73a21f160ff3711fbd7d7bc4d682f0caf32c90cdf715ca8fabeed1a7efbc78ed

Analysis

max time kernel
83s
max time network
150s
platform
windows10_x64
resource
win10-es-20211208
submitted
28-12-2021 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E12933-ANEXO 3 PARA REPLICA DEL SISTEMA V.3 F.pdf
Size

324KB
MD5

9bfe59ac954df58cdb65c6b41cf515c0
SHA1

bfcf8a974efb75757d9763755c18d918f8c4ed02
SHA256

73a21f160ff3711fbd7d7bc4d682f0caf32c90cdf715ca8fabeed1a7efbc78ed
SHA512

852a768a3de1f27f086e806f694d89bc0c642171427ad6cb9748f998d9ecde38aa88ac3217bfce20282f18dc40542901758937532aeb3ccaaab9f8c7e5ab3587

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 1 IoCs

Processes:

FileSyncConfig.exe

pid process

1888 FileSyncConfig.exe
Loads dropped DLL 6 IoCs

Processes:

FileSyncConfig.exe

pid process

1888 FileSyncConfig.exe
1888 FileSyncConfig.exe
1888 FileSyncConfig.exe
1888 FileSyncConfig.exe
1888 FileSyncConfig.exe
1888 FileSyncConfig.exe

pid	process
1888	FileSyncConfig.exe

pid	process
1888	FileSyncConfig.exe
1888	FileSyncConfig.exe
1888	FileSyncConfig.exe
1888	FileSyncConfig.exe
1888	FileSyncConfig.exe
1888	FileSyncConfig.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exeOneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeFileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\CLSID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\TypeLib\ = "{F904F88C-E60D-4327-9FA2-865AD075B400}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib\ = "{082D3FEC-D0D0-4DF6-A988-053FECE7B884}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\mssharepointclient\shell	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\FileSyncClient.AutoPlayHandler.1	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_CLASSES\WOW6432NODE\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\PROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_CLASSES\INTERFACE\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ = "StorageProviderUriSource Class"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_CLASSES\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_CLASSES\WOW6432NODE\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ = "IContextMenuHandler"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider.1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{A87958FF-B414-7748-9183-DBF183A25905}\TypeLib\ = "{F904F88C-E60D-4327-9FA2-865AD075B400}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_CLASSES\INTERFACE\{F0440F4E-4884-4A8F-8A45-BA89C00F96F2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\AppID\OneDrive.EXE	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\ = "{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Interface\{A87958FF-B414-7748-9183-DBF183A25905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ProgID\ = "NucleusToastActivator.NucleusToastActivator.1"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

AcroRd32.exeOneDriveSetup.exe

pid	process
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe
4740	OneDriveSetup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

68 AcroRd32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

AcroRd32.exe

pid	process
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe
68	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 68 wrote to memory of 4360	68	AcroRd32.exe	RdrCEF.exe
PID 68 wrote to memory of 4360	68	AcroRd32.exe	RdrCEF.exe
PID 68 wrote to memory of 4360	68	AcroRd32.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 4468	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe
PID 4360 wrote to memory of 3928	4360	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\E12933-ANEXO 3 PARA REPLICA DEL SISTEMA V.3 F.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:68

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2AE04F4FE28BC4B0BE798797FC68BDE --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4468

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=21632822F215E2133CE80F6AF7C48C7F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=21632822F215E2133CE80F6AF7C48C7F --renderer-client-id=2 --mojo-platform-channel-handle=1648 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3928

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1EE10259C13156839853449F6CB14A42 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1EE10259C13156839853449F6CB14A42 --renderer-client-id=4 --mojo-platform-channel-handle=2100 --allow-no-sandbox-job /prefetch:1
3⤵
PID:804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4741971DEF24C719E05900C3CC74CA10 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1508

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC2A167CBE779101BB4F69EACD5B8539 --mojo-platform-channel-handle=2604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1955A531F77B7C2840BB8F4F903D5E0C --mojo-platform-channel-handle=1820 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3752

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
MD5
57bd9bd545af2b0f2ce14a33ca57ece9

SHA1
15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1

SHA256
a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf

SHA512
d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.DLL
MD5
4ffef06099812f4f86d1280d69151a3f

SHA1
e5da93b4e0cf14300701a0efbd7caf80b86621c3

SHA256
d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3

SHA512
d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\MSVCP140.dll
MD5
ce8a66d40621f89c5a639691db3b96b4

SHA1
b5f26f17ddd08e1ba73c57635c20c56aaa46b435

SHA256
545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7

SHA512
85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll
MD5
50ea1cd5e09e3e2002fadb02d67d8ce6

SHA1
c4515f089a4615d920971b28833ec739e3c329f3

SHA256
414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902

SHA512
440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll
MD5
037df27be847ef8ab259be13e98cdd59

SHA1
d5541dfa2454a5d05c835ec5303c84628f48e7b2

SHA256
9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec

SHA512
7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\VCRUNTIME140.dll
MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll
MD5
4ffef06099812f4f86d1280d69151a3f

SHA1
e5da93b4e0cf14300701a0efbd7caf80b86621c3

SHA256
d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3

SHA512
d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll
MD5
50ea1cd5e09e3e2002fadb02d67d8ce6

SHA1
c4515f089a4615d920971b28833ec739e3c329f3

SHA256
414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902

SHA512
440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll
MD5
037df27be847ef8ab259be13e98cdd59

SHA1
d5541dfa2454a5d05c835ec5303c84628f48e7b2

SHA256
9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec

SHA512
7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll
MD5
ce8a66d40621f89c5a639691db3b96b4

SHA1
b5f26f17ddd08e1ba73c57635c20c56aaa46b435

SHA256
545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7

SHA512
85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll
MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll
MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
memory/804-127-0x0000000000E27000-0x0000000000E28000-memory.dmp

Filesize
4KB

Download
memory/804-128-0x0000000000000000-mapping.dmp

Download
memory/804-126-0x0000000077632000-0x0000000077633000-memory.dmp

Filesize
4KB

Download
memory/1508-132-0x0000000077632000-0x0000000077633000-memory.dmp

Filesize
4KB

Download
memory/1508-133-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1508-134-0x0000000000000000-mapping.dmp

Download
memory/1888-144-0x0000000000000000-mapping.dmp

Download
memory/2360-136-0x0000000077632000-0x0000000077633000-memory.dmp

Filesize
4KB

Download
memory/2360-137-0x0000000000FE8000-0x0000000000FE9000-memory.dmp

Filesize
4KB

Download
memory/2360-138-0x0000000000000000-mapping.dmp

Download
memory/3752-141-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/3752-142-0x0000000000000000-mapping.dmp

Download
memory/3752-140-0x0000000077632000-0x0000000077633000-memory.dmp

Filesize
4KB

Download
memory/3928-124-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3928-125-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/3928-122-0x0000000000000000-mapping.dmp

Download
memory/3928-121-0x0000000000E1D000-0x0000000000E1E000-memory.dmp

Filesize
4KB

Download
memory/3928-119-0x0000000077632000-0x0000000077633000-memory.dmp

Filesize
4KB

Download
memory/4360-115-0x0000000000000000-mapping.dmp

Download
memory/4468-116-0x0000000077632000-0x0000000077633000-memory.dmp

Filesize
4KB

Download
memory/4468-117-0x00000000011BA000-0x00000000011BB000-memory.dmp

Filesize
4KB

Download
memory/4468-118-0x0000000000000000-mapping.dmp

Download
memory/4468-120-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download