hxxp://scratch[.]mit[.]edu/projects/636930645

Analysis

max time kernel
593s
max time network
595s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://scratch.mit.edu/projects/636930645

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3968 created 4752	3968	svchost.exe	114
PID 3968 created 556	3968	svchost.exe	118

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	OneDrive.exe

Executes dropped EXE 4 IoCs

pid	Process
4752	OneDriveSetup.exe
556	OneDriveSetup.exe
2856	FileSyncConfig.exe
2016	OneDrive.exe

Loads dropped DLL 37 IoCs

pid	Process
2856	FileSyncConfig.exe
2856	FileSyncConfig.exe
2856	FileSyncConfig.exe
2856	FileSyncConfig.exe
2856	FileSyncConfig.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FileSyncConfig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_CLASSES\INTERFACE\{A87958FF-B414-7748-9183-DBF183A25905}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\FileSyncClient.AutoPlayHandler	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging\ = "NucleusNativeMessaging Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID\ = "OOBERequestHandler.OOBERequestHandler"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ = "BannerNotificationHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CurVer\ = "SyncEngineCOMServer.SyncEngineCOMServer.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib\ = "{082D3FEC-D0D0-4DF6-A988-053FECE7B884}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ = "IFileUploader"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ = "SyncEngineFileInfoProvider Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2200	OneDrive.exe
2016	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2200	OneDrive.exe
2200	OneDrive.exe
4752	OneDriveSetup.exe
4752	OneDriveSetup.exe
4752	OneDriveSetup.exe
4752	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
556	OneDriveSetup.exe
2016	OneDrive.exe
2016	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: 33	452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	452	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	4752	OneDriveSetup.exe
Token: SeTcbPrivilege	3968	svchost.exe
Token: SeTcbPrivilege	3968	svchost.exe
Token: SeIncreaseQuotaPrivilege	556	OneDriveSetup.exe
Token: SeDebugPrivilege	1012	firefox.exe
Token: SeDebugPrivilege	1012	firefox.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
2200	OneDrive.exe
2200	OneDrive.exe
2200	OneDrive.exe
2200	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
1012	firefox.exe
1012	firefox.exe
1012	firefox.exe
1012	firefox.exe
2016	OneDrive.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
2200	OneDrive.exe
2200	OneDrive.exe
2200	OneDrive.exe
2200	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
1012	firefox.exe
1012	firefox.exe
1012	firefox.exe
2016	OneDrive.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4168	firefox.exe
2200	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
2016	OneDrive.exe
1012	firefox.exe
4364	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 2216 wrote to memory of 4168	2216	firefox.exe	81
PID 4168 wrote to memory of 396	4168	firefox.exe	83
PID 4168 wrote to memory of 396	4168	firefox.exe	83
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 232	4168	firefox.exe	86
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87
PID 4168 wrote to memory of 1772	4168	firefox.exe	87

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://scratch.mit.edu/projects/636930645
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" http://scratch.mit.edu/projects/636930645
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4168.0.1929582216\766451418" -parentBuildID 20200403170909 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 1 -prefMapSize 219944 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4168 "\\.\pipe\gecko-crash-server-pipe.4168" 1768 gpu
    3⤵
    PID:396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4168.3.263403815\1349579968" -childID 1 -isForBrowser -prefsHandle 2468 -prefMapHandle 2380 -prefsLen 112 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4168 "\\.\pipe\gecko-crash-server-pipe.4168" 2404 tab
    3⤵
    PID:232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4168.13.210674612\794056231" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3588 -prefsLen 6894 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4168 "\\.\pipe\gecko-crash-server-pipe.4168" 3592 tab
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4168.20.1375233318\1333632899" -parentBuildID 20200403170909 -prefsHandle 4676 -prefMapHandle 4524 -prefsLen 8049 -prefMapSize 219944 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4168 "\\.\pipe\gecko-crash-server-pipe.4168" 2248 rdd
    3⤵
    PID:3488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3576

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2200
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    - Modifies system executable filetype association
    - Checks computer location settings
    - Executes dropped EXE
    - Registers COM server for autorun
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:556
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Drops desktop.ini file(s)
      Modifies registry class
      PID:2856
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Modifies system executable filetype association
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2016

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1396
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1012.0.538608915\1687135158" -parentBuildID 20200403170909 -prefsHandle 1724 -prefMapHandle 1544 -prefsLen 1 -prefMapSize 220183 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1012 "\\.\pipe\gecko-crash-server-pipe.1012" 1804 gpu
    3⤵
    PID:1812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1012.3.1493190223\1236290714" -childID 1 -isForBrowser -prefsHandle 2532 -prefMapHandle 2476 -prefsLen 27 -prefMapSize 220183 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1012 "\\.\pipe\gecko-crash-server-pipe.1012" 2280 tab
    3⤵
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1012.13.895333707\602443113" -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 1560 -prefsLen 6183 -prefMapSize 220183 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1012 "\\.\pipe\gecko-crash-server-pipe.1012" 3592 tab
    3⤵
    PID:3376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa393b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ApproveFind.wma

Filesize
329KB

MD5
02253bda658195ebf09d792d9f5e3cb2

SHA1
2b9c86400b3722ffb030daef2bb9e27ef8fa2525

SHA256
249c17df098c409391cb2ea98a141f5a9c9b9254a7b093bf57981ba46c336411

SHA512
2962c86d1149f135987d2f096a0d0a5d7e840522c6130d15001fc61e7bdb8c7cf5153f5ab3cdb400aa38f9ede7c279fe2a0470e623c8e25db4e67b478df9103e

Download Submit
C:\Users\Admin\Desktop\CompareInitialize.asx

Filesize
752KB

MD5
6a2d1a943ea04420dba93f44dfd5f17b

SHA1
557c98df7aadeb46f00de273f71e8ed041d48406

SHA256
a8084761aff13b93f93b6edc79ed1cfb83eead104da1bb08ac7fecd3df4d449b

SHA512
ae3a1b8a58134563e3378ef80628e6f6f2ca1daeee2a4c352b03f5837a2ea032238f2d9e6923121cd5441a412dac8ca90adc593aeb253870d985b98ca38c3264

Download Submit
C:\Users\Admin\Desktop\ConvertFromSelect.mhtml

Filesize
540KB

MD5
2c98af1e82e76e5b1d9ab12e6b2f9380

SHA1
16af641e0da610a0130e7ed18497aa21cee99f44

SHA256
a710ca0e708c742a604b62490a58a6c6b3130bd1c931a228154ca2016e439c4c

SHA512
9865741ed39fafca5885979e4ff6b04bef9d273aea8e637d85a24bff4bfcc8195dc1928c98d444a0a63d75626e06887122a1e1669c74b16e18bc12e999869441

Download Submit
C:\Users\Admin\Desktop\DenyFind.bat

Filesize
775KB

MD5
3bcf1e01896890dc889dede960046d2d

SHA1
24fb6501c6f17a7129452acde153bc42de32c576

SHA256
3d84aa8689ad3fa553d897ed161945a39d2d8606af8c9e421ef69f351e5bd0f8

SHA512
ad48b3a3b6bdf3896d2ed718844c5252311df71f66b06bcd7656d9d8793d19b169a0cdda0049aaa30e5dbcbc19a9ac4683d2f34ab3ffc3802ca70c17ab17cd72

Download Submit
C:\Users\Admin\Desktop\DisableSkip.eprtx

Filesize
893KB

MD5
e1c986ce08a70c722932fe71dc692b6b

SHA1
51ea672126c40e023bc121954cdbf8acb1351de4

SHA256
b8c114943e9321cfb1b9f8e46239598fb37aee71ab98baedc4be91083fffc468

SHA512
66e83b780d64b664dcd63412d12fbea460fcedefc30889d93aea090f236fd7f06d782431226a29e3dfb35440c5ddf575a030cf252523e4bee75cdefc82831a32

Download Submit
C:\Users\Admin\Desktop\DisableUnblock.gif

Filesize
1.3MB

MD5
52c956a54e82c2e7841144c984e97e30

SHA1
98a0a2464630551cd488350edcb82dc074a0451f

SHA256
0cbd6ac361c4774dce9786eb2ef0feeb6562f02eb41164f1c08d069d64d167bc

SHA512
9cba92cd7ac8433b680b5a9854031ad3aa4815e47874e4cf9bd86855319105c748726343bf1ae7ca986bdda0fb6b9e729f05f55e76b100078acc82529d3dc946

Download Submit
C:\Users\Admin\Desktop\DismountBackup.rm

Filesize
846KB

MD5
0907710cdc6463221b5627df8d8cbe70

SHA1
c2dfad61287d79ee54b2b570685285741936a097

SHA256
97a0e483e140de93aee75d74b2c998675e4f612e2583a7a5007114040be71f97

SHA512
2b302f52af05fbf7601f26299c0d33ce491a61f03fca0811f900f016f8ee2b7ec85a974c671d8d7d7399f531101e9a6b1d4943e094919739b62422b4a0bfe31a

Download Submit
C:\Users\Admin\Desktop\EnableRemove.odp

Filesize
564KB

MD5
81ce68e1cd790d7c65ecdb2aae47da4c

SHA1
34dde1ed77b547b0d3feba6c6a068089615cf4ae

SHA256
977b8b1ebed25e38542935b171f5872cd067433620313d66fcb4a60fedac1815

SHA512
b8322b39e9a3fc37839c4a2b38aca51fa820c0b46177c20280ff665c1e816ecde013ab946277c690d03a9e173ca5e5d1ab08bcbbc67b4fe10be5a5b1a1e8022a

Download Submit
C:\Users\Admin\Desktop\FormatAssert.mhtml

Filesize
493KB

MD5
7f46941546133113c76fe5feddc0afe0

SHA1
3930c7506b061f18fede046c719c6dbc163d19a6

SHA256
5047639e97ba70f25d28edf0c1ff0273da51c88f7e1b5be933cdeb422149dcf7

SHA512
4860601b0fa3cdeb209c21c07785657b1b90509f2f5944bbbccf63a1d92ee84c83c9f1846d15e980cce0fdbac9662766c750af27d4c9301204d7e2c31119882e

Download Submit
C:\Users\Admin\Desktop\GrantDebug.wmv

Filesize
799KB

MD5
5c37f893c1411203773486582ebc3599

SHA1
476a0e6bedbc9f593a49fec928849b88c9d7ded8

SHA256
e98156db3dd91c838e750a7d37f699e28f6325be20e6f1f9ce2677009e443360

SHA512
f96a4106a5c0bcfc24c37a439f1b8cee6a2b992cc3b06067136b33bda48880bc74e828d6e566f74427511e2ca46b432250b33214281395eccd36a72bb66a6899

Download Submit
C:\Users\Admin\Desktop\JoinOut.xltx

Filesize
446KB

MD5
ce3d01a1ba2e82682899eb655cd467de

SHA1
a5611c5d17aba85c029f64b0659ba7de3fae6752

SHA256
5356e84a91865dd120a150424dfa907a473ffc6925537d227dd7be084b8ccc60

SHA512
ffb25ea987b930079725d5ef72dd69507479c4a00ce2212d3670a7692aff525b7037057b1a87393853eb58614391fd5339b8e54ae01abf45a3eef26e8d65e8c9

Download Submit
C:\Users\Admin\Desktop\LockRestart.pub

Filesize
658KB

MD5
e6b2f57b5177021e19198ac46d9d6e22

SHA1
cbd55ee3e0a650e771a11bd01c8843d366c0d889

SHA256
03037de1be66bbf7ea9befe8dea3b4350e1492523c7e33c3bd186bfa5405ecd7

SHA512
a31eecdba83ab8c27a8d6e9255419c6c7002bebad8f087beaa846d5d8daf48c43692f34b51fd3274134aedf272cc7e1c32caca3a6e426ee3f8aea0ef1b8168cb

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
3999dd504588a2440b0ae8b836516c2e

SHA1
272bdddaee28dad295bbe2c2e101f05d4745b8ed

SHA256
669caaa5d4a98abd27868816cf17c664cef8b391c5f5e7f87332e6ba17667bd1

SHA512
f4c3ae7f721c47d5282c412e434b03f10786af0b54ff139b309d2f172a4fd3aecce4bffd1e1219a0f3a78577dbf05a1e22aebe46421b529ee61742e79851ecd2

Download Submit
C:\Users\Admin\Desktop\MoveEdit.png

Filesize
822KB

MD5
c99bc431bf50de8021156ee0ad188afd

SHA1
8a014f9decfb93d07c7cb5f4ff9f54259d70d05f

SHA256
13c4fd6ab386bc9c48091bda585f0854fed7e62d078bec4a3c5a12f14244af84

SHA512
2acec9812fafcdc51e8c4a2e06fbf8c79c707f59c23d44bfb27c49a939421c7208fb394c6125d9782cd89fe2dad524678a367c246a8540149bd55721f34a05ef

Download Submit
C:\Users\Admin\Desktop\OpenUninstall.htm

Filesize
399KB

MD5
495489be59573b94dab8e21616cf462e

SHA1
8ac4be6a6b88b92b9fa251a2f26902733d2cb7bb

SHA256
ce19e7fc632bf3b44ca352d13e15bc78c2bb439d1dc7d15f04994e71fb15b41e

SHA512
91eaa011219019297a27d2bd414364a7be3281a8d5ad330125d6a697c96b15ae44d38745c476416af2ea4f2647b4448559bc3c70cfbbb3081506b523d4aa1733

Download Submit
C:\Users\Admin\Desktop\ProtectImport.au3

Filesize
517KB

MD5
ef6c0997dd821e1ed445a68bd2fcd30d

SHA1
09b73fb19cccb003c20517479bac667ecc025f3a

SHA256
4593177efa14c4c076936e16dcebc7e08265220765dbaa5bebc8523a49ebac91

SHA512
1382973a5c26f792b19bce5272447a335966d1f71432c108ccc6946a01207c8743f5373b2c3a10835acd78d0f3d797ad1003725fc760daa3409d435835fbd4a4

Download Submit
C:\Users\Admin\Desktop\ReadUnprotect.xlsx

Filesize
611KB

MD5
9927f874afd0cac44ae172c405fcbae7

SHA1
ca6a7d1fa4cd58da877acc4416362f890bf7dcf0

SHA256
894d94067391dfe7fdcc97960ef31efce66e2f62a68ef1bb5047f94a71bc2f87

SHA512
f50532e2d8a7897cd0bd2af2aaee6368dde3d7e593d7a2ddb5758e54df75ad368351db31981f1c081e7e6459f6f8ce32f754d8e87c46bb1b30967578d1ef2187

Download Submit
C:\Users\Admin\Desktop\RegisterReceive.DVR

Filesize
470KB

MD5
3cf219e4700fa2c84e4ad0fc329fe286

SHA1
61a3746b16778a14970dd684adc169492094b913

SHA256
15cc286bd70040ab8063c0fd448de86646d68b27bd6debebea15d17f13f87078

SHA512
72dfc9ea14d40e16f0fee4cce35ef80ddfcd6156529fcf45fdf127c3a269f54379c827f4cb3a1272f31d7d09c9efa3aa8b2b3e3194f048dcb528422402f2451d

Download Submit
C:\Users\Admin\Desktop\ResolveBlock.7z

Filesize
728KB

MD5
21e65dbfac183f37fd0b12c1e29a0a30

SHA1
1abe21bc65c121ea52f0362a957bb66655a3e6ac

SHA256
8e948922c55d7152801249a4a052a06ee0f834b43438fd295fe475c5429b1ca9

SHA512
f52df39d25ca00b6aebc299d099526342f12b9f92cb10b077b56bf7f423788d495949d9451085b6370cdadf1dbf9c88de95c954a262f95308f475d4c313f058a

Download Submit
C:\Users\Admin\Desktop\SelectImport.TS

Filesize
352KB

MD5
7b2310d09e4887c70a4dbd7d627c6294

SHA1
ac2bdf704e0443f89f0b54f7df09394b875c6f76

SHA256
03db3a8325ed57efaeb3e200b9f2bcc03f6198ae45037050f881e5b0151f4f14

SHA512
1fa998ebdaab900ca33b1d1204073f747ece7fb9b6cd99e111d6c34e120edfdab3eedaee6c7a10b81c459f921710633db501b898caa39491b238dcb4528f599f

Download Submit
C:\Users\Admin\Desktop\SplitNew.tif

Filesize
916KB

MD5
15221f6a2cafaee220ea4593a93d9c33

SHA1
4ebb1ddd5fae8c4a5830031780378796c004cdab

SHA256
8f8eed396d5d7fc455dccdee5c3d16cd3a8cb6e29a2addf3f1b384cbc1d85e00

SHA512
317b5d51e236382d0b9ef5964dce83bd7ded1ae19ee13d818b07a3066b3c5e1df988234308025a902a98ded31101494fd7ac6f1de5baf985cde20a3861ea5139

Download Submit
C:\Users\Admin\Desktop\StepUninstall.hta

Filesize
376KB

MD5
6bdbe8a062141bf01788dd575a2edf28

SHA1
9902db6b07ca6de1b1a36bd0e5be92ec8709701b

SHA256
7b17b85293e6f4b5cc220b01ed4a4dc2e7566b726077605a7aaf03d28fd31699

SHA512
36de0b9405ddbf81a7d2ca5ff2b620e147aab0bab677a31116dd2c28505153ed9ba4d0f920db2add8849810024184dad67f87c1d6571e83af9654618a6695802

Download Submit
C:\Users\Admin\Desktop\SwitchGroup.i64

Filesize
705KB

MD5
8c84e8208b44aa967473310ef0409aa2

SHA1
f020c5d500a334f3772b12bc4d0670b366a434a8

SHA256
51a069808b00ce0457510e1a61608f0af226f710de7a51a253c38cabeab8ccc2

SHA512
ba1f8a52f42a18bb2f52eb70aa08e544797cb5cab168f60a40e005db48aa599a6bfa4b844d5e093542611c67f7c98f90e6a14923d063019bcabba4d30a719ac4

Download Submit
C:\Users\Admin\Desktop\TestRegister.dib

Filesize
940KB

MD5
0eba1e7f3e55b629dfaa23b94bf40b8a

SHA1
9a59b51e68afff83377cf656702480c939435c42

SHA256
c16003a2c968b6529d81f07e25e418c910e655dab1a815e8f7cfd77d96071466

SHA512
26b7e0dc03031098366ddaa1e4dff2580d24e011612928d5e9f8497026f04bd6035e34f4d1aaf22fa274302280095b2a19e72136b35da6caa50ce036cef776f5

Download Submit
C:\Users\Admin\Desktop\TracePush.pptx

Filesize
423KB

MD5
d452a9736974d84c8ccc57b1c534af74

SHA1
1f16bec2390c732ee4d2aed5e8f05cafe9e70592

SHA256
49d1ac831ff211c13603ad2bc3701c2efec21a6f87abe86436b829442ed89fda

SHA512
eda4d144c8d24dd3e5945d1237cc4ed84c1cf1bd751ead283e277fff67244fafb3e931b4358dd2e813a0b7c803708828346e1d3dd091ae7334bf80e72141ee6e

Download Submit
C:\Users\Admin\Desktop\UninstallUnpublish.7z

Filesize
869KB

MD5
0ad05f6e670cf835c81381a921af6899

SHA1
bfcf83a1042fdc64d0ad7c57729348d5ce8fd05c

SHA256
ab0ca3e2d1e755f8f4b2b5d378affa1e11cb35f22f7ff9cfee5205bb98a3679c

SHA512
d2bac68e71c811efec7537311c31dd68335460f1b06181383218a31e938ccc5e431afd86fdad78d25e2a7a40d8961d1ef84bac15698d2af105729dce7df64dd3

Download Submit
C:\Users\Admin\Desktop\UninstallWatch.avi

Filesize
681KB

MD5
673f0cf8cb2a2d99ccea2601d4e4a830

SHA1
77aeada89b740cfe94fceecc9904d84062c4a886

SHA256
1a5f0ef2de475fb1ef1c87c799aaddd0db5253400db5fcbcf800a3ed2c73767a

SHA512
4ae8986a5313258fe8f1e21754f7e8dd059a763e6fe4e4ed09cff27d90ef26f1a95e25af864be80fe79e993c9006d1aed9cb9679b8d69f9c8e4496b5497e9bcd

Download Submit
C:\Users\Admin\Desktop\UnprotectConvertFrom.txt

Filesize
587KB

MD5
2fa99c085e66fb2a9494b81b2dd73527

SHA1
3970e8081a84ea7ddf483e81d8e7daa7b4c5c390

SHA256
26f0a2a29861cb9f6e6edf67ce721041e7168d64951330058d89f14cd472ea8d

SHA512
0c1021cf5801b309e4e0127deefc32e4cfab763cab986cfb2c91e2e6a428598a2c7ee5de8b271a6aa818e440a1429789b37491f146eb3c821905bca6139c35c9

Download Submit
C:\Users\Admin\Desktop\WaitOptimize.mpp

Filesize
634KB

MD5
658adabc2fdad60778fa7ad128369ea7

SHA1
8bf89875b930bc31f842cadc5fb89b4273f309fd

SHA256
922d9fd594176e45c8c539dd2c1cf4a611d96c98554a3843479e567e367cf341

SHA512
7b7c74368a61e504b337f54a77134683b4d510b711dbe05e75e1abad574146875a1d53599d3e74ed9e1b5e06809e6c2691aa20f6a2082368848fd24b5ac13047

Download Submit
C:\Users\Admin\Downloads\CompleteUpdate.mp3

Filesize
522KB

MD5
0556b6d24b66b8a9bc6b6dac07d2c54c

SHA1
aba2988cd60eb7739352332b56e7ae0715f289bf

SHA256
58a7086934f3901071cb5fcd784482577d97903ae8b8ecb6a32942ef56f25b3b

SHA512
3223843b144e5e813072e23944b4c79dc048f4f8677eab8ae4e4603e10c0aba507c50463f1b65c4d5f62c170e4c0e53a8bf45a63a95b36ef5153e447ba9dc6da

Download Submit
C:\Users\Admin\Downloads\CompressConnect.jtx

Filesize
1.3MB

MD5
5d7b006891339d87c3db35d22803405d

SHA1
2791c5eace0e8b04ea7433b8878024724ec5513b

SHA256
27a1141945aec8e1d47e6ed0c0785cbbefd3a008fb5c39041d02ce835acfd642

SHA512
31faafcc8158fd286aa587c714c054b879a8eb500d3bf0fbfe2437d3ec409364f1bf693a818d4b4df0b51a23cb4c585682e6b30f470f28d929bb3a02db18e377

Download Submit
C:\Users\Admin\Downloads\CompressSync.contact

Filesize
641KB

MD5
e50845dd9424854c338f806e66be53e2

SHA1
d3398360f93a5d39d22e21a0a47745c3d3086465

SHA256
26522bf38b080a5f86ca241b097fc9f4f8c914e63a08486bd8f74d925f3e19e4

SHA512
5d942c005d9e5314be2896d53d6a99f9c1f5d52d0cda8a2aedbfbfa03a58cf17027107310a6188b625efb27b4a82e1d6a50145b1836a041ee11c88013b1cf58e

Download Submit
C:\Users\Admin\Downloads\CompressUnlock.xps

Filesize
701KB

MD5
cc377e996bad9dacbbee0731aea3c6c5

SHA1
203609a12ce80fc5db361960768e2f30db7082eb

SHA256
d61b4bbf87181918f19e8a5b98bffae61549d1b2c83e6623a0116c6f2f988594

SHA512
d892197d918bfd61e9b41faf6cb6bebebf6eb7cc3dfbe015054c180ed5bddc9379fcb8e12571a8092688a24a404d7a1cfaa4b610c67e6c3382099d8f2a30e954

Download Submit
C:\Users\Admin\Downloads\DebugUnprotect.wmv

Filesize
1.1MB

MD5
baace6f9463ed3de0adeb6b2badcdcaa

SHA1
e5e0b75e0e75b5bd31fc2acf7dc26499a28f7bd2

SHA256
c51cb54a9e58de6c787f70efdbdc5d6d9695a2480d56d7a20c9c1ea06fc611cc

SHA512
5856c6199758dfeb5b0e16d6445a34f985007d2d01e5253d42881e366ba2f66572736799ad685268a54ed504e85ca0134bce8ee51e3d0a53b728215b403ff617

Download Submit
C:\Users\Admin\Downloads\EnableUninstall.xml

Filesize
1.8MB

MD5
eb40202a61cb7057e1ce522c3b27d266

SHA1
da4975d2299427661d05d5225fbf2e3dcb6fec2d

SHA256
1fdeea71ca381c737124e33d13cd8575236b1858af6a72d2cd6171e315566886

SHA512
60f475e76a5689713677b02fb29d8d8c4667c28e5c27e70d65d681029fb31ae596552254870f417938bf10996d6f06577639e09228e76418767a482e8c4be172

Download Submit
C:\Users\Admin\Downloads\GrantReceive.lock

Filesize
1.2MB

MD5
bd08245bab6adb3c417d23356fac36d8

SHA1
876ce9dd37fbbf8d8bf24914b65a5febaf4af6e7

SHA256
0ce674090276cad4ae2d9b80f080c91cd43eac2ccabedb781ba9d98a146c36d4

SHA512
db258a94573d0fd4b089f96798ce1fae0f3a374303823d7766f15cc6f27a1566a4023881f74b4ec0a0d6f565c0bd4e75036d790bdb430546f7654ed9726bcc29

Download Submit
C:\Users\Admin\Downloads\GrantSync.pot

Filesize
999KB

MD5
3e21a49a67802fda80fafd2c935d226c

SHA1
242a411b51821499ce537e238676aa0b3b490571

SHA256
a3e2d4970b9edc3a8e6edc45bef69ed4450e5f673158fd9b1c2c21cd7fc33b59

SHA512
3082673ba410368fe865d3f481c3a68ec4de89be1ae1ce96cf5f7584dcc31929912b331e5abeac9089ac67a36686f9b8c256b1d7c4389befe3c8163a1ec9e78a

Download Submit
C:\Users\Admin\Downloads\GrantTest.mpeg2

Filesize
820KB

MD5
cea1e04bbe0bf22c11804fb352ee059b

SHA1
ca0dd59129905711af5f574f3e10f2a63d20c908

SHA256
7ba6cffea5283cb6aa75cbe2ac009db35e212988b4648bd71b846565731ba4eb

SHA512
8f6cc4ac4def47447175e486811dbca0aecb4caa4664ebcbed992f900b2e296f0d77d0ad2744f9e4a1cae23b21cef172a0a0364646806ad25dd8bd975769a0f2

Download Submit
C:\Users\Admin\Downloads\HideJoin.vstm

Filesize
611KB

MD5
3d2f60a3edf4e7d537be878eeb9f7a9b

SHA1
2b42eda8e0ccd964e85f47e08f8b016c92e8cf11

SHA256
82438058598253e11952b0008c390ae1b80528bd2784be60fbda6f41723bbf17

SHA512
d4d72490effafb1e2ce06c6dade42593fee88e177d9459359806b06d17c4249e837f4e297ca41457cac29a7307283f91f8d06d7c24b29652abaff6b20b4e0bb0

Download Submit
C:\Users\Admin\Downloads\JoinInstall.cab

Filesize
1.0MB

MD5
f62c853355783fface3d163c86eeedee

SHA1
78e6b1558acef11f6d5f70dcd37720ce7603892f

SHA256
c0e3ea96b8425d8d0e57e1427d0711b17257ec87705005d24fc1784dc56795ff

SHA512
6ab941f35fad838b78eba7541c6d8a25eb51b3bc6b9bd3f05dcd42bf58f8b74d8a22796c86f29ba83ea06a3504af828b2c4bff268bee7a5cc0f0fbaa9e440090

Download Submit
C:\Users\Admin\Downloads\LimitMeasure.au3

Filesize
1.2MB

MD5
a71da631c3d026cbb33c6f805174feb3

SHA1
96b85d1166a9eea04179c049b953c707e6aaec7f

SHA256
6276b9a20f9a0cfe98afdb3b610a12459e5e142b8eaa514967346ff52ef11b24

SHA512
764c86e214f4ed144e735cb2012130ea1989dade93a7a15414a13478d9864088f08f1d62575361cc832ac84742dabc674e34b47c6908796a5c4f5dff02815464

Download Submit
C:\Users\Admin\Downloads\MountInvoke.vb

Filesize
760KB

MD5
2fd04a764ada0eef364ae7049403a912

SHA1
03b858420575d6c6883bc73ac92ed9109980c599

SHA256
7081a3b472d3e82f0e22049c6e0ea450a1839e7e2433d4f8a80aaa491469dcf4

SHA512
9552bb1f8d8772761f54f8bb2554b7a6865d6f7368a80f9d5e5213b4c214abe3de987ccef673de1632fb83be37262b008626b62868765ad5490645a668f51b44

Download Submit
C:\Users\Admin\Downloads\MountSelect.xls

Filesize
492KB

MD5
b34492f3e71121970e2bc52d7cdc2da8

SHA1
736fdda9fe6924873253b2c236a78e6851431344

SHA256
9ec1ddb9949f00d0b4bb54f76ec4fa0299873084cebbfc3afe24ffb7c7380cae

SHA512
1dfda8fe386f89b44d5f113174619cfc336f4802fc44897119d9f11452356c2683cb3fb0c3d2000ec3787a426e399f3f37f8e8664ce0f0c42af2c72b074ac43b

Download Submit
C:\Users\Admin\Downloads\NewUninstall.ppsm

Filesize
1.1MB

MD5
dc4c6787165edc624274187c79eb0dfc

SHA1
c4bed73ac68250dbd05d78084d72f5d9b0c07151

SHA256
f3cf04cd4d6f2bfcf44eb2c6c3fba788cdec845f431c57c00f7ac2feb7f390cc

SHA512
981efa1c2fb4f4e0d68d28d1bc338e78cade731165e8c212e201b4aaa95c3848dbab4e10e7c4335f970a41fd3e5b1664e8f33551a72b54383c61d08123a07b06

Download Submit
C:\Users\Admin\Downloads\PingDismount.mp2

Filesize
790KB

MD5
2f52bb2ff96c20796e321b65078e8dc0

SHA1
eb9dca1ba2b0f91e14c564640d813ad95be8153d

SHA256
f2091bed191ca9e00c513e425b90469f2c45b829a14cb94b9a30f40ae109147f

SHA512
eb4f8f25aab785f0e3df36b3fb91d636410eed57a18d790309bec50d6da5a4e794e51eaed6c2e778a948e07ccebe18f1ba6a15549a75b9c5d0ba05ac05a032fd

Download Submit
C:\Users\Admin\Downloads\PingTest.docx

Filesize
1.2MB

MD5
8593aa627dd0c269e75094f61a9ea01c

SHA1
cbd2605a528b409c7cdb161f31f15ebb12fdad58

SHA256
2c50d966dd8f4d8464a2024ad14346e48567bd638e98597426769c985825ee19

SHA512
5f5e1bc6bad95d2517e4e818b57806c72f484c57dbe304576003da1ef08ec836dce13dc3b112a8ec79c0ea4505269e18ee48841ba99f163e829cb03f8157fa70

Download Submit
C:\Users\Admin\Downloads\PingUse.xhtml

Filesize
1.2MB

MD5
e87cd451ec7bd638dc271cbd02d4f5a9

SHA1
8678afddc48293d678ea35bd1bfcacd363f43d2c

SHA256
ecc7ee8c1bf992726d91ae2add1cbd2ea72d811ec216f258f72f98936cf7e9b8

SHA512
86b84126c1165d914c18411978294f8a116b1e154ecf2b3a6bec4ae146b9620e8a4ca6c7654492efa1b1c49420993fbf29c2617708765e35985a8897db0c8737

Download Submit
C:\Users\Admin\Downloads\RemoveJoin.wax

Filesize
880KB

MD5
eb1f034a6af6b683a52329783faa9634

SHA1
e8a412198351f65d0860173259e56b8bf546f888

SHA256
c2af4090fc277e80975456d4a541d6771a52175d0563a56865b25791a6a3489a

SHA512
26f0eb9c5c2a41db29c03634356e28eb3132258099e320b96d90e9632efc2489e9fa1d2f80789a231802992294c6e2191aef166f32fd2ac9ab37a8433336d0b5

Download Submit
C:\Users\Admin\Downloads\RemoveResume.mpeg

Filesize
730KB

MD5
34e820db6cc8db95042d8350504bae2d

SHA1
3c565882b1587dbbc4b8e5563fbe5d565769fcc7

SHA256
dc9d8c54a55619a0633befe84b510840ca80a54a4bdeef0f4e1edf2fe9b7d063

SHA512
f226c470a4d4b6a70cd46d5923e10be937554143deed8662702a82aaeb7adb1162bd2315302131f85c56ac6212db51e72b7c70a5aacc9753509cab7f78c9f756

Download Submit
C:\Users\Admin\Downloads\RestoreReceive.cab

Filesize
1.0MB

MD5
9ccbc05735ba45937c656ab5ec8862e0

SHA1
0649b96887b831a579ced0ad0656109ca82fa77d

SHA256
3f911771ab3a403825700ca6e3097aee6f0f53f6b284630e2ace15a25494b33f

SHA512
81a61785d34280749488809b02e0385d72289f8dec7440feaf8937ffd238cb585e57c89f628407debddd46044e6624575a2246dae8475c377989ad31f6306cef

Download Submit
C:\Users\Admin\Downloads\RevokeWatch.vst

Filesize
551KB

MD5
62d722c71f579ebdcd13041cf35b51d8

SHA1
f7358b23450fea78a7fda0d27692b5180c4ae436

SHA256
305918f7e06053186d3cb70b4fbc77822d371266b0b7cc949d06eb7774579078

SHA512
c0c2d1bd4f95147c04ed30fe5d0bf0c7916655cb6e373c7420e89017065e5b4bcb90481cb3068f19a1b0e5cfe4d01ec9f41e1946bc77832418958ae8a1db03c8

Download Submit
C:\Users\Admin\Downloads\SearchOpen.mhtml

Filesize
581KB

MD5
21bc24179e9c6e700b7cb06fe2c6bf6f

SHA1
07c10738c644921ce4801a8d53abeb757247d6a5

SHA256
2a0658f66f9fcae01372b59aa589c37b0cb253779d53294032b96eb2ddcd7308

SHA512
0b7902b1e4511b6ddd6d4d9a42475634fd85fa92b8bc1cbbf61a4c0aa6ff3823441c2117f907b0c146f412e52a9188d5474727b7ef3b56d28d6ff4b7567032a0

Download Submit
C:\Users\Admin\Downloads\SkipUnlock.midi

Filesize
939KB

MD5
6b1824c0e3635ac9dfddeb5af6fe47c5

SHA1
fd55f5b412df303ca98e3bad377f1664d521b23a

SHA256
dbfcc512f117e00b6c0989af65e4dcb431da439c38b15979c151285f7a3797fc

SHA512
72dc23dbad3e4e9c5c406ea90cc0d3a9158dc3a30b42e71fbfb11446da83131c9691eedb15c20b2ef0df42cc38f3e33020751eb489a7dbe9aaa91dc6b134f7ee

Download Submit
C:\Users\Admin\Downloads\StartOut.vstx

Filesize
850KB

MD5
3db95dbecf82fdecbc5388fb0f3e0d97

SHA1
3f5db5657ef41e4952d050b27c0596eb59348348

SHA256
eea283100b8920d11ac37096454f869ac2060bf90f178fc3c522517e98b39395

SHA512
9aafae3f764a2b79c38626069857aef6a8ce985a11d802c940d8a17a9f03d34e400d28d9c45fca1939b64849253412ee365b80d8b47acd3048a8ee8dcfef185a

Download Submit
C:\Users\Admin\Downloads\StopConnect.3gp2

Filesize
969KB

MD5
6c3e6f0e482fed2fc867ed28d0407bab

SHA1
902d5cd87c6f983e1340e36a3bbffa7cd17d7785

SHA256
ef21f7266134ebf93abf69efe101009a12bb0a7544e8b8a9948a524e842211a5

SHA512
9fddb1fdf808709c02e830af4f060e44f18f53ca68f3643e6e350b877d103e98824a5f1603d5b2f811ca795680d286fbe12a999515d8f848bb3443bd9f85d494

Download Submit
C:\Users\Admin\Downloads\UninstallTest.7z

Filesize
671KB

MD5
fd2a0bf5f6d3e241726e39d4ab1e0c2f

SHA1
74c548f76c4b2ba88d18c870545713185687560b

SHA256
b7f1b395ac034d4255dfe8a7651c58eee713687b2c25dd93a3004061885254d5

SHA512
329b1d7bffd68c5a6db00fda7258f5611d2834edd1098f1ce15b444ee57a6f8dfd50fc91be038886eeb45ea7c9a3303a5239783931631eb98d1a0f7fd6c7cce7

Download Submit
C:\Users\Admin\Downloads\UnlockBackup.vstm

Filesize
1.3MB

MD5
7f4305f1d60e0db564aa6bb87fe63935

SHA1
1cb3964e0af644fd071b547501b001bec3fb86e6

SHA256
57b9c95d4bb771b6760874954667391edeb17fa0930f4051dcfd39bc6533491b

SHA512
d4d6ca6004847fecc0da75a961f80c55d08902a4ccabcecadcbe928249883a6bffe1caafb9b11ee48efdc3ecf9a6bf33778562c918d562905282981a44d0c513

Download Submit
C:\Users\Admin\Downloads\UnlockCompress.dib

Filesize
1.1MB

MD5
b22ce6b96acdddb313ddaba72f4fdfce

SHA1
ce64c44636c6367f1889548c12d46a4ae98f9eae

SHA256
19789016b92bc4e9091b7fc93fadb631dc998bf1bffd1c3b4a0e6274e73ea49f

SHA512
03764310936e26998bfb1d64c6b582b56f8da9ee811b9f393b5f41f44f1e962f906236e6960373317cbedb7fc2303518256cde5900fb5ca691fcfa8dfc4f32fa

Download Submit
C:\Users\Admin\Downloads\UnlockFind.otf

Filesize
909KB

MD5
d4a4bd2b0a093b200c7628142c179738

SHA1
aaea46145094a20fa017e8b3bf1d8937f8f11554

SHA256
b268d458b0b0917a053cc325fa6b1ca907091462c4849a8633b0d01a244c1dff

SHA512
8109323eb7552948407ffae473393ec730cda377d95fd0daafd6bedf27f3fdff6c228049bb57807fec4d9114a02e88e48e723fcaee2d4ebc466ec48e79adb3a5

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
27438940e90bb13d42de20df37fa3880

SHA1
4708c17ab8085bb738693c37e02dbca237812a63

SHA256
f738e20c0e1810a8b112fc170a18137f26f8ac97a1f6a0da8d8cf350ba40a87c

SHA512
13b09e3abe33dc3c4857ce329ea963cfe441da8f18ebbc5653d71989e1198fabeec0ea9699b17546137f4406f2a04e9bea26f72f2902c2707b8e3a5db38760c4

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
efbb9ea4f87b538bf3839bc9989fa658

SHA1
c6e644d3760b9e7041cc0e26ed18eef5c1c665ba

SHA256
9e62f95eb36860acbf0f2fde5bb23ebd5f545370354c23d0e9b48fe81b00abde

SHA512
bc724d49d98172aef7c119cdb2a9a6309a979ebba634b21f79fa607646a0013dcd1a19268734aa84e58b85050394aee1ce92d93d90f33ce87aefb67a04d88c3a

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
3565ba20a2c68b6c1f7b7e1d9aeb886f

SHA1
a56b20dcd9bd5c469f6639924663cf045500add8

SHA256
f8259b98a8da12dce877f2417cfa69f98021ad614a7a33e14722dedf27f2ecc0

SHA512
b38404a8c312940b8bb6a98ca6c37e5e3eb3d012e826ba1b7423fc3f04c40ee5455a16e397a2e543e4e12f4c89db1eebbd7c5d6d168d1dc1a9ce41759bf0b58f

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
fcefb66f7abe70ca156d2c48d477619b

SHA1
dd85d201f0e7d346016e7834f47eb70970d40040

SHA256
234c692d59d8cfce9d66b474f212673f6453accf534f3db20313e88f0dd787b2

SHA512
c20930889a46d620e70b4005e42a73d2ed073b61f2715c8007828521820bd3ed3664a8eab529a951ac8fe595947272915fcf60a4aa714d43ef70f9a2f4605c96

Download Submit
memory/2016-199-0x00000000040C0000-0x00000000040D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads