hxxp://sanallink[.]rf[.]gd/

Analysis

max time kernel
1642s
max time network
1651s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://sanallink.rf.gd/

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630559539118434"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer\ = "OOBERequestHandler.OOBERequestHandler.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ = "IFileInformationProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ContextMenuOptIn	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\ = "SyncEngineStorageProviderHandlerLibrary 1.0 Type Library"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1\ = "SyncEngineCOMServer Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ = "ILaunchUXInterface"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ = "IGetAllSharedFoldersCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ = "BannerNotificationHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\VersionIndependentProgID\ = "FileSyncClient.AutoPlayHandler"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win64	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID\ = "OOBERequestHandler.OOBERequestHandler.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ = "SyncEngineCOMServer Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ = "ICreateLibraryCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ = "IClientPolicySettingsEvents"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\ = "OOBERequestHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\FileSyncClient.AutoPlayHandler	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5884	OneDrive.exe
5228	vlc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
1404	chrome.exe
1404	chrome.exe
5884	OneDrive.exe
5884	OneDrive.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5228	vlc.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeDebugPrivilege	64	taskmgr.exe
Token: SeSystemProfilePrivilege	64	taskmgr.exe
Token: SeCreateGlobalPrivilege	64	taskmgr.exe
Token: 33	64	taskmgr.exe
Token: SeIncBasePriorityPrivilege	64	taskmgr.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
1404	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
64	taskmgr.exe
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5884	OneDrive.exe
5228	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1560	4944	chrome.exe	82
PID 4944 wrote to memory of 1560	4944	chrome.exe	82
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1636	4944	chrome.exe	84
PID 4944 wrote to memory of 1536	4944	chrome.exe	85
PID 4944 wrote to memory of 1536	4944	chrome.exe	85
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86
PID 4944 wrote to memory of 1964	4944	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://sanallink.rf.gd/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbd50ab58,0x7ffdbd50ab68,0x7ffdbd50ab78
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:2
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:1
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5116 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4184 --field-trial-handle=1932,i,18411830482053895700,5709354850243148250,131072 /prefetch:1
  2⤵
  PID:4644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdbd50ab58,0x7ffdbd50ab68,0x7ffdbd50ab78
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:2
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3684 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4932 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4828 --field-trial-handle=1888,i,12749035829451302054,5867517179638489241,131072 /prefetch:1
  2⤵
  PID:6036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3828

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5896

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ImportClear.AAC"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
d9a49a7d6d5ca840cf0f0e937007e278

SHA1
90197e483cc1bf8970cb6012997b1968f43d8e78

SHA256
183acf4a52e283da352ac2e3d51d43dbdd1534325f4585b6763a4ef38151b876

SHA512
142acbf150500db5f703b3e56c42895cb4374927f6e26adb02f090cf18e9797b8f4e34b7e621de6daf03093cc0a7df73cb4328525ac7a1a4f36e2b61dfde0642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
99397b66ae24176c7903aed7bc73a3a1

SHA1
f2c23c6e9a4d2066671f3838188f58a1d954e309

SHA256
590fb3b825230de2ff16bbfee3cdaa88babd6aae399e798e7ff7b0c6dd624758

SHA512
faccf9b3afb110cc3dc0313bbc8c434ca4f45954278f6db5d87589ad639886435006e730e7017c75e35261dd4bc0ca1ac54b75ee73fbdbfb0479e2c604435dff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
28b17d2520bc6a0b1e94c678ee312002

SHA1
53f90fe78b571478b2b3564cdc0dfcbbe77f54ea

SHA256
21fe6cb5372c2375cfafaed93613bcd864c46911baf90e2d5095e264f689f771

SHA512
4f95223fbf6e8adb51d4fdd9ae8b7d505fe118233db777fa4f939cc633d4697b7ebb1ff07065745750d5c408af3ecc3a6ba9afa235af68cf5438dad170846819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
a000aed726be794e83b193b05001089a

SHA1
a647c87e098e135c603d1228ce5c3d8c4fa1c4d3

SHA256
0ef5d7c59373482d10484a53173334f68e72c3236dea1a2e823cd999e3ad9984

SHA512
e92597fa0ab8af1a399827f803ed7cc7c26662a1ee85417de14a4fe5f71e559d01681837f118ead18086005176da307e8b02fbafed9ba1a6596d2e0487c48427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

Filesize
327B

MD5
7995ae49608ed99f674a4e517ba3c875

SHA1
36e632a60a728bbf75d178dd3b28dff3b86d948b

SHA256
e94547e5a93f54888ebae33563a2c564f7305e93b4f706fddfc82a571e950dbe

SHA512
17c7a4557c629753138995b8bc777ed47ba32d563d41435d642c93536a3686aa07fc6356464355d63354c8759b34ab0763f01dd27d78180f4152c863608ceaaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
f12806858ff2173ee78f280efc0fb817

SHA1
1a89c5a4c8b0a6a705d7fa65cab0ec6e74b3bd70

SHA256
84683d01c1c4c01e0eb50fe10809a5fb10621c374eed56fabc92cb4788b35454

SHA512
31a448c2dfc77a0b797f47944abea77a3e103294a7f6f9aba610b190c86222c348ba027bffe9638979f5cabdb4750f2eb35ba0526e83203ab727be0935ee631a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
810B

MD5
0f488c7a14a1c7c43f9d92ebcf8a6b9b

SHA1
eb90656e471c4e99bb8e8d2fac7ea26324aee199

SHA256
f82b81e45d517266533e20ca12abd18f854498ead1040ba2217900d990a21f71

SHA512
805be9f7c0e7868c5f760c04c02ace4f03f63968bbffc0d8aece752f179046e952b3c2ff808b368a7ef7ab3729865c551655b2b4d5a6d35b86eaf8e0138b6737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
810B

MD5
e66908c7a2bfd9dd26120feecf232949

SHA1
7029640d5f93758ee7707b75c6ace8ec74b33eea

SHA256
5579b9a6b91980eee43f4be24338e61c2ed88df2db700cbcd64409494fd7414a

SHA512
e2f70bac8c34e6340fea8d7a75726639eb21d42fa53dbdf9c7036a6603111621a48c38b7767c27efc715ccd61e0c1619e73b6048d7e0365c96e4267f29380562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3c22ec8ed9e38d7ee24f687d2664ff0c

SHA1
598e5d10ad08f34e6cd3916470d4a917a114a74b

SHA256
1a256aa629e0ab378ae0c89575b6d9165580fac17d4be1781b37890673fb60c2

SHA512
e1bbb4cf97ac8124e8b8e6baabeb7005bb0cf0c2de013615fb9fba45fdce0f4e12eb9505f3241b6c44b3759f559b5bad2609966792f066dbd4169c5e44e29415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e6831ef9ecc68a31e490c3380da8950d

SHA1
1bc206601ed39385f18f6a2afe8533b20f5a2198

SHA256
5f91de87b643e8c9f7505fe00ded1b8fd618c6601095ddcf7e687cb249635f33

SHA512
01931026cb2ff585984db7b9a73bdf107dc36079bd9862936360a43cbfd38267e743215f9e229c01ba3a51aedeb4eeeda997bbe9439e04a2e5cc82a20b5ccfc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d91bcf2d998d243bcdab7f4647151cbf

SHA1
049d339e719ecb74eddaf2ff5e62ebab7f206f63

SHA256
dae48665b388c96be20cfe26c97bbe909a9451a409479f8df54ba5492498b47e

SHA512
26f41998f8890356ae78d05ec55a162e77b74a724df055cd4c9a4bd8ee0346351accaa3aedd741222beef9b639b54ab378979b6867c2e08f561b697020976f70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
232B

MD5
8a30a1fdd0459d9ea8b1e78a8e636856

SHA1
9d7225e97f9cfcfb225cfbfd0b0bba21d4efdd20

SHA256
88fe1d31608930f2738d102d45c75dc77acdf01a1b69bfb7e7c0281575b75e33

SHA512
b529bce870cd8165bf82f3ebf94f07552467bd0993b9d35145182e54e26fb2ae8e7bb167d88267b632757e2146f27dfddf8867db0c66e5dcc306db12ec6b7bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
3836ec0192a402512419f9bb031e8aee

SHA1
3e245602decbefb5b8b873d82711f171e8a8f4d5

SHA256
2058f03afeb99eb0ee430bf9eefd7aef5288ccfb6a043084edc03b9fd5dd5582

SHA512
f81243110403abc2d97123743cc3d3987dabb268f73e1b7a03ea4de6f06c73496fc8215f07824afddec0c8ce2ad4f4bd77decd73f21d1fa478fde76d93e4aad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13363055951275195

Filesize
1KB

MD5
ffe97f3e5ad8e61b83b3941d5f1517c5

SHA1
79f70475d3914a47b0855010d527b76103afd151

SHA256
2681a5fcf5db38396a0cb39d9b72fd7c5be618a331491030c7a61f6cad7d03d6

SHA512
425b16906b07581868ab1803f81ab4f6f13c5a08b75e16a6db3f980d78bccf089e4fd05f432f25fa34787b72194042038ca671ae8739d4f02c786e1752a1dc1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13363055965423195

Filesize
817B

MD5
37ba304bad74d17c50081e39dbd56b0f

SHA1
3c6932a91d27cfb42f22786d29acebc53c17a2fa

SHA256
b7c6662627e6b9c218e9903c2748ee20622c0332745ab6deb72adde8f9ad0de5

SHA512
d7633404fd3f70abe76f52993fb21c0a53b26a03662c782ae1447e81b1f7f6aa248e47aeb71c6b748cfc115122655fd4d06a2e5b6f8eb6ec05668adabbaf7550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
67c77024aa0558729c82e74437016543

SHA1
311a148181ab25d74c96bd78742dab5189c4cf79

SHA256
99c8fd79efb672c6ed2958003ab19f578403e2a8f9df99ee14b8744081279af1

SHA512
f6409e29444dcb080734adb13a922af61935f6da683aac25579cca8302d800b28636a830e54d15d22b42fdf7b7b07be9ab58819533f269980a67103a62912370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
bed30ac91e6b0b48ac1672709d50b81d

SHA1
92360105dd6c2673c68f289616301fdfc0a9c1aa

SHA256
5e4cb431ba94f346bd3a8d26eb866b05619c80e16537c06c9727ebd79a9cb550

SHA512
98c55b538dad1aeec27bd80a356ccb001b991f00277e6ed8db4b329c1ce0f8d617a0e36b0881b251331551b7f3aafcd0879f3a8529dc3506f5c8427b125236f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
15KB

MD5
e980c0789b63b35dc9691cea2e900224

SHA1
5d1c1927efe6983e3d94b49f3708df42c3004d59

SHA256
73e8b5e88523a7be0d717cb3929006eaea8038b9387872b3503dec847b13a0f1

SHA512
cc080014c574d7f5cbce3578137900cae47512f7d379f1fbb0c153c8f0db55dab34e49ce137c37b25e44410b3f7cd10452f41beef3e0f7dc1a43bf4bbc294266

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
318B

MD5
491b2cf2309f440856e3612a02f563c8

SHA1
bc2b6c59ef6574f0de54dff817cc9f8ce04fc8a5

SHA256
eedcaad46d3f8a7741f0fcfa23ab66a41aae36ce282ffcb3924193848cb32550

SHA512
da03a2d094e3c79e8a3afa4bbeec2a94c7bd0055e07029ef40c495692cb7f575d9d18f9cf9219424a19ea23ce2f4d80d8e6d93ba045f18ce3423529ee1747015

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
1KB

MD5
ece3a25d9b61696f24b132ffe89d1923

SHA1
885fe6fc2a5cc0c973baba6c437781762fd6bd9b

SHA256
08de2569a327013f49d9a2ff4bdb6b42fe39023a42fcf1794c30709995d6a291

SHA512
c7095a65705f6077c7aeef9c0e3b0cd834bd7e70a73a2711151f462bf312deba63cab65994532025b07c906bfac4b196e7510bc97e022a7e3241255bed02f6e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
b8614ba4ace3cf09d7655088f15b529c

SHA1
85db6bacc781878a611e83ccf6d8b2e7e51f24ad

SHA256
f39307dc71482345ae8534d149da5e2dd0957d88148d2c0b14a99067e1a2220f

SHA512
d7b31008c20d763577c13d6cbde8ea238959821b558497d847d59fec248d7f256ebdca43368caf75b9a1497d268f0a8670d92efda6f964cd03e7639f297dbb0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
889B

MD5
c31c4325b6b9099d3fa9c007ad3a16e2

SHA1
686046aae26ce5c5b75e807e48e11a8de74a73dc

SHA256
980856d398501a500254c358b46c06061d6f66f4f5e77ac049625d24500380b1

SHA512
d4c6eb6c29560e60052b1c24ece9a282b51a3374eca307ee3d6a824104b12fbc2f10d14f84a14830e13ed52252616320f2d10075da5d323a30a883ad4863f9fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
eadab026f457f0bf9945e5a47e369881

SHA1
3e7cdf12b4580cdf5962c00c85614ba06a56023b

SHA256
6d82b1ac1d0f127b14d8bec7a97aee2d915808bbc61d24bc85bd68c30affb61b

SHA512
b9bbba41473e47aa29d635459a9722f75db11e303d7d546f7995204ce2ee9fa0f5d57c985698ad65523311ebe201f7c15ab87ccc7236f1d634b37297cc5d76c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
d9529c9a58e162330aa1dd468140259f

SHA1
e08dc59e33ddca85d742cde86bd605f6cd7291c0

SHA256
2a374f57121d35666a547d9176e467776e43580a1700603d9afa1706af4875d7

SHA512
0b1db16a1d68c6b1110309960cd6e2354cffe5344d8cfddb828d40b052595612050c05b182df6a82a01a51a81d9a8abf3e4bef1d660237187763d4895c7ba235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
30b06a4e2ee2bfa613d1046ff6b05c07

SHA1
c4cbe024c0928d15d9d9357ffc8e65f71577de19

SHA256
437c3590484953661aedd1c4d83421474acc99367ead268784821e4c91b59981

SHA512
cbbe216cda993f502cf25519b32d54bb0a06d2aaa19fded9d2d936371cc3502f987165d06b21f50d24af68ab483914661e413637ba6742cc0873e9c5617ca3bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
1c0fa973ead8d7ce3e6617e0b4c57660

SHA1
deaf6fe25a43d56ea42de5fd3e273d0fc66f0acd

SHA256
b2b2120fca9150f559da2e943f1896b65eecb3ea523916fcaa630b75b4ec5e93

SHA512
a76ef25cd744b2820dc3277ee2d02861f6c37db1f9d55dc56c44ad37c4221da1dc434f678abce860d252ee2af75895be4454c6846d1510be3cb983bfed0c5a34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
ccd216d29e2d7e08b4cf77dccf292f39

SHA1
c85c089052a3be3df24ba521eef61d0c806efc41

SHA256
873ea9907c7f75c46b20a3e7ad3fe6583d7567b86ab1b9a3bed3816357111829

SHA512
03e16db363098864567244d951500c387d2f172d0c46b9e19e7045e32c9075f8b5a8831be3d87d5dac2f916bf2338482274bfb984a0bd6f00f563dab95bee8f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
2bb074ce3092976c5170a1c4f482756c

SHA1
ea61a25a2ea965f5a892126e872af8f04610c71d

SHA256
789d8977415cbafa57e7936d83632deeb0f31db72ef9e1aae4bf41d6fc0e2791

SHA512
3adc9a3a6ff6d0950e60a2dfe50810c788164aae4641785d71abcbdeb6054be32652a11eb761f44f7f9902a2cd9aac1ec9455f25a74b1d31190e09655cf6c533

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
5c1ec13efec3a66b1925fdc713e20f52

SHA1
c910e069e39cdbc617028c879468c93fd04588ee

SHA256
ee7953478f135b20fd82dd3dbfab3f42307a1d99503df9a96a253c8159e71bc6

SHA512
61d8103008eadff98b981b170a912784c85aa0f294deb4b69d38ef061d31882f422ab1e12d4ff8ea34b4b315cbcbd2107dcc735018a77816aa54cb551e112d2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
8a11cf028fdbd8224a26b00da83d379c

SHA1
54c3b418ad6e91ff1219152b60c0707cb4e4d3b7

SHA256
eec70b6138056f7963b1cf3cb2121c0be65e590ff05990e19ca38f89d0a6ad0c

SHA512
214958eead5bb5fa99d807401f75f448fab5ea26796666a090ab7b67a408cc6e4186b410e9deeed05faa80d991ede0079c63454e1fa1f2b5b16831169cad21f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
40eb722c7a9870dbbda9841f24a750c2

SHA1
1c88e1ddb672305c1e63606ae3cc6a3b96f0b7d9

SHA256
f303d71c2c4276b787616da5e5e871d1ea25c77660deffe811efe451d12b5a46

SHA512
3cda556f91b3eda989f2f16ee2f555e80f680aa47ecc92d7fa87c90605c38f650f109c03b3f682e414279ee1c4482a45d8379b0cca8e65179f766ee6ad44996f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
87KB

MD5
544775861667f478805dcda5dc1c9476

SHA1
2cc8f27d0f781721eeffdafbf037beea3363b115

SHA256
a875d36e150556b4c9dbede34248264cd955222f46edacb723127309c12ecaf7

SHA512
04787b4a72087823832984874458845ec3e10856d6e9662546033dadb7d5c03662fdacaf79be5cdf1d52827cd26d6cf317b7c30e1f983795d5f848767ca91676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
4B

MD5
d87a48f6b335cee0ba7eefc98ca59ca1

SHA1
de1ab839219bdffc41c0faf2d79a9cd8a066d65f

SHA256
6411c65c46e6019d997caa7af9d31cffabcff8ba6cd5aea599a6c6723d53323b

SHA512
ba91286801123746eab5bb88a686fdaee9dd34800c8e5fc2448a1c5cdd4486980cdd6a2994ef84cd8e1efd4842ee6a6f0720396305d98a2694974c60c7478ffe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\dc96d0ae-117c-46b3-b296-d9950bd1048f.tmp

Filesize
90KB

MD5
29d3a2a308805b1ca8229ab81b21e6d0

SHA1
e056f83a41c4542324c5084a7f02ef743c8a9abe

SHA256
f89a56417af1bc2665f98647d70ada7d49bad5eb0466ab7a3a6d47519a2470c4

SHA512
e527ec740ba1eb322d8553e79eeaa26c0c46eae273dc74fa118fe912ab80b4d16560c56dd4a7fc8fa384135dc6a629e5c7a90a40f98acd6c66f678161d83a13a

Download Submit
memory/64-142-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-133-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-134-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-139-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-140-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-141-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-143-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-135-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-145-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/64-144-0x00000217FA190000-0x00000217FA191000-memory.dmp

Filesize
4KB

Download
memory/5228-338-0x00007FFDBDCB0000-0x00007FFDBDCE4000-memory.dmp

Filesize
208KB

Download
memory/5228-337-0x00007FF7ADE40000-0x00007FF7ADF38000-memory.dmp

Filesize
992KB

Download
memory/5228-339-0x00007FFDAC2C0000-0x00007FFDAC576000-memory.dmp

Filesize
2.7MB

Download
memory/5228-340-0x00007FFDA45E0000-0x00007FFDA5690000-memory.dmp

Filesize
16.7MB

Download