Analysis
-
max time kernel
1800s -
max time network
1805s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
23/02/2024, 11:33
Static task
static1
Behavioral task
behavioral1
Sample
BedrockLauncherSetup.exe
Resource
win10v2004-20240221-en
General
-
Target
BedrockLauncherSetup.exe
-
Size
42.2MB
-
MD5
e23f5ebb6e7cdd27ee2bcb948528464c
-
SHA1
0b521cdccc28b5a29ec6c740feadb6b43560113d
-
SHA256
ca740321cef658dd9854d4c514522d96ca115152757f734a631e48031e21692a
-
SHA512
d3da956fed61562c5c826a8451a37af3fca15c89ff6e25f7e21eaf51a03ff43c939127586a24f91c7e68c3ec84c7b04f9024d0d7da4d5f3464dfc02588463353
-
SSDEEP
786432:XZOKhWoD9Q3LdkE4huMWJ7pegGWgKJ6LiAEYoebh/6BO8J5YNHVE+J:XwKh38KAMtgmlOuhzPVDJ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation OneDriveSetup.exe Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation StartBedrockLauncher.exe Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation BedrockLauncher.exe -
Executes dropped EXE 6 IoCs
pid Process 4260 OneDriveSetup.exe 4832 OneDriveSetup.exe 3340 FileSyncConfig.exe 2456 OneDrive.exe 4384 StartBedrockLauncher.exe 3904 BedrockLauncher.exe -
Loads dropped DLL 40 IoCs
pid Process 3340 FileSyncConfig.exe 3340 FileSyncConfig.exe 3340 FileSyncConfig.exe 3340 FileSyncConfig.exe 3340 FileSyncConfig.exe 3340 FileSyncConfig.exe 3340 FileSyncConfig.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 3904 BedrockLauncher.exe -
Modifies system executable filetype association 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDrive.exe -
Registers COM server for autorun 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32 OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\WOW6432NODE\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\INPROCSERVER32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\WOW6432NODE\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\"" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\WOW6432NODE\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LOCALSERVER32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32 OneDriveSetup.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" OneDriveSetup.exe -
Checks for any installed AV software in registry 1 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast DeviceCensus.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast DeviceCensus.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast DeviceCensus.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast DeviceCensus.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast DeviceCensus.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast DeviceCensus.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast DeviceCensus.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast DeviceCensus.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry 2 TTPs 6 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName OneDriveSetup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer OneDrive.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName OneDrive.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer OneDriveSetup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName OneDriveSetup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer OneDriveSetup.exe -
Drops file in System32 directory 35 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx DeviceCensus.exe File opened for modification C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db OfficeClickToRun.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx DeviceCensus.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val DeviceCensus.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal OfficeClickToRun.exe File opened for modification C:\Windows\System32\services.msc mmc.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache DeviceCensus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 30 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DeviceCensus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DeviceCensus.exe -
Checks processor information in registry 2 TTPs 41 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status DeviceCensus.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString DeviceCensus.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 OneDrive.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString DeviceCensus.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier DeviceCensus.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OneDrive.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier DeviceCensus.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz DeviceCensus.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString OfficeClickToRun.exe -
Enumerates system info in registry 2 TTPs 49 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct DeviceCensus.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU DeviceCensus.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion DeviceCensus.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS DeviceCensus.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily DeviceCensus.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion DeviceCensus.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily DeviceCensus.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion DeviceCensus.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct DeviceCensus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion DeviceCensus.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\IESettingSync OneDrive.exe Set value (int) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION OneDrive.exe Set value (int) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" OneDriveSetup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION OneDriveSetup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch OneDrive.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring|\"M9cDq0sMvqdhz5fs5dpIDGKls0nGPa2/MFdckOhu6+w=\"" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133531622292212195" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib\Version = "1.0" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\ = "IFileSyncClient11" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\FileSyncClient.FileSyncClient\CLSID OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1\ = "SyncEngineStorageProviderHandlerProxy Class" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024} OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback" OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\OOBEREQUESTHANDLER.OOBEREQUESTHANDLER.1\CLSID OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\FileSyncClient.AutoPlayHandler\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ = "IFileSyncClient7" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 OneDrive.exe Key deleted \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\ProgID\ = "NucleusNativeMessaging.NucleusNativeMessaging.1" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\ = "ShareHandler Class" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\ = "ToastActivator Class" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1672 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid Process 3772 vlc.exe 4216 OneDrive.exe 2456 OneDrive.exe 2012 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 2280 taskmgr.exe 3772 vlc.exe 4516 OpenWith.exe 2200 taskmgr.exe -
Suspicious behavior: LoadsDriver 10 IoCs
pid Process 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 664 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3324 chrome.exe 3324 chrome.exe 3324 chrome.exe 3324 chrome.exe 3324 chrome.exe 3324 chrome.exe 3324 chrome.exe 3324 chrome.exe 3324 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2280 taskmgr.exe Token: SeSystemProfilePrivilege 2280 taskmgr.exe Token: SeCreateGlobalPrivilege 2280 taskmgr.exe Token: 33 3268 mmc.exe Token: SeIncBasePriorityPrivilege 3268 mmc.exe Token: 33 3268 mmc.exe Token: SeIncBasePriorityPrivilege 3268 mmc.exe Token: 33 2280 taskmgr.exe Token: SeIncBasePriorityPrivilege 2280 taskmgr.exe Token: SeTcbPrivilege 2840 svchost.exe Token: SeRestorePrivilege 2840 svchost.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe Token: SeCreatePagefilePrivilege 3324 chrome.exe Token: SeShutdownPrivilege 3324 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4348 BedrockLauncherSetup.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe 2280 taskmgr.exe -
Suspicious use of SetWindowsHookEx 37 IoCs
pid Process 4896 OfficeClickToRun.exe 2804 OfficeClickToRun.exe 3268 mmc.exe 3268 mmc.exe 3268 mmc.exe 3268 mmc.exe 3772 vlc.exe 4216 OneDrive.exe 3200 mspaint.exe 2372 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 4516 OpenWith.exe 2456 OneDrive.exe 2456 OneDrive.exe 2456 OneDrive.exe 3904 BedrockLauncher.exe 2012 explorer.exe 2012 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 3268 2280 taskmgr.exe 106 PID 2280 wrote to memory of 3268 2280 taskmgr.exe 106 PID 4996 wrote to memory of 4224 4996 msedge.exe 118 PID 4996 wrote to memory of 4224 4996 msedge.exe 118 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 2924 4996 msedge.exe 120 PID 4996 wrote to memory of 4348 4996 msedge.exe 119 PID 4996 wrote to memory of 4348 4996 msedge.exe 119 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 PID 4996 wrote to memory of 4684 4996 msedge.exe 121 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BedrockLauncherSetup.exe"C:\Users\Admin\AppData\Local\Temp\BedrockLauncherSetup.exe"1⤵
- Suspicious use of FindShellTrayWindow
PID:4348
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3268
-
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4896
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2804
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\051264e811124f94bd99a7f0420f27b4 /t 5020 /p 32681⤵PID:636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault515dc851h9273h44eehb1b2h30d51947c97f1⤵
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbae7346f8,0x7ffbae734708,0x7ffbae7347182⤵PID:4224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,14994983321342570853,2887816837812713555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵PID:4348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,14994983321342570853,2887816837812713555,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:22⤵PID:2924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,14994983321342570853,2887816837812713555,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:82⤵PID:4684
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2936
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3084
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\w.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1672
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ExpandUninstall.mpe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\system32\dashost.exedashost.exe {4c9bb161-e3a9-494d-89f835261b6f0e7a}2⤵PID:1108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3184 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbae7346f8,0x7ffbae734708,0x7ffbae7347182⤵PID:4836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:22⤵PID:3476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:32⤵PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:82⤵PID:1208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵PID:1204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:12⤵PID:4884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:12⤵PID:828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:12⤵PID:3204
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:516
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3928
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:3324 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbb8a99758,0x7ffbb8a99768,0x7ffbb8a997782⤵PID:3380
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:22⤵PID:4856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:1176
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:4888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4676 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:3708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:3200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:3036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:4468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=244 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:1248
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:4928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2272 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:1616
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3324 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:3492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4008 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:1656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:3060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5476 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:1032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3116 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:3200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:82⤵PID:3208
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6208 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:12⤵PID:4864
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3532
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵PID:1716
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3100
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4216 -
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart2⤵
- Executes dropped EXE
- Checks system information in the registry
PID:4260 -
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Checks system information in the registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:4832 -
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3340
-
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe/updateInstalled /background4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks system information in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2456
-
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D1⤵
- Suspicious use of SetWindowsHookEx
PID:3200
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
PID:2288
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2372
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:4928
-
C:\Windows\system32\dashost.exedashost.exe {7a85202a-e5bc-46d6-987ac1e145081481}2⤵PID:1016
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_win10activator.zip\win10activator.bat" "1⤵PID:3112
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q992⤵PID:1780
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk 3KHY7-WNT83-DGQKR-F7HPR-844BM2⤵PID:2416
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH2⤵PID:536
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk PVMJN-6DFY6-9CCP6-7BKTT-D3WVR2⤵PID:5012
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX2⤵PID:516
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk MH37W-N47XK-V7XM9-C7227-GCQG92⤵PID:1604
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB22⤵PID:4388
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB22⤵PID:3256
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ2⤵PID:4636
-
-
C:\Windows\system32\DeviceCensus.exeC:\Windows\system32\DeviceCensus.exe1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:2352
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\win10activator\win10activator.bat"1⤵PID:2600
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q992⤵PID:2404
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk 3KHY7-WNT83-DGQKR-F7HPR-844BM2⤵PID:5096
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH2⤵PID:2472
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk PVMJN-6DFY6-9CCP6-7BKTT-D3WVR2⤵PID:2416
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX2⤵PID:3832
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk MH37W-N47XK-V7XM9-C7227-GCQG92⤵PID:5092
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB22⤵PID:3976
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB22⤵PID:428
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ2⤵PID:4688
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT432⤵PID:1704
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk DPH2V-TTNVB-4X9Q3-TJR4H-KHJW42⤵PID:4984
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk WNMTR-4C88C-JK8YV-HQ7T2-76DF92⤵PID:2268
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ipk 2F77B-TNFGY-69QQF-B8YKP-D69TJ2⤵PID:3016
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /skms kms.chinancce.com2⤵PID:900
-
-
C:\Windows\system32\cscript.execscript //nologo c:\windows\system32\slmgr.vbs /ato2⤵PID:1200
-
-
C:\Windows\system32\find.exefind /i "successfully"2⤵PID:1704
-
-
C:\Windows\system32\choice.exechoice /n /c YN /m "Do you want to restart your PC now [Y,N]?"2⤵PID:3348
-
-
C:\Windows\system32\DeviceCensus.exeC:\Windows\system32\DeviceCensus.exe1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:4976
-
C:\Windows\system32\DeviceCensus.exeC:\Windows\system32\DeviceCensus.exe1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:616
-
C:\Windows\system32\DeviceCensus.exeC:\Windows\system32\DeviceCensus.exe1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:3712
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal1⤵PID:1916
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal1⤵PID:4448
-
C:\Windows\System32\winver.exe"C:\Windows\System32\winver.exe"1⤵PID:3864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc1⤵PID:2952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DevicesFlow -s DevicePickerUserSvc1⤵PID:1512
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc1⤵PID:1948
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:4712
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc1⤵PID:3212
-
C:\Windows\system32\CredentialEnrollmentManager.exeC:\Windows\system32\CredentialEnrollmentManager.exe1⤵PID:1736
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc1⤵
- Drops file in System32 directory
PID:1584
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:460
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵PID:1236
-
C:\Users\Admin\Desktop\BedrockLauncher\StartBedrockLauncher.exe"C:\Users\Admin\Desktop\BedrockLauncher\StartBedrockLauncher.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4384 -
C:\Users\Admin\Desktop\BedrockLauncher\app\BedrockLauncher.exe"C:\Users\Admin\Desktop\BedrockLauncher\app\BedrockLauncher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3904 -
C:\Windows\explorer.exe"explorer.exe" C:\Users\Admin\AppData\Roaming\.minecraft_bedrock\installations\Latest Release\packageData3⤵PID:1972
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2012
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:2200
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\CarJem_Generations\BedrockLauncher_Url_mj1roedl04f02hckqgobxuxm2215kcic\2023.4.30.195\rnjt2kgi.newcfg
Filesize778B
MD512dc94768232eb197348ebfba7270b87
SHA100d9a6efd1e2eab4df2e854d447772693a9b6b15
SHA25624f5f3c85b2091ccef597d51aca5e83c84fc49b13f7d6c612c71d37f861c518e
SHA5120b8d1ce5b5c19ca513ce961022d676db139faeb8a3de981c6ba698f87c5bdf5923bd5da24215aec3aea51a056716987dcf219ece6675a3bcf262c777c89688a4
-
C:\Users\Admin\AppData\Local\CarJem_Generations\BedrockLauncher_Url_mj1roedl04f02hckqgobxuxm2215kcic\2023.4.30.195\user.config
Filesize778B
MD5e6024554eab63c31826942f1f5e74c10
SHA1b5451632d5c4c12571e9a93144de1e83c3d8a55e
SHA256396830126f73dfb58e9a4ac3e7543ac4763efb02851bbc68cf00f4b796777494
SHA512335a540aaf637474f946ffd95e79347b85e73f20acba1ef3115a89a823af43c720f903df1dc1a74f5a3e1f2e9e8d6fff4f2c2a2e3eff4f20fa34f3f77a6ea01d
-
Filesize
16KB
MD5b218015593f18d900f49a2fbc08a53cc
SHA1312eea1169f88d6d1bbd060b8a78d1bf6916ce9b
SHA256d2c9325e72757430bb43d30b12d4cfd966f9c27e5723319c93a490757c21794f
SHA512fc06d50ceb11cd45ae1c7d864338a332ee6d1bb3d7b79c6c19c2f21d2014ea68fc81eb783839e89eccfd8e9e791e83547c5329d683ff189f6cadc83848feeba8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9943c64f-8281-447a-8b6f-25106f70fbd6.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
504B
MD5de4a305c28904e09b9f96b4783242ed2
SHA13e3152e234442a918b98f4efb587251135a496fd
SHA2566e190b955c4cedc04dca8e35fc3caae5145c615c0ddb71297a0b8cc7c13be594
SHA512a7cb4c70ad9b9ecff78cb74b7744c26e6e82f8fe871f0a247b3b593fc3ebe451222805a6d286f6e959bff64e0b92eff799142f79b6a07aa4999697813ec4ec89
-
Filesize
1KB
MD52037e3864b2501c978691791ae7b07ed
SHA15fa0a131fba038dab2a16808ffee853a0dbcb16d
SHA2564ddd956b8df6d5cbfb87d6c6b35e3eb7eb727757229254b9eca9dfff62853803
SHA51276051d5ab3d65b62742ccfb2c672e1008d3115292960e3fb9cc11d73c3f5daf245f74f85edebefd5b198a7f9a388775ec5420308ab91ecfcc221866dcdad2469
-
Filesize
5KB
MD50c22b990295e66164ef2aed7131cf458
SHA166e4036b1e6bedbedcc79a695c89d665ca99f3b7
SHA256c8fd40e3a6c44765887e213d1da2a62df0a290122529da75a5710db2d90263f8
SHA5124d32e102ec062356247f8fa412cf76e788278b3cc1fc3faa1fd858451d76f5c683efeb2fd8501506334cbb3ebdae19e0b79be469d985228878febd028771cb05
-
Filesize
371B
MD51f8719d55d1c75e296fc9d115e5a159e
SHA12fa8afc92470b74338e243ba2bd4c80006a56cb9
SHA256d43611cef101684068f1379f8d872854e2d173f342c5a8cb9eb9418bdf060141
SHA512d78054d65332ec2fc8b199df4c00418887c1115861bb40ba6fd10cae3bcf7a9f598ff80cf43a070c58e971a23a2e75c9d7f96da04374f125d57bab38ab57b529
-
Filesize
1KB
MD58fa8d1a939b772a748462d3f90f478f9
SHA154dfa707c66d37a7438b5ae619a94340a7a789d5
SHA256843a451ef2eae41837210b3c784b6161a21ab919e6c899a62e8b77e10cf782d1
SHA512e062baad79311e88af85d90014e584fcf95ecba25a87e26cf9038471b8cfa02b80709cf9db67cee7fa4aaf212ed6381e3b8fae6175dd0b8ed49bee527cba45b2
-
Filesize
6KB
MD5a97facb01e07071a5c4920dd106459c3
SHA176bbd32adcc66b4b9f7941183449d67d058f43e0
SHA25660cf1fac12b0ee697799852a36ea1c2b1c3ccffb0849257199aba47b8cd7be43
SHA512eafa7d95f41da0bb536578b5fb7a8aabd58171a6febfac4ffdb2572431614a97174f5dfc50dc0e68cb42fc8321fe1c41b722497b5d01430bd4c5dce758e952cc
-
Filesize
6KB
MD5329e8c57b564b3df8c506b494b012692
SHA16181964c922c0339177f24f04d23bb7b97d56683
SHA256a42327774c4fa3be84e911f1543921d9abf0c12d5d6a8911cb97737a1cdfb558
SHA5121a634768d7164e6f0807431540b0173b19f5d31fd90c27a3ce22f8b38d54e50587cb845f82e98fd6fd63d01b93b0f138bd602ca18d5314c66326aa02c76de793
-
Filesize
6KB
MD522851f0b22dc403f5c5087a664f14de5
SHA1ea300ebeae4461fc1dc2609048e80f631e87a9c1
SHA256d30751ade271f86478024681a4e00294241c902390003ca6b26a8d9760daf2f2
SHA512e4bf9149367f682b4c5e6cf9a692df1abf899e97f64a1ae62c6c087712cb8b11d73f5b5f65b179efa729559ebbcf920e5b954d605918ce50dab000ab441bbc7f
-
Filesize
7KB
MD5a0329aebbe5003307a8c787753abb399
SHA1d1e53b6918f058870d57e64f2a01a4bc617e6709
SHA2565ff10055320d865948aab89601c4a7d6cb7c8dc424f5cf33b69491133be54ae3
SHA51237e709a2c287a0d5e587f9aa56ca587be140abf216d3efab4c1b6a9da94e97cde1402c955c86f4caa56706f225e1a3fb03e45f32c7fa3dc5d17df70d96231074
-
Filesize
7KB
MD5feacce8b850cae84dd8d2b61a0dbe4cf
SHA14329967cad58803031a499f09088eed53bc72d1e
SHA25646325040fd48013625232c888400af8e09689c3fc3cbffa7f47b1884c7c85595
SHA51233c1aff7467778f80e384eba545f83cd369efcc7b0b10bc5d1ba6d4f9c63f4e9eea1177afec6d3d2a3bc0a4c31ad5c469d134a66183b35bd0902bc7b49dcacbc
-
Filesize
15KB
MD53e433d562c1c255d8ab05c801b78388f
SHA19ca7bf163a1b33c007d15bb04e3de5941c60e575
SHA256fc697c06db97c7b6baaddb5b811f10d444054485085eb0ca6b58d11953176fef
SHA512d49d0aafa310968bdf5aebcdd1a655d42149a9799c29fbf05c9588185516e3557d87f34e6e4dbffc72fa465a5e2011227ed4b7edd5ff1d1a29008a9f517bf01b
-
Filesize
256KB
MD57b8e4c058d1c127685135f4e49e6d307
SHA16e8b30b6c576441064b6550d6ec0174715346289
SHA25635809c393aeb5b0f5e007105d91ebc8ac365f5ee561c58913c29a53b1b8c0f79
SHA5126efe2ad576366cd9d16847df777ef828c6d3cafe5625786aaba8e17cd06fb73af3311138e7aa4f6a13175da040a2dac50795beba7d7dcdc89044544ccf2ff7a5
-
Filesize
256KB
MD553c8d8f7423a4c32911ef4c7ffd36c22
SHA119f5d3896d83e634d22dc90af03c0ff6df78fe17
SHA256c605e473c0d25f25e2411f146ef99153515c34e73c612b3cf91e1fc9538bd83c
SHA51201e949298a327ab29db1e1bb4014de42b7781a9716cbb5a2e14f483624245cec9ffa6464e08b1b89ed7676b4ba6d7b0af720e05214f86865898874f8d0a87537
-
Filesize
100KB
MD5fd8604e4a15f2117c9e87c82b00d4229
SHA1b8e26f9849b01aed0ac9fb22355f974526104e0f
SHA2562efc7b8bb33d678c8fa0d8909ef9efaa4d8bf9bfc6af362e5d21377b8724335a
SHA512596c08caaff6c45b16d13855ac3921237ed5ba68c89701d294fb468c7b6d9c4e0d09857341d7f446a06341bec2bc2a257991ccc35a41975e429cb8c83120b545
-
Filesize
97KB
MD5b23b452b24a46186bfadf7e4f93efbd2
SHA1c7d24729e55a4d99e6296947c899a2b08d3b76cf
SHA256e312a2ad2b96426814e9be46302b89312dcd39edf84ab463b05cf7e2ec832285
SHA5121aaed3618db1eb4474916e2668cd5b0c49096dc9c279cdc033be85f86661fd61c02655533c507fed2db4231504f8d09c748389e15c1e3a1d6c3ffc307c4fa6e7
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
152B
MD57ee1c6757da82ca0a9ae699227f619bc
SHA172dcf8262c6400dcbb5228afcb36795ae1b8001f
SHA25662320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31
SHA512dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f
-
Filesize
152B
MD5d62cefeb0c8fbab806b3b96c7b215c16
SHA1dc36684019f7ac8a632f5401cc3bedd482526ed7
SHA256752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01
SHA5129fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b
-
Filesize
152B
MD52004249c3696d26d03138a0e4475ee4a
SHA1aa7edacc18ed5abc12318d9e3f03dfb1ed1a96c1
SHA25644308f2e0ddf1336826b136581dc83dcf4bae4081be9833fb9317787e0424573
SHA512e691bdbaea8504a6b306d68425998fa67bedfbc6e1a7a1ee18cf670da1251e9a577d82e8a4e3566005579a444488cc288c369e02cf4222e1eb34302983213264
-
Filesize
264KB
MD5019c27a2c7a17b9a1f7faa3d6c2a3da4
SHA1427c085de411421398f7210ec72d2f93afd75d06
SHA2563444465298b8eb96b6e675f81c1363a326643f085cdaca8164a611876381e517
SHA512800ddedaaacf89f5e697f0e46780a15a1a5319616e40a9a2a04c09dd5798cadb2b44ae863feb7caaeab42f5bd8e1eec92fcded5ad039be2a5126f53e5d78d9e5
-
Filesize
331B
MD5adb762ec4e89e016691f91aac122333d
SHA1ef2184c9e7bff75b3c52a0fc9b85bb01659c3ab5
SHA2564e760bcc8bb798ce57a67e0cf541679cd623424d94c8488ce7fb487ca4e70b7f
SHA5125a39857e2f77626a8f71a875dd9d9f7248343ed15d3020007fe5c3a781905560a2f0325ab19c2a96d3085b72b5f79061ac454c91fe1362e79bbb404cd3dd0186
-
Filesize
6KB
MD51f943602155608add5f793d4c52ed605
SHA1c3682ac65a70d0cb86f7428385cf5bbfe1fd81d0
SHA25673d0483cc3da87cdbe097d20c860e984b3b3c58609fbf90c4852c1dead1e90a2
SHA512f946b51892715fd1f4be858e82ecf4247036c0e9732f86e8a3c1f12f1c0f3b5ca175503119f6d50f8e0c37194ad520d77de304174302b405898c4db341effc07
-
Filesize
6KB
MD5b234b064a49dd223eecdd07df3c313e2
SHA1420694e5b081cbaf4f12b7875f779dddd03f890a
SHA25636786b3d07729558f33ab047a81613720bb33e6c46ec1af45f0fae486610e788
SHA512836b5aef1d278cdf3af56ffe0325238735637f3bc149e18f698cfeb2e94909b3633c25a95301ec7cfaf6f404fba6b402faa816cc8ebc6aba7c3a8c9396204c17
-
Filesize
6KB
MD548efa2e632d384b146cbe0c8903ec96a
SHA1d9fdaa8495728161fce479f1a75215e104d15520
SHA25694a7411fdaf87ee46cce91b0c1cf72286449751de5ba403cdd2c633f3745610f
SHA512a7a70d8016edba820cb2c37c41affea7982200f7573ebc479d78f39fe8a4bc3945a2f4e68cf4e2204cd1657b9fdf272e72538d41ec065c0b970162503c117694
-
Filesize
347B
MD5afaa794de37b385f4952b60d3355edbd
SHA1e9065e522bbf99a31ba24956b8d87c8186daf1f4
SHA256d3f88bd8469ab6685e57e6de5438c94d4d76102380ab6580d76818add5f36181
SHA512f6bcc4d8d70bbe2a53c09bd96dcba74ee1ba7e4bf2067f4015de2cb50f52660d73fa3dd51c164d34dfe54b0429ae15779ebd83a04874292f749ce4037af8491c
-
Filesize
323B
MD5cb397e2ce48f347ba7a0a5c81d1743aa
SHA19574f8e71e9d726cfee908d7ce8988ed2cd157f2
SHA256af9c6cfde70f3992f128583d024d15c5084e5727e60c7fd9d5d113a47ab8bad7
SHA5124991c3defacea247a278a823809071d3573c573846e1a37064edc7e32654a26d6c1cc4811183c7d6eae165b665b63ed09333ade4280d5974feaed51117c7503e
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
9KB
MD5bd8f6ab0422b576f22da67a44184e90a
SHA1508e78c99645d892937c00d0eac4947f74667b82
SHA25611f3af8031009c034f7597f69a02c9a721255b00aa5cdbd8006c440990c1b837
SHA5122dda72c38a78bd50cf163a05cfb1c95df408898e8bc988772eb3fc02c955522bfed55549298634e93a6c46b13be41a66e943a970988f020c101c337f79104e8c
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
553KB
MD557bd9bd545af2b0f2ce14a33ca57ece9
SHA115b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1
SHA256a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf
SHA512d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
Filesize1KB
MD572747c27b2f2a08700ece584c576af89
SHA15301ca4813cd5ff2f8457635bc3c8944c1fb9f33
SHA2566f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b
SHA5123e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
Filesize1KB
MD5b83ac69831fd735d5f3811cc214c7c43
SHA15b549067fdd64dcb425b88fabe1b1ca46a9a8124
SHA256cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185
SHA5124b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
Filesize2KB
MD5771bc7583fe704745a763cd3f46d75d2
SHA1e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752
SHA25636a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d
SHA512959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
Filesize2KB
MD509773d7bb374aeec469367708fcfe442
SHA12bfb6905321c0c1fd35e1b1161d2a7663e5203d6
SHA25667d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2
SHA512f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
Filesize6KB
MD5e01cdbbd97eebc41c63a280f65db28e9
SHA11c2657880dd1ea10caf86bd08312cd832a967be1
SHA2565cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f
SHA512ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
Filesize2KB
MD519876b66df75a2c358c37be528f76991
SHA1181cab3db89f416f343bae9699bf868920240c8b
SHA256a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425
SHA51278610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
Filesize3KB
MD58347d6f79f819fcf91e0c9d3791d6861
SHA15591cf408f0adaa3b86a5a30b0112863ec3d6d28
SHA256e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750
SHA5129f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
Filesize3KB
MD5de5ba8348a73164c66750f70f4b59663
SHA11d7a04b74bd36ecac2f5dae6921465fc27812fec
SHA256a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73
SHA51285197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
Filesize4KB
MD5f1c75409c9a1b823e846cc746903e12c
SHA1f0e1f0cf35369544d88d8a2785570f55f6024779
SHA256fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6
SHA512ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
Filesize8KB
MD5adbbeb01272c8d8b14977481108400d6
SHA11cc6868eec36764b249de193f0ce44787ba9dd45
SHA2569250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85
SHA512c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
Filesize2KB
MD557a6876000151c4303f99e9a05ab4265
SHA11a63d3dd2b8bdc0061660d4add5a5b9af0ff0794
SHA2568acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4
SHA512c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
Filesize4KB
MD5d03b7edafe4cb7889418f28af439c9c1
SHA116822a2ab6a15dda520f28472f6eeddb27f81178
SHA256a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665
SHA51259d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
Filesize5KB
MD5a23c55ae34e1b8d81aa34514ea792540
SHA13b539dfb299d00b93525144fd2afd7dd9ba4ccbf
SHA2563df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd
SHA5121423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
Filesize6KB
MD513e6baac125114e87f50c21017b9e010
SHA1561c84f767537d71c901a23a061213cf03b27a58
SHA2563384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e
SHA512673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
Filesize15KB
MD5e593676ee86a6183082112df974a4706
SHA1c4e91440312dea1f89777c2856cb11e45d95fe55
SHA256deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb
SHA51211d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
Filesize783B
MD5f4e9f958ed6436aef6d16ee6868fa657
SHA1b14bc7aaca388f29570825010ebc17ca577b292f
SHA256292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b
SHA512cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
Filesize1018B
MD52c7a9e323a69409f4b13b1c3244074c4
SHA13c77c1b013691fa3bdff5677c3a31b355d3e2205
SHA2568efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2
SHA512087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
Filesize1KB
MD5552b0304f2e25a1283709ad56c4b1a85
SHA192a9d0d795852ec45beae1d08f8327d02de8994e
SHA256262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535
SHA5129559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
Filesize1KB
MD522e17842b11cd1cb17b24aa743a74e67
SHA1f230cb9e5a6cb027e6561fabf11a909aa3ba0207
SHA2569833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42
SHA5128332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
Filesize3KB
MD53c29933ab3beda6803c4b704fba48c53
SHA1056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c
SHA2563a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633
SHA51209408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
Filesize1KB
MD51f156044d43913efd88cad6aa6474d73
SHA11f6bd3e15a4bdb052746cf9840bdc13e7e8eda26
SHA2564e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816
SHA512df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
Filesize2KB
MD509f3f8485e79f57f0a34abd5a67898ca
SHA1e68ae5685d5442c1b7acc567dc0b1939cad5f41a
SHA25669e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3
SHA5120eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
Filesize3KB
MD5ed306d8b1c42995188866a80d6b761de
SHA1eadc119bec9fad65019909e8229584cd6b7e0a2b
SHA2567e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301
SHA512972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
Filesize4KB
MD5d9d00ecb4bb933cdbb0cd1b5d511dcf5
SHA14e41b1eda56c4ebe5534eb49e826289ebff99dd9
SHA25685823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89
SHA5128b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
Filesize11KB
MD5096d0e769212718b8de5237b3427aacc
SHA14b912a0f2192f44824057832d9bb08c1a2c76e72
SHA2569a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef
SHA51299eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
Filesize344B
MD55ae2d05d894d1a55d9a1e4f593c68969
SHA1a983584f58d68552e639601538af960a34fa1da7
SHA256d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c
SHA512152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc
-
Filesize
2.3MB
MD5c2938eb5ff932c2540a1514cc82c197c
SHA12d7da1c3bfa4755ba0efec5317260d239cbb51c3
SHA2565d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665
SHA5125deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441
-
Filesize
2.9MB
MD59cdabfbf75fd35e615c9f85fedafce8a
SHA157b7fc9bf59cf09a9c19ad0ce0a159746554d682
SHA256969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673
SHA512348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236
-
Filesize
4KB
MD57473be9c7899f2a2da99d09c596b2d6d
SHA10f76063651fe45bbc0b5c0532ad87d7dc7dc53ac
SHA256e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3
SHA512a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45
-
Filesize
40.2MB
MD5fb4aa59c92c9b3263eb07e07b91568b5
SHA16071a3e3c4338b90d892a8416b6a92fbfe25bb67
SHA256e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
SHA51260aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace
-
Filesize
38B
MD5cc04d6015cd4395c9b980b280254156e
SHA187b176f1330dc08d4ffabe3f7e77da4121c8e749
SHA256884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e
SHA512d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940
-
Filesize
108B
MD5b754f0ca6e8b1c31b0e81f932440be20
SHA132c99389e134434b20d802220cc56a47b6befd75
SHA2565a466c8338681122ac301426b75dd382fb17646211c45278287313b6639a7738
SHA5128c2ff9ac3fbef3cb50f58d9dd289f82b37c58758d6c911791e1223f9fc593589783f0b447f00ed099041a40b2cddda2ee2aff4dcf2e09fb58ec2ac659d6aaeab
-
Filesize
63KB
MD5e516a60bc980095e8d156b1a99ab5eee
SHA1238e243ffc12d4e012fd020c9822703109b987f6
SHA256543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA5129b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
-
Filesize
77B
MD5699dbae2ae558db67cf398e2cb442655
SHA127a8fb5e33ec8ca527d201f07ab6d3501e1038db
SHA2564d9822ec35b177fbd64abb943506bc81c319f03a8a8903fa1cc7468d695a0885
SHA512982c43063ccd3598b5bb5bb9d113a123b4912810d4f56f226e0ae066d1caac1f1d329483133048720b364363de054329b21d62366e541a73206605e42671ee8f
-
Filesize
726B
MD553244e542ddf6d280a2b03e28f0646b7
SHA1d9925f810a95880c92974549deead18d56f19c37
SHA25636a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA5124aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62
-
Filesize
25.1MB
MD5f567e7c00d81a6db9c1259150f5cb8ca
SHA1e51f9613b46d971e95eba4aa25d5933b3c860952
SHA256f07d6928606f40d2c56c13db2316bbcbdad5e77fa0fc0a1bc1eb6d135877a04b
SHA512728bc4e9ea78d88bfd57de32e611089dd48166cb6946c11994138d48d274d34df02c49f0d755305f15682d7616c58bdd635d0ac842f04887d620698b157445ed
-
Filesize
1KB
MD5c8e6e9b9e1a01843374b2b50aaa17d3e
SHA1cc6a8554d3627703ad5fe33a0cc6649d7ae86270
SHA256b85117e678c391b098af93c44668a11eea837811d6b76c8ae6c8c7dc7d2b4592
SHA512b5ab936231efde0e92e7f62aa129f0eade36ba25bbf4b7cd517b170636352987eb9de66352992a6db19f029e4255a2792e329703e5255727473f85ab870404e9
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
127KB
MD5d3be596263970529eb516cb8669a6358
SHA1cd77f205512a6136c44e0bf068aacb4c6e3c0ee3
SHA256a1565d8c0f0f12005ce65fa889cd9c2d81f38f90bac4c241881c2d7008e0d76c
SHA512f6dab2c034a55fb7ee1e005aa671cff5e800e1f3d920a1cb7b4c83355197107d61835b7b82aff4c6b1f8d0a26b71b6827a10c79a4adc544ffdbb726ce153f6f3
-
Filesize
172KB
MD54017f1ffbb2cf73e62ab07609f51a37a
SHA107683a47e7cf0f1f6bc91d7ddfb16ccae470ba67
SHA25646a85f9bfb2f8b9ec6deb05728a08369e1160b9e4d3ca4305c0ba1df2eec0968
SHA512ede09a728631dee6e7ca61514c12eb7f9430e29a54df96829c7bf741658a6d5c63c4a2273db1b7aecbfa537f0d14658199a531240b71f98be5005305bd7de911
-
Filesize
536B
MD50459cce84092e8fcad8fad21649cc171
SHA13ade443a3c1a08e9c347569e814a07faab6bf832
SHA2568379e49b936b26b363d202bb37c63ec9c1487d092323dc566710c8bb585cb793
SHA512a01174eca7137911998a8868afd033d6dbbc00b9f4a38dbeaa84759416ccce64d8c4528b733ee7ece7b2da1a556b5515dd970a25ffa05f975839714808acc8de
-
Filesize
118KB
MD57438c440e34289e1c4f9e54d523fc03d
SHA18335e18e15d5b5706a2bee1181e2fbae68fedb87
SHA256397d8cf15dd604b6defd7e2413522bf83cc8ea561455ce6ea468324ebee29006
SHA512e9008bd79d4e3c8fe7d1d87b5d1a5c2c264a0a454bd1d82e6eb300750cdf1405c52578aedda240559cee8e5b60058ff8145be8f327f52f5d1b99236ea134c406
-
Filesize
299KB
MD5d153fe1f5b5786e7e38cba604940264c
SHA1c7b84f1b8bf5780fb06233e2c7956f986e788368
SHA256f936b69e0836af72c7598ec4d0d3095cdd37de58ad2ca0b6a9ba7ea4e712f4df
SHA512d838b080a73efb84cddd1439f6a9e29b444acc100975d24904c30f5d98d5125e4e2707f314c920b14a9ca42453c354d5bb576a97100efafc40bc9a7335c972f3
-
Filesize
145KB
MD5eb6e0e3ac1800af0936803ebd6876523
SHA148a9f98dd28450f61c6fbe2652f898ccfb906d9a
SHA25686bd63ff11705097a280face0de372cac0a8da8ba6d13d57ba08b08dbf2c4adc
SHA512f3dcb2ee4ffcf7baa1cf014590b173c82b50a07170ff545f55b5cab7c1e2503c3ade4f57547d7e5464c1082a4e8857a8e79f2093f2244155eb082dd56b5a7250
-
Filesize
281KB
MD5d4037741f76d5de3059d43369b49a4f6
SHA160f8e9a48301eacf802fbe13163f71f49a3c60e4
SHA256f48e5eb40e3f02939f2ba505b5b178ace6acd479ed527fdfa89d79a5d0c52d7b
SHA5125e4cf1998cfd2498a75f5032977a4f356847989933deefad8ade379d3955aba79ac41a27bd3dd75aeb975d9db5a4acdf94af197062c39cbb31490d6e78cdcbce
-
Filesize
245KB
MD5bda9f068476ea9b1e479e61275a24794
SHA11e140510841b5baee2918ac5472d38f8e75dfb53
SHA25614fdbc2cc4a03381129effbbf5a9464a0a737bdc6388b520c2ac8de455a7dcbb
SHA51206d59fb5b3d5936624530e2a58cc7f6540e27fde35d62a11cbbbefac75bf4709b8f454232d95b309c0f5a0df6c4a63ae04858274de02b35908f98dfefa2c9e1d
-
Filesize
136KB
MD55680ddd973fa9f4bd0720a15ef4edd51
SHA1ea6de5aaaac7c28212b4f2341d0d09c25db42b6f
SHA256fb4201e6c04285c0755fd66ae14fc3089f3d6b5b6d1c33f383d76c1ad5eb6547
SHA5121397a2185042d74f7ef3a895960eb364c4c1e2401fef2b8e713d6672104d229fe2771b96294d1dd6fbc9e50d99205968019d2465e4bd2c8a8ad4fd37b8555ab8
-
Filesize
516B
MD50f5a09a40b7ea2b8fba680f5cfd994ce
SHA1befd35fcf3b9519749b79f29af51e635f98bbdac
SHA25639cfe04538ad0ef3cc4da8c917e37f6edff78725caf9d9a983a44abc04da9239
SHA512039ec8d99b4643b9d9ab583ef086eda2f882fe96d4546c19f141f98563c0c0051d51fd42fb34718a6cca5e5925c25074ac71c5f729594c99e117a1eff5468c96
-
Filesize
290KB
MD5d3adcc818084b716a99c8c0b88d46e79
SHA142e45f48371df8bd87efbd018298d5629759b6d2
SHA25605313ea5a53c630d9c96c8c8e54f9cc2139384ef82960b589dd5f089c33effcd
SHA5123bad148f45ad9fe8e314afb8e4b2e77427d4869b243b35d8500aae6bb783e7ae1a31f820d4310bd25dbec436d9ba9e4821d95902853c9e1a39ac2f0ae0c8afa0
-
Filesize
336KB
MD536c2e9906e2fa7a9dc209c1cc68571c5
SHA148a8e3e4900207e44960cc67695feda11dcf295e
SHA25645065757798925477bdb17a9bbfd59b13f6d8de2c8a0d199538fa7280966c6a6
SHA512b83d928ee73ef3e9e91c36d161bf4eee9ad377a1a1bf2efd70e618cadccbe15f8f77de5413afa184dc3be8ef4ed8806db46debe07050ecf4ab78bddef3bbeb26
-
Filesize
318KB
MD54aeaa64a935bddad75241865783034fb
SHA1941c489babae9e793f2b4ecf6685c33f2d460217
SHA256825c5d767804aefbb5c7639ae5b906fa5002e8832a60d95139b99051058afc77
SHA512afc24de2a716525f8eb20f44a4ff7134c81aad9007ead06b4fe771c045aa39b35a8c306732b193614b4076d4244c041c638c21aa1747ffc25161c1f78c8725df
-
Filesize
227KB
MD5414f40a0e3f33ca21d7d4911d99f210d
SHA1a0415f4cb2718e6cc0151e6b3b7649d38eb05b82
SHA256a13a2052a200497e28b9704266fdf334662395b37985abe21064439eb7ecf3d2
SHA512d44550c40476576467bbd58f2b8a2e7db0d4d250c4abbb85cfb087f4331e8d7684d8d053e2d1b39fa9665058f78477070ba87070e4c823d7b82efdd9b736493e
-
Filesize
209KB
MD542eccc0426e90f44b14db909d0a926fe
SHA1a41d8d0a345c3bb9a7c480144309f4e21340ae35
SHA2564cf938210a9b40b903cdea604c80f0fc819a17856549e4879cb44d4cf288a544
SHA512b13a0dc9313fccfffa55a3a4d1df539938636f2251348dbb454fb7d1c669dd6a3edd69d8c0cabe5e7eeb25d1301c9ae0836f6ce704388a798277ab5e2061df6a
-
Filesize
2KB
MD534d0a8b51ca0882df7b32c69a4ff48d8
SHA1311b321e0e755d053f9dedc1dca3b13eae1f7729
SHA25651e76209e2782183a9f3d28a272767655019a5e2e46005cc2f8f9969d198a082
SHA512609cb9c2ab1a3fb824077883d237205467ac5dbdd71480003d76be0adcf84fb80f9b1bc615c3d8b673465386df0a168fdda6c9f4f95274712929c5951386c488
-
Filesize
327KB
MD5c852c77f8735437f42503e73faa41da2
SHA170b4ce02a0d9b9fe03e41114670c466ce61a187c
SHA256d565bf8feb757b73b88b628214603627c22a63c9ddc022b18a9af16432001b73
SHA512e8b65ba7d372fe2abbf895c98e679590511e3849b35721f84657e060b396a4e40e00ccaf5ffdf9b834ef7ac00a89ef078205332e49ed0fcebc88f0aa755a83cd
-
Filesize
199KB
MD500753ffa82ebeaf08854b10b27de2a09
SHA14c083c933ef109c26caae3f61924a69fe1e9c081
SHA256733458460a71de21eddc6ae33a38fab9121ae5177453d6f21db738fe952bef16
SHA512899645132ac7ae2e8b3346a133fe6185099233f9cf0c7da6251267b2a3fd7f6c8e23a8a9f82ca1077f805f07f3d7c419b247cf1c5b960cb99d567975982cf017
-
Filesize
263KB
MD5c0bb2e14529e3fac98076f49a3519a71
SHA1a5981d689ba27f1b2dc7f812a11ca51729d67683
SHA25653d15705f3235f734ada75bef7ebbcd3c64dccd16973f90ed82fba3d96013edf
SHA51243d75635bf0d2a065e9a3e8daddf4aaeb2ce7ee27b4b218a2efcc968d0d426ebaef7c2f5dc8bdec45698fa8a726d0e0005388307a47a3db0d5dc35df7b66dd07
-
Filesize
154KB
MD570ccbddb73b8d9e42ed3eb9e5f3fb4d9
SHA10cf4caff3ce1ab0b7a90545125e2c0bc6a76dcd4
SHA256bdfa113b20087a86cefd464e97cf8da94679be73ea2347d3f029492575b4a1ce
SHA51219a8bdf8db56fb30e39eae9d8ce1eed4397ce560b020386a6bd2e1e48047a1340afcc76f0954aeb01211644ee3ce890a2b737d4a1471c0a8b957d00055c43501
-
Filesize
254KB
MD572571450f83ea77b37bcb31bd9d03800
SHA116e9487841a95db571c8cdc2a8525c5e9828320a
SHA25630954c327ac99060e054867b9072aba66c6803fa98afde31aee4cb43315748a8
SHA51279949f05247462aa5b309fcd99da27a8c445f012529b42af5c2440bb33398198bc6b7d5e754412a0669f63897d2a5c42c28c06a49579f8380c953832553e44db
-
Filesize
181KB
MD572de62f32ff8e59fda5052462de109c5
SHA15e8f7d4860288f04deaca7d6f2d732a3151dc01a
SHA2560d004b53868e7315dcd8eea9b50d1649c6341515af415da48e5bd58f79408631
SHA512f85cc4929562d6dd9739e7f70785e3a7c8787fcfaddc2b32609a5e9edffc7052dca805dea4e1bcb9f16157a47d70d08917b22c39cc055edb754b50aa00a7f41e
-
Filesize
541B
MD5560a52da7492f76a7fdba13e17904fa0
SHA19ffa47763e4e751ccf61cd7bdc0b6528c98f01cc
SHA2566bb98b14ad021e91153b2e92d73b213a6aa66e8955116b72eb5c394281452def
SHA512c3e6676c96fde1f7e15c085f6d94bebcb55f515cada15ab54f0f01d103ac69c32b7c2c92426014c024e0f7c271d8e145dfacc999cafd1df15748fdef5361ef6b
-
Filesize
309KB
MD5baec6525b3ce86c0028057930ce0ed38
SHA166ccad6c58694a9627ee11df8f73c7b7eb886377
SHA2565193a5055c73bc08f3d81491b0c6e3564d85d1df5ed8154c691eca426fd4a7e4
SHA51256f2f9b5b40e784c75943b2aebad69b39488337e1fe91427742057acf764262a64c8fe66d53b3510e8408b6dec65b1b6edfc77081564bcdda7904c0546a346ac
-
Filesize
163KB
MD572a8c73b78eeb3bc842b0d80f17bac0e
SHA1ac25c5b41f1801827af3cc09e1b72fb85bbebe4c
SHA2567a53793e46d00611c444acedf331a7c3fac6cd15b31e82331858406868af0a22
SHA512342a10ae5a1438e3cf7c76269d9d197e20a660ee6bfe226a85b4ea7109d32de4c568016c135b4a677f715b5474d2bfc7e8d31f80f3eb81d53f379b32c6351406
-
Filesize
272KB
MD56ea486f8167636fd629afa885aeeb96b
SHA15d1a8cfb3a41c156e0a096b65fa0511117fa874e
SHA2561ec7f2ad42ad6f50bafda5b23309e9de8e03287c009d1e7177720fa8e63e5ef5
SHA512d1d6fe62619df7ad20b963a7baa6e96768c271b0b5b72f95176e2ff2ddff14efb4b535d8890fac33b3c374e70bb9e3d73dbe358cf2472a27b64a18544197ed87
-
Filesize
236KB
MD5b02205cc8f38419e7c5115d255afc256
SHA1cbfd1572c8a9769055c575930c01869c441d3778
SHA2565d90b4fe411ab3bb4661a59195017959c0462424cb7f0406efba8236d0116ca5
SHA51271df68059a0908a77f6d4fbf3df675416fd304d5ce7800ee4e37bb0968e77f968b24d94a164300ab53a2dbedfabce34d3cd92a5725c4f1996e3de2c63ccbca51
-
Filesize
463KB
MD50f399251ec73a1fe03e356b8b1049762
SHA100a3a34a5bda47719fe6952587b4f33d6cdfa75c
SHA2560c2221d39a5678301b46e019420b51c863c1a65e67de010b1b71a5af712ff458
SHA512a052b8cd304ffd3b47024620b57d8afa0d084de1fe37416e9eaac176d6f4371f6253994e00cb36e338ec7764c835eb35f20c9be743511bfdf9d04a06c5554126
-
Filesize
190KB
MD580d4862cf0306532fdce2c03684dd4f3
SHA188a2fadf11ac7211c3f1d3e767cd0dea55d91104
SHA256337e29eba4ee5f92d7a508b303fc7f835df4df8a885d97daf9763662941153c2
SHA51217d51205968edda0c5c8f29c555ee128feba7e7ef73cdf1db4bfd11c4ede22b9ab779748b55bebd964fcced3442813fd6850831420ae4aff53a9e05db9f4e1f3
-
Filesize
526B
MD5da6101ae0480a7e062ef80ec532ad532
SHA1e22e103a490c626105a38e8f799a9880fe5accdc
SHA2562c93794f0a73edc252ea351eeaa42ffe2094522dc275d8acc5a6df0d4b86c6b2
SHA512f21b39d55c66af0dc5771d1e646ad5cc9bbb48ce8e22e60be1b95264c2d21873e4de7b63857cc261bd6cb331e0b1afe266b35de06f3e78499015abd5ea8b4de3
-
Filesize
218KB
MD5e8434470e78b562d88629629ca6471b7
SHA143aebc47a9c518ab4888f1951de376cc8a34bb34
SHA256ed27ee88f7ca88b41f56e69344ea3b5ffbd78c3299e09270cd72b13283e92a5e
SHA5127cfac26132b097923b662d13fd5d323a8ca51c5284121431f067749afabcca87fae7bc8b3505ec283dacf843fcc5b853fd962567e52ee80c10c4684b97e7aedf
-
Filesize
923B
MD5953aef80fcf55082e1c6df695e1f7dfb
SHA178ed36082c09dbddf19737b60abf335783695163
SHA256f84743df7ea23293907ba7e6cdee1208a7683c04c9500b85e9e7d6b135a8356a
SHA5125f8c8d3eb8d0bc5ff90fb6123e3ec34e9661ea0b3bb0bc75036f5d6992f4127e2ad1070fbe4f30a73b447053116695b7f4be1267c2424f167140cf1a107d0371
-
C:\Windows\System32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal
Filesize12KB
MD53d71fecb16802db72511d30457ecd26d
SHA19c9d59f7c44f7e7f431ae626eb7b5de772e7e6dc
SHA256aaec13a513d5712938c395bc13a6ef8a4290de6bd3bd6b58f0a13e20ddca60ef
SHA5124d1696878bc5675ea74cf345805cb591fbf75cb384fafc1d51bccecafb0c3daac38592376c6569ec1a9f985776d57d2a2a1e44efbbecdf2d932ced1f2f7ace2c