb046fe82d566f98352af59344bed90ffffbfb992b41a05991ec84c31b1eb3ec33509e7363385c0122898d5229ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
b92d114b57f9bae0a2339d6def2793f3

SHA1
24d060041bf50892e68b11c3be563e79f9fa0daf

SHA256
06bd36224d20b4e852ff36306a09a8e0852ceb7316e71b3924dd4983b96e764b

SHA512
806902bb88a9ff396bb38fa3fd1aef387aa96fbebed445322b11a6571438dc8e96de6630cd584029140eae7d3b7c8401c28a0e0d1a60506e9e1c4268fedc7373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584bc9.TMP

Filesize
94KB

MD5
be2f0230dc1c11dfd7abb94de11eade9

SHA1
d192f1cb768325198ca718b831f5b5abfb13ce75

SHA256
4f8df3e1d6136df9ec66a6be1ae2c9483a9e1fee5d3276f245dd24b31dc45abe

SHA512
6ebad449dac9d2346bb84621b2fc322afc30466abce8cb0e9e5712ac8098c8f8d6a3a827041ffcaba34dd6116cf4a160aa9b36cebb8a1dd128fe359c3d777110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
69af002854acb489490795d702df8fc2

SHA1
d404fbe57fa7b935fb23feefe10fc898df6a7c44

SHA256
c616d12d89cab28df706f7353e2a38b126a86fc42124f870c4e53a8ea4cc03cb

SHA512
ff4406a3423cd70ae609a66a4a9ce872eb9fbfed90d511d9527ef4976cde5d59eaad96053b8001ac6ba684d947fc5a47e47d3bcd710685b0b841252ce045058c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\51HF3E2L\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\Downloads\Utils_v2.4.4.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit