1e377eb44f8ae5a7cc8757b09b516518e8068f9ad955b1c07b046b7cd8492be1

Analysis

max time kernel
1038s
max time network
1050s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28/04/2024, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Vulcaner-V1-main.zip
Size

1KB
MD5

8358fa50ed5dacbd146b9b571159b0b0
SHA1

769356451fedb3d9cfe0f3a3239ae84fd1a66cca
SHA256

1e377eb44f8ae5a7cc8757b09b516518e8068f9ad955b1c07b046b7cd8492be1
SHA512

5430af5d6994e5b5ece0772982465adb4bc671b29b5b6058645f4e392eeb02bc30d1ad569a1539b1a1269d56d997f4261bfac9456c4ae4465f272c3c497873cd

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587731258834813"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\odopen\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /url:\"%1\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\ = "SyncEngineFileInfoProvider Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ = "IMapLibraryCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CurVer	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\FileSyncClient.AutoPlayHandler\CLSID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\FLAGS	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ = "ISyncEngineBandwidthLimiter"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ = "IDeleteLibraryCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ = "ISyncEngineEvents"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\ = "ReadOnlyOverlayHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\odopen\shell\open	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\ = "UpToDatePinnedOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\FileSyncClient.FileSyncClient.1	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ = "FileSyncCustomStatesProvider Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\Programmable	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4336	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4336	OneDrive.exe
4336	OneDrive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
4336	OneDrive.exe
4336	OneDrive.exe
4336	OneDrive.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4336	OneDrive.exe
4336	OneDrive.exe
4336	OneDrive.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1700	firefox.exe
4336	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2344	4612	chrome.exe	83
PID 4612 wrote to memory of 2344	4612	chrome.exe	83
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 4000	4612	chrome.exe	84
PID 4612 wrote to memory of 3812	4612	chrome.exe	85
PID 4612 wrote to memory of 3812	4612	chrome.exe	85
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86
PID 4612 wrote to memory of 416	4612	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Vulcaner-V1-main.zip
1⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbe77cc40,0x7ffbbe77cc4c,0x7ffbbe77cc58
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2008,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4844,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4572,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4592,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5284,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3396,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4976,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3464,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3476,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3300,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4520,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5340,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5360,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3444,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4632,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5384,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5328,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3232,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5128,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5136,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5348,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5020,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=4588,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4600,i,10561303661098461481,3606446275309281734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:1316

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2332
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1856 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac154b7-0128-4486-920d-1764f3522568} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" gpu
    3⤵
    PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8da3e3f-f25c-4058-bcd7-ad669f595f0d} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" socket
    3⤵
    PID:496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3148 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1862d31a-8c10-43a0-a270-83d46b8990ec} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" tab
    3⤵
    PID:1684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b019209-8f85-4d8a-825a-1f13897e64de} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" tab
    3⤵
    PID:3776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3956 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4252 -prefMapHandle 4244 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a508053-9057-473d-a659-60ac580a13d1} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" utility
    3⤵
    - Checks processor information in registry
    PID:2756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2720 -childID 3 -isForBrowser -prefsHandle 2820 -prefMapHandle 2824 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d0aba79-4ff3-4acc-a6dc-447092dc4791} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" tab
    3⤵
    PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 2808 -prefMapHandle 5432 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3195fbca-2091-4a8f-922d-91d801f7ddee} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" tab
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5604 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78979a8d-5f2f-4357-8acd-098c2e1df82d} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" tab
    3⤵
    PID:2744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3592 -childID 6 -isForBrowser -prefsHandle 6008 -prefMapHandle 2260 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f645307c-c8be-4ab3-859c-9137ad7725a5} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" tab
    3⤵
    PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1940

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b3ac2cb92de7a9cdf51657f76e87a769

SHA1
0bc8434130c90544d65fe6f7ee8f09aba994fc34

SHA256
b2ff6d977acae5a846fb0f280a0c1e9888b92a9d0f1fe2763f56ab3313b83a49

SHA512
f92f051bc5982c862359a030df7170ed14eabaa187e36d3130d9c81da984fb93e36f07a886061258f21d14bca6e899116e9886ed1e8a3556090073da031670d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3e1e616803ab1eb90993e12c6e0387f0

SHA1
4ccc48c709e72e7ff76effcc0e4c7fe7f59702e2

SHA256
ea8ae8dd257c9be1f011530764da9cb8b78034973d2cc87dfba42a60a7c24f15

SHA512
9a6dca2602cb8fa355abb365a41931041b3d987758c69ee27561384c1c4a16c38432e1cb1eb567d652409c5fd37eff94899169ac2172846ba3faaafef6772559

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b388fded26ce399587eafede8011926c

SHA1
72861f414151dd880ae2257ecf75b5ce547f8837

SHA256
e287134afb498338b42f00dd50ade222588ce8aa1cde8b14c7585f3ee31af435

SHA512
9ff6f787d8338bbf0a5f0c2b20c75a4f7534185e0e949756c9624bc874f672dc0f6ea2d0ce067c6638600eab3eb64d8da7428ee7e3d9c2532746ee04a8c08e9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31a08d8df55d14b1230101ea06a455d5

SHA1
3c91c889fd95e35decafe3eaa8803a135644f399

SHA256
3cebcc373336df03ceea26a8f97a67ded911e7b0c6758fb64eeb3ad8afd0a1f7

SHA512
339b266aec86232e05c253f3035e6d83485309281861fb73792ca45b3ded91411d0275e3de1f08e0e6287639059ad0fd1ba40bbba4e273d0ad3dff9d143901eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f6b5a46a8252968ed75b0b2e9831da0

SHA1
f89883bb4ff6060062366ca666b2624637626328

SHA256
1f4f610c7c67c868ce1222086ad8a364fa128066b4305f17e722dd2f53ee984f

SHA512
c65c2d6b9c0002e03ef1e75ea7490a7d9c38374d19e88c42756ea59a99eb03b24aa87fc7a84a8a0d41d16517d3603b0d1a9c28a2e6f856fc1285186a17bc0276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8e50fe696ca1e76b2a63685fcb05166e

SHA1
254b5eacdd98785fb53163093b71945396c39855

SHA256
be64f61c4d0e45396d00136761e033c755099797e02c381b8d575080a8ccf7b8

SHA512
5c534614bd2196bb978496bc237f2667e640ef468313671143315705c18b8013e2421e96993281ffc1a8516b824e7d235e044157f9b7a9c242558a8281d53d23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
65a5cb4750d6af0c2345f04e0d70bc37

SHA1
db29947ee5a4406fc5ae47b1818247a2266f192d

SHA256
de5e934f6419887f2f74523f6a4d24675bee5a059c9df0064a1775a346c9f1f4

SHA512
7a01651f2a525bfbca093104fc1097f95b9fe22cacaf98c891f8e82dbc71d11ecb592e8aaa41422aad60a5ad09a3ef026de086bbc56ce257d62941c6c51d8595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
49515974021e6ace9de7de47f8bee16f

SHA1
5dc75b0fed15d9f5906c43cff935810c692c7933

SHA256
c6554f8747d4c2244da8aada64b1c44df1348f03be6439734c4bfa79de63aca2

SHA512
2a48015ee17cf3d63169e5baccdd921ec57e00ff8c899652a97ade5ca289aae16828706dc29b96c1b593a6c7b5964061165cfdf48a962f2dfe52f132d6193a06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
c76832886684ef43f4402d06c6e3aee3

SHA1
8ba3069f6a193ed59bb10a0c20781e957266fca0

SHA256
afd8cafefca52b57d9bc15b2a0b0ee2293235a04e24b36f2e481df0a2fe7f867

SHA512
3d25d2322fc0079bfb52166253045da3dd4a488097bedd45718a8d4488dfd3851aaeabdb228266526ffb628bba58acc9100677dc5b434bc48b9d98276907557b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
3fdc2d70b7f710cc4a27b8728731bfff

SHA1
8dca12c06dd510d9481007ba4eeb2015c67dbc4e

SHA256
c581f68bd1a0385143abf10a43bf469ccbda7881c8ddd98c0e298447056ee3c4

SHA512
cae712e3efe717d81c3fc708aa7fb3ac3a1005940a2b0326c14406d22d11d8584e9b47c6e363363144736b013ac0c2ba7976ba77b11f79b84b0dde8e62271ab6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0zdbhklj.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
113f2106d40ff41f634a1fc132942bfe

SHA1
958cbab8c182663d2643c55b1559003e76ae06e4

SHA256
cd191efcb910c226da73bed51c5b4232835afad47e5ec01d74e9f8fd5bb47e95

SHA512
af333f79183704dc98902a207300286257b0a4573d173e2d1ce5cbeaa3ce363b3bc3e8283e11028ebd1939f370bfcb8c0f1d45ca179aca794fbc01365bb8de1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
c625fcdd000e83a4c8bff9c45f3c853b

SHA1
a0a7ac206b79a7a9dc3749867d7c32421f43e82c

SHA256
6293251493593bc86b8faadfc96366ad19b38dc4fb669abb58a665b3e3e03a2e

SHA512
2b373ab5920225b501dd6e580ce1018064329da2744bb2e0d5cf370d411bbd98feddf21dff59bbeebf6fc7c90e1002f2dc6ca63c34e636dd3c84ee1f483698ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\bookmarkbackups\bookmarks-2024-04-28_11_iDbhmhSEVhkTifShOblNKw==.jsonlz4

Filesize
1011B

MD5
230b3d619e8506868311adfa4610ad69

SHA1
65c351889a053e27127ed946a1802279f401f4ad

SHA256
6f721d1d8b7e7a9ceeda2e016aa1adb74e14fd3d04eaa751adb2240fbb97ab0b

SHA512
2ea8535dc5e7dcef282432fa86debd479640482ed2a7d53c3b4c497ea49bf4c6e54a7af2d1a8d75a71d68b420ffad3a0460ce24117dae8baac35e390908dff53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f41cecfe38ed2f248b625ce60bad22e8

SHA1
1141f6cd2eda45068d36b9eca060f9c8f4b6bf30

SHA256
e90038c1fd347c83a7f92160c017e550cb253b32b9802686663e65a164b99118

SHA512
20a43cf221f9ff6d8b08fefe67a4a22c7cd74b78677b9505a0860054a8d75ba95b2d2a36902e8aa91b90a6c9080e32b3b42f56b03547860a7308c403da0d2ddb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
664fb8449eebda1c16b90628abf78b9c

SHA1
f8ae5418e0d0e955690e2167ae30ec5fb0f9861d

SHA256
9d6eb2e250652ca9154ef325687da218cf10775402dce8ff2c8cff40e40c955e

SHA512
47c9167d7e09f19de37a2a8798a7ad3346dd544162f885d89c0c256db589117e2d0ffc67ef0d9e238cddc92c3a5474c56222c5c34d390a32d3c8e701b2a07ecf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d41bb51a7745baf6481c4feae22325e4

SHA1
981d57f696f4d75691df2515abcb9e9c31814bed

SHA256
6768685e9a338be78c897cb82ad659485cfce5ce236f2f67b7d5b01cc210687b

SHA512
f7c6057b048b74e5b552a7bd209568f164d0c2bcabe758020717052a084d2d1cc542f3998aa61456bcd4236e14ee8aad56c6c06dfe83d87d23052a5dfc9c59fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\15b58552-e647-4f95-96ee-7b284856689b

Filesize
671B

MD5
080e78ffefc0e86fdb6e7f0c2662810c

SHA1
4ebd871eb49e568da429d55bf3fe9902e21a2cbe

SHA256
3cd903790f68fd8a1370584582f81e9a90c0dada7e665a5f5e75ea191bab8935

SHA512
11a8677b8814c795eada0a6cbe6d72beb858678e69cbef8a47ee882f2decb12bccd49893b17d5a5ffae52a30e586980dcd87a5c010faf6d87a239c0e05e69fea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\2e7d01da-a666-4adb-991a-abb56410748f

Filesize
23KB

MD5
0a9f12bb637e28c0b33f41de5c0b115c

SHA1
a6ad6555c3e81d17971174839373ae98b669d3e0

SHA256
2b1c2f3c2d72578de4e7d17229c96362a8495d3cee253b2c4cba93f2d2f076f7

SHA512
675a812c2f70e83a5549ae6e54a60a329f280e17c08a0feec46a8ec402096aa0f4541c2df42ce430cccae158fc25c8f2807c1b53a9ab400daacc7ba8578ca3b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\8f96358d-4d3d-4037-8488-daf156d6b9e4

Filesize
982B

MD5
f50182521a4ad6d380cecc7dc0459fd2

SHA1
1601685508b02fd8008f8a67f830a4c26f60473b

SHA256
c89b5079537b078af44b3646fad9d6ee7b16ac5a4aef8e602bbdcb8af7be2b89

SHA512
4035415eb0d361d781b78eba8fb3935f51ce501c8445be4cf69bc599a9603962c502ae74f83d8a413cb5e7176c982641f3db296811924c65a149fa91268d96de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\prefs-1.js

Filesize
8KB

MD5
a6773274663603e819727d02e0316fc0

SHA1
65304f7a13788f17d642df89dab252f2cd6188ff

SHA256
28d051fe99f80aed6997a31667b77d933c102d93c081e5284aab97e4659ff1ea

SHA512
c250bd2ef72cd2d7f5ac359c9778f1cc2444b3d76aebd1fcf75d05684332378c44b21813e11c98a3a1ae463b9aba3539675fbd161a34c1a934b2343ba53c3496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\prefs-1.js

Filesize
9KB

MD5
0073439fd22562bfaa137ec06d36c8df

SHA1
fb7c4f4f83d940b38ca68901f0591724bc6239eb

SHA256
404a535e15927f1a1e91f85a688db66cae6794f0a0a6635c90eb0abb9e0e4723

SHA512
9e6721ec462bd121ae03d51927c96b2929fc6ea398d7e426cc90a7301b8f20437b05811327aad6239289783e0166cd00475b4a9eb439e7db6c89bb40306aed7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\prefs-1.js

Filesize
9KB

MD5
a6172fe11b43857e2c147dcbaee59ba2

SHA1
6a9b9dbcf5e45653731f95af0c241a5478b5c0cf

SHA256
7761069b848d46afbd7d6c2d85240b38c8d1f16e4a43296791d054e7cd4456a1

SHA512
5b70e4d3d96020c7859435d6616a5d1e1d9435d9f095860075f7bbbc3019f0ca458cad5e81d4b177c9f4c0f50a47149c009dc33bf7e0d0dd8755326afb6440db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\prefs.js

Filesize
8KB

MD5
cc11c1d1a28f765089ed86a14aa1dbda

SHA1
b3d1aa287756ea342ba5f0eb81a08fe5a40c1bed

SHA256
a65e673afc9f647eaec7d3057345fd0130d58e28b97a9335b74ac4a77e827c28

SHA512
b5127200043831b7794400980cd035f7a588e788cf8ad70fdb141d1d6bd164a25bbeb906ff6d8add2440d074521e577ba26b8c2717fbca8048494c7bbb865a13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
57cd68278077d1541218cc13cf885547

SHA1
de430fd025c3134aecbff8ccd58868f76dfe229b

SHA256
51bca68d5f7c47958c931f7bc55ae19ba27228df127fcebe94f3c886cb04a66d

SHA512
e01573c2e561609293cb5cb51a2e1f8eb18bb4125c4a265b41043b139ab0adcb8cfe8175915edc19a25bd2770bff67f664b5ab5cf253de5404545ee22197a558

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d286763ee38ce0eb6d77ccb3ee736139

SHA1
d2a27e99b7921936e2f82e27a20bf1b936010491

SHA256
c3405de79068ba5fefe63628d10223f87e6964ef17d4abc0e240b19218abc88d

SHA512
06f67b4da3bec1c34448c42b1f9dba7ee7ccf991e7577d48b9a806b6388b64be85f6d5b27785baa140f8d033d91869897254cc18b5a279ee314e953e91ab5845

Download Submit