b9dcfa849b5ce3e96e715144476547b64d92b6cd3e25fd588aecb846de666cdd

Analysis

max time kernel
131s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.one
Size

2.8MB
MD5

04a5d6ec984ec8792a2fd7a99fcfb8e1
SHA1

b48365d8824be054acf1476eda12c31749711980
SHA256

b9dcfa849b5ce3e96e715144476547b64d92b6cd3e25fd588aecb846de666cdd
SHA512

fd8636f3793acfe002d61a68ffa200db527e91beab20457c9e6560c8527a3000c80174e045ac47365e14c1a5dca2851c554d39f13e4cac9ab51684d52e164a9f
SSDEEP

49152:x9/jsOOTLCTFQq5iNZ4KS5WPvwaqX/nREYVoB5JSHawNxs:orTLmIp+/nREYKdD

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process	4900	4460	msiexec.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	664	rundll32.exe	62

Blocklisted process makes network request 4 IoCs

flow	pid	Process
54	4344	WScript.exe
57	4344	WScript.exe
72	4340	powershell.exe
74	4340	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	aipackagechainer.exe

Executes dropped EXE 1 IoCs

pid	Process
2144	aipackagechainer.exe

Loads dropped DLL 7 IoCs

pid	Process
3684	MsiExec.exe
3684	MsiExec.exe
3684	MsiExec.exe
3684	MsiExec.exe
3684	MsiExec.exe
3684	MsiExec.exe
3684	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5FB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6255.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64D7.tmp	msiexec.exe
File created	C:\Windows\Installer\e575f0b.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F2B0DF6-4010-4F62-BA54-CAFC72ACC942}	msiexec.exe
File created	C:\Windows\Installer\e575f08.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B06.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e575f08.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6459.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69EC.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000036d9561f42561000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000036d95610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900036d9561000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000036d956100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000036d956100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	aipackagechainer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4460	ONENOTE.EXE
4460	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4668	msiexec.exe
4668	msiexec.exe
4340	powershell.exe
4340	powershell.exe
4372	powershell.exe
4800	powershell.exe
4372	powershell.exe
4800	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4900	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4900	msiexec.exe
Token: SeSecurityPrivilege	4668	msiexec.exe
Token: SeCreateTokenPrivilege	4900	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4900	msiexec.exe
Token: SeLockMemoryPrivilege	4900	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4900	msiexec.exe
Token: SeMachineAccountPrivilege	4900	msiexec.exe
Token: SeTcbPrivilege	4900	msiexec.exe
Token: SeSecurityPrivilege	4900	msiexec.exe
Token: SeTakeOwnershipPrivilege	4900	msiexec.exe
Token: SeLoadDriverPrivilege	4900	msiexec.exe
Token: SeSystemProfilePrivilege	4900	msiexec.exe
Token: SeSystemtimePrivilege	4900	msiexec.exe
Token: SeProfSingleProcessPrivilege	4900	msiexec.exe
Token: SeIncBasePriorityPrivilege	4900	msiexec.exe
Token: SeCreatePagefilePrivilege	4900	msiexec.exe
Token: SeCreatePermanentPrivilege	4900	msiexec.exe
Token: SeBackupPrivilege	4900	msiexec.exe
Token: SeRestorePrivilege	4900	msiexec.exe
Token: SeShutdownPrivilege	4900	msiexec.exe
Token: SeDebugPrivilege	4900	msiexec.exe
Token: SeAuditPrivilege	4900	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4900	msiexec.exe
Token: SeChangeNotifyPrivilege	4900	msiexec.exe
Token: SeRemoteShutdownPrivilege	4900	msiexec.exe
Token: SeUndockPrivilege	4900	msiexec.exe
Token: SeSyncAgentPrivilege	4900	msiexec.exe
Token: SeEnableDelegationPrivilege	4900	msiexec.exe
Token: SeManageVolumePrivilege	4900	msiexec.exe
Token: SeImpersonatePrivilege	4900	msiexec.exe
Token: SeCreateGlobalPrivilege	4900	msiexec.exe
Token: SeBackupPrivilege	3756	vssvc.exe
Token: SeRestorePrivilege	3756	vssvc.exe
Token: SeAuditPrivilege	3756	vssvc.exe
Token: SeBackupPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe
Token: SeTakeOwnershipPrivilege	4668	msiexec.exe
Token: SeRestorePrivilege	4668	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4900	msiexec.exe
4900	msiexec.exe
2144	aipackagechainer.exe
2144	aipackagechainer.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE
4460	ONENOTE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 4900	4460	ONENOTE.EXE	90
PID 4460 wrote to memory of 4900	4460	ONENOTE.EXE	90
PID 4668 wrote to memory of 3736	4668	msiexec.exe	96
PID 4668 wrote to memory of 3736	4668	msiexec.exe	96
PID 4668 wrote to memory of 3684	4668	msiexec.exe	98
PID 4668 wrote to memory of 3684	4668	msiexec.exe	98
PID 4668 wrote to memory of 3684	4668	msiexec.exe	98
PID 4668 wrote to memory of 2144	4668	msiexec.exe	99
PID 4668 wrote to memory of 2144	4668	msiexec.exe	99
PID 4668 wrote to memory of 2144	4668	msiexec.exe	99
PID 2144 wrote to memory of 4344	2144	aipackagechainer.exe	100
PID 2144 wrote to memory of 4344	2144	aipackagechainer.exe	100
PID 2144 wrote to memory of 4344	2144	aipackagechainer.exe	100
PID 2144 wrote to memory of 4340	2144	aipackagechainer.exe	102
PID 2144 wrote to memory of 4340	2144	aipackagechainer.exe	102
PID 2144 wrote to memory of 4340	2144	aipackagechainer.exe	102
PID 4340 wrote to memory of 4372	4340	powershell.exe	104
PID 4340 wrote to memory of 4372	4340	powershell.exe	104
PID 4340 wrote to memory of 4372	4340	powershell.exe	104
PID 4340 wrote to memory of 4800	4340	powershell.exe	106
PID 4340 wrote to memory of 4800	4340	powershell.exe	106
PID 4340 wrote to memory of 4800	4340	powershell.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\1.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{0889552F-5F9D-45A0-B491-B2673ECB3B11}\NT\0\3.msi"
  2⤵
  - Process spawned unexpected child process
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2F766A0BBBBA3CB19B3FD29931046D35
  2⤵
  - Loads dropped DLL
  PID:3684
- C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\aipackagechainer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\1\603201.wsf"
    3⤵
    - Blocklisted process makes network request
    PID:4344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_BD35.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\aipackagechainer.exe' -retry_count 10"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\aBwFudPLMOx.tmp,Motd
1⤵
- Process spawned unexpected child process
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575f0a.rbs

Filesize
9KB

MD5
ef3e1e9e6f6c04e990bfba8951337d12

SHA1
d92a9af8fa09fcd05f2c6d90d5a711dc55fcdac7

SHA256
40e0b1afa4d118be25ee45b4029770f0c1017f6c57f064ae91a8517b8d1e1698

SHA512
7656082dd8e2c7bea997060b692bda917769e6b272e14f74f90f17d4da659ecf6f19b294a6d21c31dd9eda4ba3d51a1d9dd180d21ed2a02f3e03cb9c6baffb99

Download Submit
C:\Config.Msi\e575f0c.rbs

Filesize
392B

MD5
ea5ff7e57c9108ea76ca9bcadb52ca19

SHA1
41eff612f3e0e060e4de9ee3f763256c5fd1381b

SHA256
86e7170a4a1b2cfeabd3fedbebc65f47aa5c11a325fdd9ea913cba5b6a0ab2d4

SHA512
03333816566d1bdec62dc83f7470ba6bb5425264d645118a599a89da6513d27dec6c5a337618bcfd1ce37b5189729039a3f9f036564178df16bafed8f2c61706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

Filesize
70KB

MD5
b5bb2cede3bcf84d1eb9fa003e18097e

SHA1
6090bc9594d7ac8fc0430e55bd963f704946c10f

SHA256
33cf7f76de3c18dae7d6c9aff7aff3f394151ef55812b68c2152fb2e7921720a

SHA512
f38eafa198cffb9dd4c349d11f659ccf0222ac7cf86715f3b74a79ce31c0ae360620e35d40c8453775d7cd22ac4ebff11cc1a2c8203286f6308e915090a5d97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
1KB

MD5
df42de22f39ea1917a34e802b16af206

SHA1
291993e10df2db8585729e11ffad7c719cb087cc

SHA256
c062af67778bb2b7893e871b16898014a907ba82fb3e3765fb954ab217775c89

SHA512
c6bc8f3857411b57506431928b4c4eb52ed6a20c3af271ee5889a2e89deb25111c497b5ef60475145feb929d23fda9fa716284fbde233f6f34e2f9bc33869dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

Filesize
276B

MD5
c1dfd596b0bfc3ffd047d155ccf3b5b3

SHA1
d17e4dab7fa5f7e241dbadab4273a37b9478768a

SHA256
04a5e1fdb2e82b9346254eaa2cf5201308948a0c1f7be997791011e8999108e0

SHA512
65763868fe78d55bd4a1da79143e5cc6262bae79937d2f2a73b83b61509dbc0e38f43dee34732f8263f6d793823ec2310aec92e48871aed4caa2a443381d055c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
4KB

MD5
8aad8a45f3aa9a41a09e5da3ebccca11

SHA1
07164513df37f6e0f1ac471e7947976d4cac70d9

SHA256
e578e4bb5726e5d0d3542c986ded781384489b842a0b71f33e0cd27a51e54956

SHA512
bacda28d229a81f54dd4bdd8b62597196cd949875a675a10696e413719ab4e5e16ada9d28b9b125d64dda06c0702c6df4cc4ff3ea15e8b66582d3d190bcfa397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BP.bin

Filesize
2.7MB

MD5
43b3f50bf3ce55ab5070af36d5ec665c

SHA1
f45ee884ef27a84bf2922640a4203d8a529d61ef

SHA256
ad7fdfbdeeeabf9d4b838ec13ef2c910c5d2ee3ecae434319e1567c2ef1f40ba

SHA512
e77ce945c33923e13694ff23353b7360e9ce2acec04333fc55e3fd0e47b1709f8d1709880e1394fe0bb19fbc8cad2312e02ae886a3ee1f0e0f20eb0fce5c910a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_BD35.ps1

Filesize
22KB

MD5
e1031ce77dde7a368159a9dd0ed7e6d4

SHA1
916b6d3ce889af580ede3042312b2b3b90b22ba7

SHA256
35fb99c59c455149681bf4f4ee45db416d45488a7451ac353b0758ab5793d0dc

SHA512
b1b873c1b38fd60c80a352174ee62de966d816c7b9fecb74994dbfdf7a2b0963ff823330385114208a70e41ce3296c766777fa8832b5163a5ae689e4823787e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{0889552F-5F9D-45A0-B491-B2673ECB3B11}\NT\0\3.msi

Filesize
2.7MB

MD5
43b3f50bf3ce55ab5070af36d5ec665c

SHA1
f45ee884ef27a84bf2922640a4203d8a529d61ef

SHA256
ad7fdfbdeeeabf9d4b838ec13ef2c910c5d2ee3ecae434319e1567c2ef1f40ba

SHA512
e77ce945c33923e13694ff23353b7360e9ce2acec04333fc55e3fd0e47b1709f8d1709880e1394fe0bb19fbc8cad2312e02ae886a3ee1f0e0f20eb0fce5c910a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_owsabx3p.d4p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\1\603201.wsf

Filesize
94KB

MD5
8dc113907b557a684ca63639fb10084d

SHA1
7e97e90a3ac0ecf2d4f9c57cf10f1ded47e44182

SHA256
21a6721f308b5c7f021e7a2a2a3368d2acf758f00a721fd95d1124b1559c72e9

SHA512
bcd77403b24492bacee7c251e20407bb73c431c95b9f086bd67ed57bac8abef2aee5cdaadf2fee003e19b65955bf3f6e608fa97bb16a48885825f5a5bd2f2017

Download Submit
C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\aipackagechainer.exe

Filesize
871KB

MD5
9c56fa0aafd93cab6bd9c1d81353cc92

SHA1
0beef69d227a90a980e7583b0e0d17520826add6

SHA256
0861d3f77cecd494022492c36106ac9383bac27e29942191acf80f900ea9b2b5

SHA512
4be2734474b29c8f8a51073eaf3d2eef9bcb1f29bfa52289455f5e88d5643c421607adc4fe68b714e5af2dda6d23f2413520b8166388a75e82a0e45230ed4dd6

Download Submit
C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\aipackagechainer.exe

Filesize
871KB

MD5
9c56fa0aafd93cab6bd9c1d81353cc92

SHA1
0beef69d227a90a980e7583b0e0d17520826add6

SHA256
0861d3f77cecd494022492c36106ac9383bac27e29942191acf80f900ea9b2b5

SHA512
4be2734474b29c8f8a51073eaf3d2eef9bcb1f29bfa52289455f5e88d5643c421607adc4fe68b714e5af2dda6d23f2413520b8166388a75e82a0e45230ed4dd6

Download Submit
C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\aipackagechainer.ini

Filesize
1KB

MD5
65032c61c93b606ea37fa79d51161d05

SHA1
c522d1a4e7b0615a51606d2e35f4bf69e4db8847

SHA256
ddeda122551b16dcfaa6316b69b143a87dc14dc57c37f588483d1c9aafe807b3

SHA512
b311b6c3da20e361986da67fbbe6c7605da4948ffdf2e98bbd2d96cf400a95ab2d335be39de6674961af492900750c4779a361896b04bdb25d5540b1fb7fb01f

Download Submit
C:\Users\Admin\AppData\Roaming\Azure\Microsoft Azure\prerequisites\file_deleter.ps1

Filesize
22KB

MD5
e1031ce77dde7a368159a9dd0ed7e6d4

SHA1
916b6d3ce889af580ede3042312b2b3b90b22ba7

SHA256
35fb99c59c455149681bf4f4ee45db416d45488a7451ac353b0758ab5793d0dc

SHA512
b1b873c1b38fd60c80a352174ee62de966d816c7b9fecb74994dbfdf7a2b0963ff823330385114208a70e41ce3296c766777fa8832b5163a5ae689e4823787e9

Download Submit
C:\Windows\Installer\MSI5FB4.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI5FB4.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI6255.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI6255.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI6459.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI6459.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI6459.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI64D7.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI64D7.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI65C3.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI65C3.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI66AE.tmp

Filesize
709KB

MD5
130a4e28b3349aff8a444f6fcebbac91

SHA1
fee5efe0a1b9aea337e607f417bb091c3017537b

SHA256
750bf3e65d692ff255620c5b8d7c951d93d3deb65586ebb5a3e3b7ba2de10e39

SHA512
1564306e22db0000a78076e6811f0e4f9ca31c7fea95e1070a6ce422c408863810a2f55376b8db1aec2512e23d926d5d61ac280d4babc31c52dd645440ef510a

Download Submit
C:\Windows\Installer\MSI66AE.tmp

Filesize
709KB

MD5
130a4e28b3349aff8a444f6fcebbac91

SHA1
fee5efe0a1b9aea337e607f417bb091c3017537b

SHA256
750bf3e65d692ff255620c5b8d7c951d93d3deb65586ebb5a3e3b7ba2de10e39

SHA512
1564306e22db0000a78076e6811f0e4f9ca31c7fea95e1070a6ce422c408863810a2f55376b8db1aec2512e23d926d5d61ac280d4babc31c52dd645440ef510a

Download Submit
C:\Windows\Installer\MSI69EC.tmp

Filesize
709KB

MD5
130a4e28b3349aff8a444f6fcebbac91

SHA1
fee5efe0a1b9aea337e607f417bb091c3017537b

SHA256
750bf3e65d692ff255620c5b8d7c951d93d3deb65586ebb5a3e3b7ba2de10e39

SHA512
1564306e22db0000a78076e6811f0e4f9ca31c7fea95e1070a6ce422c408863810a2f55376b8db1aec2512e23d926d5d61ac280d4babc31c52dd645440ef510a

Download Submit
C:\Windows\Installer\MSI69EC.tmp

Filesize
709KB

MD5
130a4e28b3349aff8a444f6fcebbac91

SHA1
fee5efe0a1b9aea337e607f417bb091c3017537b

SHA256
750bf3e65d692ff255620c5b8d7c951d93d3deb65586ebb5a3e3b7ba2de10e39

SHA512
1564306e22db0000a78076e6811f0e4f9ca31c7fea95e1070a6ce422c408863810a2f55376b8db1aec2512e23d926d5d61ac280d4babc31c52dd645440ef510a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
b2cb3bcc01b37bd1cb2dda81e3a00f7e

SHA1
99651b7ed84a402cd166d7e9cfac9d7749133b72

SHA256
d8a5ea252df497af1cce243225a69691997c11ff80780f29d7eb4cee0dde8498

SHA512
0712f243bcb20e0671ad0dc3ddd1b72a3a99f0530942f254a37896b00f63224eec76f19cacaa6564273ed73ef4fd40637bc8586cda1f7b30894a3c688c1fa886

Download Submit
\??\Volume{61956d03-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{495b457a-c0f8-4c82-8401-692e91f152c1}_OnDiskSnapshotProp

Filesize
5KB

MD5
a806979c4f16d7077b91426f2ebc93df

SHA1
0e0d13fb120c1315083d382151d1bfe02a73786c

SHA256
a52aaf8558987a95b7bd9df9311a8fc357e2e5be0133f094e46d0740896597ef

SHA512
1c47c38851a1d6624cdc1bdc28ae7cc4c91adf25aeb3bd250bab6399210859e7a9cfdbce45fc92c4fb940798c2318b4899ea52d826bd681044068c4019877c3a

Download Submit
memory/4340-303-0x0000000005370000-0x0000000005998000-memory.dmp

Filesize
6.2MB

Download
memory/4340-305-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4340-334-0x0000000007350000-0x000000000737C000-memory.dmp

Filesize
176KB

Download
memory/4340-318-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/4340-302-0x0000000004C90000-0x0000000004CC6000-memory.dmp

Filesize
216KB

Download
memory/4340-356-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4340-304-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4340-308-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/4340-306-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/4340-307-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/4372-353-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/4372-361-0x0000000006640000-0x00000000066D6000-memory.dmp

Filesize
600KB

Download
memory/4372-362-0x0000000006360000-0x000000000637A000-memory.dmp

Filesize
104KB

Download
memory/4372-354-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/4372-364-0x0000000006CF0000-0x0000000007294000-memory.dmp

Filesize
5.6MB

Download
memory/4460-135-0x00007FFAD4910000-0x00007FFAD4920000-memory.dmp

Filesize
64KB

Download
memory/4460-138-0x00007FFAD2190000-0x00007FFAD21A0000-memory.dmp

Filesize
64KB

Download
memory/4460-136-0x00007FFAD4910000-0x00007FFAD4920000-memory.dmp

Filesize
64KB

Download
memory/4460-133-0x00007FFAD4910000-0x00007FFAD4920000-memory.dmp

Filesize
64KB

Download
memory/4460-137-0x00007FFAD4910000-0x00007FFAD4920000-memory.dmp

Filesize
64KB

Download
memory/4460-139-0x00007FFAD2190000-0x00007FFAD21A0000-memory.dmp

Filesize
64KB

Download
memory/4460-134-0x00007FFAD4910000-0x00007FFAD4920000-memory.dmp

Filesize
64KB

Download
memory/4800-355-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/4800-360-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/4800-363-0x0000000007080000-0x00000000070A2000-memory.dmp

Filesize
136KB

Download