vidar | 630f2e9dc252f71613a30aaf3544739785a64f3f6fc96fbcc960511b29e0eced

Analysis

max time kernel
144s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
12-02-2025 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.ps1
Size

29B
MD5

726ac161772f83ef4c852d6c3e158e86
SHA1

66b5487d1d873300d241e96fed4e1ba5d8fea2af
SHA256

630f2e9dc252f71613a30aaf3544739785a64f3f6fc96fbcc960511b29e0eced
SHA512

0b103e71e1a6b5ba400981f45ba460290ec97bd424a80ed4675b12aa68e9d3426bc253c5ae63ad4deba146b69a10b8f532c40344e6194482c3cc73bc4ab95910

Score

10^/10

vidar credential_access discovery execution persistence privilege_escalation stealer

Malware Config

Extracted

Family

vidar

https://t.me/b4cha00

https://steamcommunity.com/profiles/76561199825403037

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0

Signatures

Detect Vidar Stealer 10 IoCs

stealer

resource	yara_rule
behavioral1/memory/3804-54-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-58-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-67-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-68-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-69-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-70-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-110-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-111-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-114-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7
behavioral1/memory/3804-118-0x0000000000700000-0x0000000000722000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4732	powershell.exe
4	4732	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
12	4956	Process not Found

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2928	chrome.exe
3332	chrome.exe
1060	chrome.exe
4816	chrome.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
4924	updater.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4924 set thread context of 3804	4924	updater.exe	90

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4732	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
660	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133838622402897084"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\ = "BannerNotificationHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ = "IOneDriveInfoProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\VersionIndependentProgID\ = "SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ = "BannerNotificationHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\ = "SyncEngineCOMServer Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\ = "SyncEngine Type Library"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ = "IFileSyncClient6"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ = "ISyncEngineDeviceNotifications"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\FileSyncClient.FileSyncClient\CurVer	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS\ = "0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\ = "OOBERequestHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2888	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4732	powershell.exe
4732	powershell.exe
3804	BitLockerToGo.exe
3804	BitLockerToGo.exe
3804	BitLockerToGo.exe
3804	BitLockerToGo.exe
3332	chrome.exe
3332	chrome.exe
3804	BitLockerToGo.exe
3804	BitLockerToGo.exe
2888	OneDrive.exe
2888	OneDrive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
2888	OneDrive.exe
2888	OneDrive.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2888	OneDrive.exe
2888	OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2888	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4924	4732	powershell.exe	86
PID 4732 wrote to memory of 4924	4732	powershell.exe	86
PID 4732 wrote to memory of 4924	4732	powershell.exe	86
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 4924 wrote to memory of 3804	4924	updater.exe	90
PID 3804 wrote to memory of 3332	3804	BitLockerToGo.exe	91
PID 3804 wrote to memory of 3332	3804	BitLockerToGo.exe	91
PID 3332 wrote to memory of 5020	3332	chrome.exe	92
PID 3332 wrote to memory of 5020	3332	chrome.exe	92
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 1256	3332	chrome.exe	93
PID 3332 wrote to memory of 2808	3332	chrome.exe	94
PID 3332 wrote to memory of 2808	3332	chrome.exe	94
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95
PID 3332 wrote to memory of 4080	3332	chrome.exe	95

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\73d7870b-b99c-4fdc-b289-2cbd4b6daf14\updater.exe
  "C:\Users\Admin\AppData\Local\73d7870b-b99c-4fdc-b289-2cbd4b6daf14\updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff805eacc40,0x7ff805eacc4c,0x7ff805eacc58
        5⤵
        
        PID:5020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=1928 /prefetch:2
        5⤵
        
        PID:1256
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1564,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=2144 /prefetch:3
        5⤵
        
        PID:2808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=2152 /prefetch:8
        5⤵
        
        PID:4080
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3160 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3400 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4816
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3792,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4512 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2928
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4248,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4232 /prefetch:8
        5⤵
        
        PID:1112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4232,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4712 /prefetch:8
        5⤵
        
        PID:1488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4624 /prefetch:8
        5⤵
        
        PID:2080
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4212,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4760 /prefetch:8
        5⤵
        
        PID:3064
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4632 /prefetch:8
        5⤵
        
        PID:3716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,9656335760815597887,8417424115399579277,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4832 /prefetch:8
        5⤵
        
        PID:1020

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0NBRTY4MzAtMDlDNS00NTQ2LUJDODMtMkRBQjYzRkM3RjMwfSIgdXNlcmlkPSJ7NDlDMzREN0ItQzQwRC00MjUxLUE4Q0MtOTFENUU4MThDNzkxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTE0NjA0MjItNUM0RC00RjBELUI0QkMtRkQ3MTM2RUM0QUVBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxNjIyNzg0NDkiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:660

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3412

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3740

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:2716

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:464

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2888
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Modify Authentication Process

T1556

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\73d7870b-b99c-4fdc-b289-2cbd4b6daf14\updater.exe

Filesize
5.1MB

MD5
7ca1a467d3565e8827428ac7be5b7bf6

SHA1
63a893bf674933c34cbe216b49722ad18d625fc6

SHA256
efbd528c8ed8c5253b5e191eedc85e30f75778a417b5f427da115e7f44d9dd47

SHA512
9be0926ef5c388853cd7560afdbd97d0f47265b3bef47cefbaaa65c33593e2eb525da9f58079c9411e87ad4a184eff49021fc982bfafe030a55272a311228720

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
25.9MB

MD5
f5fac832c5fd84e6f1be98b1f70a8435

SHA1
c6b074505d209cde48bfc42266398e63a2171e40

SHA256
642ed65d84bdfadcc36ff7683a288e54aa02da3288889139c1fe07abd9ec3b13

SHA512
be0f9dc9932071a72df76a450fd55d6be18d6110b5071df538a60a30de37a431b632c7e2287a67a60e0941d03b5e17504cfa324f158aef6005e149f84ac658a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

Filesize
77B

MD5
a004e8ac63a0f7b33c7c7af9d76df8a3

SHA1
e73a182fdbf5336be7efcdc9e0f69ecd8340def2

SHA256
279560371bae32d24780ef678d46714c75810fb07bd8eed89f529e94f72d1ccf

SHA512
5395fcad796924f981e6b5ab1d49ac7344b0618bb9a388216d7b6693f550969f15eb7704c187d1743738e11a09fe650632d6f18e002052368f80c39a2f10f812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2LCUVJRY\PreSignInSettingsConfig[1].json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6CCMQ4P5\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7e1edadd-8f79-4175-a3f7-a607227da7b9.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ma1jhswp.pmm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB7F.tmp

Filesize
19.4MB

MD5
27ba1f44f4d3ebbeb2b05d63fa61dd04

SHA1
6515b867d86bd127ce5f6dd5fbbc5dd41e4c25bd

SHA256
bf6af2f79e042ac1e259d58a5ce2b9d48a4ca87cbd749e9525c5d00c351551d1

SHA512
482c5c991f78314f3c7f88751c3757d742655082fe048d58d4b259087d4acc323f42a8d8d11c4362c0af93678077ae8246d991c5f1f436cc8b013238f8def8ca

Download Submit
memory/3804-111-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-110-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-58-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-67-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-68-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-69-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-70-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-53-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-118-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-54-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/3804-114-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/4732-0-0x00007FF80CB53000-0x00007FF80CB55000-memory.dmp

Filesize
8KB

Download
memory/4732-17-0x00007FF80CB50000-0x00007FF80D612000-memory.dmp

Filesize
10.8MB

Download
memory/4732-16-0x00007FF80CB50000-0x00007FF80D612000-memory.dmp

Filesize
10.8MB

Download
memory/4732-15-0x00007FF80CB53000-0x00007FF80CB55000-memory.dmp

Filesize
8KB

Download
memory/4732-13-0x000002BF2F1E0000-0x000002BF2F986000-memory.dmp

Filesize
7.6MB

Download
memory/4732-12-0x00007FF80CB50000-0x00007FF80D612000-memory.dmp

Filesize
10.8MB

Download
memory/4732-11-0x00007FF80CB50000-0x00007FF80D612000-memory.dmp

Filesize
10.8MB

Download
memory/4732-10-0x00007FF80CB50000-0x00007FF80D612000-memory.dmp

Filesize
10.8MB

Download
memory/4732-9-0x000002BF2E5A0000-0x000002BF2E5C2000-memory.dmp

Filesize
136KB

Download