8cfe620c739729eb82839dffb37a67213b8f4aa2ba480a9dd8fd6b0f02e5d360

Analysis

max time kernel
114s
max time network
205s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22-04-2024 13:42

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-22T14:08:23Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_9-dirty.qcow2\"}"

Report Analysis Logs

General

Target

Fluorocarbomorpholide.exe
Size

249KB
MD5

5a3a24e9f5cb29cc1c5dbfea45ee6286
SHA1

7631d6d2e0464b7555b35aae09c4f77a73306722
SHA256

23289377de8b747b51dff08fd6321714fd834d2bd3d2b8845eee228e073b1e60
SHA512

c9fc63bc585511c1fe33c67471394a6ba540567e3881e55d20bab73d255e2de2173c3bcb5a181552b9875a9b419ced86b6822205182f3f06d8fe30331c47836d
SSDEEP

3072:B5bKZ+EdP/kDsCnO79mznWSppD1bzjg/rP+PVJ2qPkYFJ12ChYSN8R/2ONglXxf8:Bw4EdwTbDDKGtlrl5FBf1wGD4XdJIM

Score

8^/10

discovery evasion exploit

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

6600 icacls.exe
10144 takeown.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

6600 icacls.exe
10144 takeown.exe

pid	process
6600	icacls.exe
10144	takeown.exe

pid	process
6600	icacls.exe
10144	takeown.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cleanmgr.exe

description	ioc	process
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

8124 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5520 5324 WerFault.exe ctfmon.exe

pid	process
8124	sc.exe

pid	pid_target	process	target process
5520	5324	WerFault.exe	ctfmon.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chkdsk.exechkntfs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

10124 NETSTAT.EXE
7736 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

6452 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

10676 taskkill.exe

pid	process
10124	NETSTAT.EXE
7736	ipconfig.exe

pid	process
6452	systeminfo.exe

pid	process
10676	taskkill.exe

Modifies registry class 23 IoCs

Processes:

certreq.exesvchost.execalc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	certreq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	certreq.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718508534-2116753757-2794822388-1000\{FB151D6E-6145-4C5A-88B6-E42FC649018B}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	calc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	certreq.exe
Key created	\Registry\User\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\NotificationData	certreq.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

10188 PING.EXE
Runs regedit.exe 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

10436 regedit.exe
10988 regedit.exe

pid	process
10188	PING.EXE

pid	process
10436	regedit.exe
10988	regedit.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AUDIODG.EXEsvchost.exeauditpol.exevssvc.exe

description	pid	process
Token: 33	4212	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4212	AUDIODG.EXE
Token: SeShutdownPrivilege	5116	svchost.exe
Token: SeShutdownPrivilege	5116	svchost.exe
Token: SeCreatePagefilePrivilege	5116	svchost.exe
Token: SeSecurityPrivilege	3168	auditpol.exe
Token: SeBackupPrivilege	3904	vssvc.exe
Token: SeRestorePrivilege	3904	vssvc.exe
Token: SeAuditPrivilege	3904	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.execertreq.exe

pid process

4152 OpenWith.exe
4932 certreq.exe

pid	process
4152	OpenWith.exe
4932	certreq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Fluorocarbomorpholide.execmd.exe

description	pid	process	target process
PID 452 wrote to memory of 4564	452	Fluorocarbomorpholide.exe	cmd.exe
PID 452 wrote to memory of 4564	452	Fluorocarbomorpholide.exe	cmd.exe
PID 452 wrote to memory of 4564	452	Fluorocarbomorpholide.exe	cmd.exe
PID 4564 wrote to memory of 1568	4564	cmd.exe	reg.exe
PID 4564 wrote to memory of 1568	4564	cmd.exe	reg.exe
PID 4564 wrote to memory of 1568	4564	cmd.exe	reg.exe
PID 452 wrote to memory of 2648	452	Fluorocarbomorpholide.exe	agentactivationruntimestarter.exe
PID 452 wrote to memory of 2648	452	Fluorocarbomorpholide.exe	agentactivationruntimestarter.exe
PID 452 wrote to memory of 2648	452	Fluorocarbomorpholide.exe	agentactivationruntimestarter.exe
PID 452 wrote to memory of 4408	452	Fluorocarbomorpholide.exe	appidtel.exe
PID 452 wrote to memory of 4408	452	Fluorocarbomorpholide.exe	appidtel.exe
PID 452 wrote to memory of 4408	452	Fluorocarbomorpholide.exe	appidtel.exe
PID 452 wrote to memory of 3120	452	Fluorocarbomorpholide.exe	ARP.EXE
PID 452 wrote to memory of 3120	452	Fluorocarbomorpholide.exe	ARP.EXE
PID 452 wrote to memory of 3120	452	Fluorocarbomorpholide.exe	ARP.EXE
PID 452 wrote to memory of 3124	452	Fluorocarbomorpholide.exe	at.exe
PID 452 wrote to memory of 3124	452	Fluorocarbomorpholide.exe	at.exe
PID 452 wrote to memory of 3124	452	Fluorocarbomorpholide.exe	at.exe
PID 452 wrote to memory of 388	452	Fluorocarbomorpholide.exe	AtBroker.exe
PID 452 wrote to memory of 388	452	Fluorocarbomorpholide.exe	AtBroker.exe
PID 452 wrote to memory of 388	452	Fluorocarbomorpholide.exe	AtBroker.exe
PID 452 wrote to memory of 4584	452	Fluorocarbomorpholide.exe	attrib.exe
PID 452 wrote to memory of 4584	452	Fluorocarbomorpholide.exe	attrib.exe
PID 452 wrote to memory of 4584	452	Fluorocarbomorpholide.exe	attrib.exe
PID 452 wrote to memory of 3168	452	Fluorocarbomorpholide.exe	auditpol.exe
PID 452 wrote to memory of 3168	452	Fluorocarbomorpholide.exe	auditpol.exe
PID 452 wrote to memory of 3168	452	Fluorocarbomorpholide.exe	auditpol.exe
PID 452 wrote to memory of 5004	452	Fluorocarbomorpholide.exe	choice.exe
PID 452 wrote to memory of 5004	452	Fluorocarbomorpholide.exe	choice.exe
PID 452 wrote to memory of 5004	452	Fluorocarbomorpholide.exe	choice.exe
PID 452 wrote to memory of 4704	452	Fluorocarbomorpholide.exe	BackgroundTransferHost.exe
PID 452 wrote to memory of 4704	452	Fluorocarbomorpholide.exe	BackgroundTransferHost.exe
PID 452 wrote to memory of 4704	452	Fluorocarbomorpholide.exe	BackgroundTransferHost.exe
PID 452 wrote to memory of 2548	452	Fluorocarbomorpholide.exe	cmd.exe
PID 452 wrote to memory of 2548	452	Fluorocarbomorpholide.exe	cmd.exe
PID 452 wrote to memory of 2548	452	Fluorocarbomorpholide.exe	cmd.exe
PID 452 wrote to memory of 3388	452	Fluorocarbomorpholide.exe	clip.exe
PID 452 wrote to memory of 3388	452	Fluorocarbomorpholide.exe	clip.exe
PID 452 wrote to memory of 3388	452	Fluorocarbomorpholide.exe	clip.exe
PID 452 wrote to memory of 3100	452	Fluorocarbomorpholide.exe	ByteCodeGenerator.exe
PID 452 wrote to memory of 3100	452	Fluorocarbomorpholide.exe	ByteCodeGenerator.exe
PID 452 wrote to memory of 3100	452	Fluorocarbomorpholide.exe	ByteCodeGenerator.exe
PID 452 wrote to memory of 1248	452	Fluorocarbomorpholide.exe	cacls.exe
PID 452 wrote to memory of 1248	452	Fluorocarbomorpholide.exe	cacls.exe
PID 452 wrote to memory of 1248	452	Fluorocarbomorpholide.exe	cacls.exe
PID 452 wrote to memory of 3932	452	Fluorocarbomorpholide.exe	calc.exe
PID 452 wrote to memory of 3932	452	Fluorocarbomorpholide.exe	calc.exe
PID 452 wrote to memory of 3932	452	Fluorocarbomorpholide.exe	calc.exe
PID 452 wrote to memory of 952	452	Fluorocarbomorpholide.exe	CameraSettingsUIHost.exe
PID 452 wrote to memory of 952	452	Fluorocarbomorpholide.exe	CameraSettingsUIHost.exe
PID 452 wrote to memory of 952	452	Fluorocarbomorpholide.exe	CameraSettingsUIHost.exe
PID 452 wrote to memory of 3944	452	Fluorocarbomorpholide.exe	CertEnrollCtrl.exe
PID 452 wrote to memory of 3944	452	Fluorocarbomorpholide.exe	CertEnrollCtrl.exe
PID 452 wrote to memory of 3944	452	Fluorocarbomorpholide.exe	CertEnrollCtrl.exe
PID 452 wrote to memory of 4932	452	Fluorocarbomorpholide.exe	certreq.exe
PID 452 wrote to memory of 4932	452	Fluorocarbomorpholide.exe	certreq.exe
PID 452 wrote to memory of 4932	452	Fluorocarbomorpholide.exe	certreq.exe
PID 452 wrote to memory of 2864	452	Fluorocarbomorpholide.exe	certutil.exe
PID 452 wrote to memory of 2864	452	Fluorocarbomorpholide.exe	certutil.exe
PID 452 wrote to memory of 2864	452	Fluorocarbomorpholide.exe	certutil.exe
PID 452 wrote to memory of 3456	452	Fluorocarbomorpholide.exe	charmap.exe
PID 452 wrote to memory of 3456	452	Fluorocarbomorpholide.exe	charmap.exe
PID 452 wrote to memory of 3456	452	Fluorocarbomorpholide.exe	charmap.exe
PID 452 wrote to memory of 2572	452	Fluorocarbomorpholide.exe	Conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4584 attrib.exe

pid	process
4584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Fluorocarbomorpholide.exe
"C:\Users\Admin\AppData\Local\Temp\Fluorocarbomorpholide.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 1 /f
3⤵
PID:1568

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
"C:\Windows\System32\agentactivationruntimestarter.exe"
2⤵
PID:2648

C:\Windows\SysWOW64\appidtel.exe
"C:\Windows\System32\appidtel.exe"
2⤵
PID:4408

C:\Windows\SysWOW64\ARP.EXE
"C:\Windows\System32\ARP.EXE"
2⤵
PID:3120

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
2⤵
PID:3124

C:\Windows\SysWOW64\AtBroker.exe
"C:\Windows\System32\AtBroker.exe"
2⤵
PID:388

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe"
2⤵
- Views/modifies file attributes
PID:4584

C:\Windows\SysWOW64\auditpol.exe
"C:\Windows\System32\auditpol.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\System32\autochk.exe"
2⤵
PID:2388

C:\Windows\SysWOW64\backgroundTaskHost.exe
"C:\Windows\System32\backgroundTaskHost.exe"
2⤵
PID:5004

C:\Windows\SysWOW64\BackgroundTransferHost.exe
"C:\Windows\System32\BackgroundTransferHost.exe"
2⤵
PID:4704

C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe"
2⤵
PID:2548

C:\Windows\SysWOW64\bthudtask.exe
"C:\Windows\System32\bthudtask.exe"
2⤵
PID:3388

C:\Windows\SysWOW64\ByteCodeGenerator.exe
"C:\Windows\System32\ByteCodeGenerator.exe"
2⤵
PID:3100

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe"
2⤵
PID:1248

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
2⤵
- Modifies registry class
PID:3932

C:\Windows\SysWOW64\CameraSettingsUIHost.exe
"C:\Windows\System32\CameraSettingsUIHost.exe"
2⤵
PID:952

C:\Windows\SysWOW64\CertEnrollCtrl.exe
"C:\Windows\System32\CertEnrollCtrl.exe"
2⤵
PID:3944

C:\Windows\SysWOW64\certreq.exe
"C:\Windows\System32\certreq.exe"
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe"
2⤵
- Manipulates Digital Signatures
PID:2864

C:\Windows\SysWOW64\charmap.exe
"C:\Windows\System32\charmap.exe"
2⤵
PID:3456

C:\Windows\SysWOW64\CheckNetIsolation.exe
"C:\Windows\System32\CheckNetIsolation.exe"
2⤵
PID:2572

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\System32\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:5096

C:\Windows\SysWOW64\chkntfs.exe
"C:\Windows\System32\chkntfs.exe"
2⤵
- Enumerates system info in registry
PID:4304

C:\Windows\SysWOW64\choice.exe
"C:\Windows\System32\choice.exe"
2⤵
PID:5004

C:\Windows\SysWOW64\cipher.exe
"C:\Windows\System32\cipher.exe"
2⤵
PID:2420

C:\Windows\SysWOW64\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe"
2⤵
- Enumerates connected drives
PID:3668

C:\Windows\SysWOW64\cliconfg.exe
"C:\Windows\System32\cliconfg.exe"
2⤵
PID:4864

C:\Windows\SysWOW64\clip.exe
"C:\Windows\System32\clip.exe"
2⤵
PID:3388

C:\Windows\SysWOW64\CloudNotifications.exe
"C:\Windows\System32\CloudNotifications.exe"
2⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3552

C:\Windows\SysWOW64\cmdkey.exe
"C:\Windows\System32\cmdkey.exe"
2⤵
PID:4016

C:\Windows\SysWOW64\cmdl32.exe
"C:\Windows\System32\cmdl32.exe"
2⤵
PID:1404

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\System32\cmmon32.exe"
2⤵
PID:3672

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\System32\cmstp.exe"
2⤵
PID:4068

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\System32\colorcpl.exe"
2⤵
PID:3756

C:\Windows\SysWOW64\comp.exe
"C:\Windows\System32\comp.exe"
2⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2572

C:\Windows\SysWOW64\compact.exe
"C:\Windows\System32\compact.exe"
2⤵
PID:4820

C:\Windows\SysWOW64\ComputerDefaults.exe
"C:\Windows\System32\ComputerDefaults.exe"
2⤵
PID:4304

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
2⤵
PID:4268

C:\Windows\SysWOW64\convert.exe
"C:\Windows\System32\convert.exe"
2⤵
PID:3684

C:\Windows\SysWOW64\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe"
2⤵
PID:1444

C:\Windows\SysWOW64\credwiz.exe
"C:\Windows\System32\credwiz.exe"
2⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe"
2⤵
PID:5252

C:\Windows\SysWOW64\ctfmon.exe
"C:\Windows\System32\ctfmon.exe"
2⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 736
3⤵
- Program crash
PID:5520

C:\Windows\SysWOW64\cttune.exe
"C:\Windows\System32\cttune.exe"
2⤵
PID:5432

C:\Windows\SysWOW64\cttunesvr.exe
"C:\Windows\System32\cttunesvr.exe"
2⤵
PID:5528

C:\Windows\SysWOW64\curl.exe
"C:\Windows\System32\curl.exe"
2⤵
PID:5712

C:\Windows\SysWOW64\dccw.exe
"C:\Windows\System32\dccw.exe"
2⤵
PID:5888

C:\Windows\SysWOW64\dcomcnfg.exe
"C:\Windows\System32\dcomcnfg.exe"
2⤵
PID:6016

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
3⤵
PID:6032

C:\Windows\SysWOW64\ddodiag.exe
"C:\Windows\System32\ddodiag.exe"
2⤵
PID:6076

C:\Windows\SysWOW64\DevicePairingWizard.exe
"C:\Windows\System32\DevicePairingWizard.exe"
2⤵
PID:6124

C:\Windows\SysWOW64\dfrgui.exe
"C:\Windows\System32\dfrgui.exe"
2⤵
PID:2548

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\System32\dialer.exe"
2⤵
PID:5948

C:\Windows\SysWOW64\diskpart.exe
"C:\Windows\System32\diskpart.exe"
2⤵
PID:3992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\System32\diskperf.exe"
2⤵
PID:6272

C:\Windows\SysWOW64\diskusage.exe
"C:\Windows\System32\diskusage.exe"
2⤵
PID:6420

C:\Windows\SysWOW64\Dism.exe
"C:\Windows\System32\Dism.exe"
2⤵
PID:6576

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:6700

C:\Windows\SysWOW64\dllhst3g.exe
"C:\Windows\System32\dllhst3g.exe"
2⤵
PID:6832

C:\Windows\SysWOW64\doskey.exe
"C:\Windows\System32\doskey.exe"
2⤵
PID:6924

C:\Windows\SysWOW64\dpapimig.exe
"C:\Windows\System32\dpapimig.exe"
2⤵
PID:6972

C:\Windows\SysWOW64\DpiScaling.exe
"C:\Windows\System32\DpiScaling.exe"
2⤵
PID:6996

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" ms-settings:display
3⤵
PID:7028

C:\Windows\SysWOW64\driverquery.exe
"C:\Windows\System32\driverquery.exe"
2⤵
PID:5176

C:\Windows\SysWOW64\dtdump.exe
"C:\Windows\System32\dtdump.exe"
2⤵
PID:6492

C:\Windows\SysWOW64\dvdplay.exe
"C:\Windows\System32\dvdplay.exe"
2⤵
PID:6576

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
/device:dvd
3⤵
PID:6644

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce: /device:dvd
4⤵
PID:6484

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
4⤵
PID:6884

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
5⤵
PID:6956

C:\Windows\SysWOW64\DWWIN.EXE
"C:\Windows\System32\DWWIN.EXE"
2⤵
PID:2816

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\System32\dxdiag.exe"
2⤵
PID:6996

C:\Windows\SysWOW64\EaseOfAccessDialog.exe
"C:\Windows\System32\EaseOfAccessDialog.exe"
2⤵
PID:6884

C:\Windows\SysWOW64\edpnotify.exe
"C:\Windows\System32\edpnotify.exe"
2⤵
PID:6960

C:\Windows\SysWOW64\efsui.exe
"C:\Windows\System32\efsui.exe"
2⤵
PID:2816

C:\Windows\SysWOW64\EhStorAuthn.exe
"C:\Windows\System32\EhStorAuthn.exe"
2⤵
PID:6884

C:\Windows\SysWOW64\esentutl.exe
"C:\Windows\System32\esentutl.exe"
2⤵
PID:6808

C:\Windows\SysWOW64\eudcedit.exe
"C:\Windows\System32\eudcedit.exe"
2⤵
PID:6936

C:\Windows\SysWOW64\eventcreate.exe
"C:\Windows\System32\eventcreate.exe"
2⤵
PID:5304

C:\Windows\SysWOW64\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
2⤵
PID:6076

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
3⤵
PID:6300

C:\Windows\system32\mmc.exe
"C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
4⤵
PID:6288

C:\Windows\SysWOW64\expand.exe
"C:\Windows\System32\expand.exe"
2⤵
PID:7008

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
2⤵
PID:6716

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\System32\extrac32.exe"
2⤵
PID:6344

C:\Windows\SysWOW64\fc.exe
"C:\Windows\System32\fc.exe"
2⤵
PID:6956

C:\Windows\SysWOW64\find.exe
"C:\Windows\System32\find.exe"
2⤵
PID:1600

C:\Windows\SysWOW64\findstr.exe
"C:\Windows\System32\findstr.exe"
2⤵
PID:6228

C:\Windows\SysWOW64\finger.exe
"C:\Windows\System32\finger.exe"
2⤵
PID:6244

C:\Windows\SysWOW64\fixmapi.exe
"C:\Windows\System32\fixmapi.exe"
2⤵
PID:404

C:\Windows\SysWOW64\fltMC.exe
"C:\Windows\System32\fltMC.exe"
2⤵
PID:6276

C:\Windows\SysWOW64\Fondue.exe
"C:\Windows\System32\Fondue.exe"
2⤵
PID:1600

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\System32\fontview.exe"
2⤵
PID:7008

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe"
2⤵
PID:7036

C:\Windows\SysWOW64\cmd.exe
/c echo ".ses"
3⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
/c echo "2485799853"
3⤵
PID:5872

C:\Windows\SysWOW64\cmd.exe
/c echo "acrocef_low"
3⤵
PID:6248

C:\Windows\SysWOW64\cmd.exe
/c echo "AdobeSFX.log"
3⤵
PID:6092

C:\Windows\SysWOW64\cmd.exe
/c echo "aria-debug-1056.log"
3⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
/c echo "BroadcastMsg_1712930812.txt"
3⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
/c echo "chrome_installer.log"
3⤵
PID:6244

C:\Windows\SysWOW64\cmd.exe
/c echo "ddodiag.xml"
3⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
/c echo "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
3⤵
PID:5144

C:\Windows\SysWOW64\cmd.exe
/c echo "dd_vcredistMSI3F38.txt"
3⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
/c echo "dd_vcredistMSI3F52.txt"
3⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
/c echo "dd_vcredistUI3F38.txt"
3⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
/c echo "dd_vcredistUI3F52.txt"
3⤵
PID:5872

C:\Windows\SysWOW64\cmd.exe
/c echo "Fluorocarbomorpholide.exe"
3⤵
PID:6092

C:\Windows\SysWOW64\cmd.exe
/c echo "Fluorocarbomorpholide.harmless.exe"
3⤵
PID:6244

C:\Windows\SysWOW64\cmd.exe
/c echo "hsperfdata_Admin"
3⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
/c echo "JavaDeployReg.log"
3⤵
PID:7180

C:\Windows\SysWOW64\cmd.exe
/c echo "jawshtml.html"
3⤵
PID:7400

C:\Windows\SysWOW64\cmd.exe
/c echo "jusched.log"
3⤵
PID:7684

C:\Windows\SysWOW64\cmd.exe
/c echo "Low"
3⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft .NET Framework 4.7.2 Setup_20240412_140259204.html"
3⤵
PID:7336

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219"
3⤵
PID:7680

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219"
3⤵
PID:7616

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240412140333.log"
3⤵
PID:7964

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240412140333_000_dotnet_runtime_6.0.27_win_x64.msi.log"
3⤵
PID:8052

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240412140333_001_dotnet_hostfxr_6.0.27_win_x64.msi.log"
3⤵
PID:7252

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240412140333_002_dotnet_host_6.0.27_win_x64.msi.log"
3⤵
PID:8112

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240412140333_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log"
3⤵
PID:7172

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240412140409.log"
3⤵
PID:7476

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240412140409_000_dotnet_runtime_7.0.16_win_x64.msi.log"
3⤵
PID:7620

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240412140409_001_dotnet_hostfxr_7.0.16_win_x64.msi.log"
3⤵
PID:7560

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240412140409_002_dotnet_host_7.0.16_win_x64.msi.log"
3⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240412140409_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log"
3⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240412140426.log"
3⤵
PID:7852

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240412140426_000_dotnet_runtime_8.0.2_win_x64.msi.log"
3⤵
PID:8036

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240412140426_001_dotnet_hostfxr_8.0.2_win_x64.msi.log"
3⤵
PID:8100

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240412140426_002_dotnet_host_8.0.2_win_x64.msi.log"
3⤵
PID:8064

C:\Windows\SysWOW64\cmd.exe
/c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240412140426_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log"
3⤵
PID:7868

C:\Windows\SysWOW64\cmd.exe
/c echo "mozilla-temp-files"
3⤵
PID:8124

C:\Windows\SysWOW64\cmd.exe
/c echo "msedge_installer.log"
3⤵
PID:8028

C:\Windows\SysWOW64\cmd.exe
/c echo "OneNote"
3⤵
PID:8000

C:\Windows\SysWOW64\cmd.exe
/c echo "RDUOHHNY-20240412-1407.log"
3⤵
PID:8084

C:\Windows\SysWOW64\cmd.exe
/c echo "RDUOHHNY-20240412-1407a.log"
3⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
/c echo "README.txt"
3⤵
PID:7352

C:\Windows\SysWOW64\cmd.exe
/c echo "tmp32875.WMC"
3⤵
PID:7620

C:\Windows\SysWOW64\cmd.exe
/c echo "wct5479.tmp"
3⤵
PID:8180

C:\Windows\SysWOW64\cmd.exe
/c echo "wct61B.tmp"
3⤵
PID:7848

C:\Windows\SysWOW64\cmd.exe
/c echo "wct6801.tmp"
3⤵
PID:7736

C:\Windows\SysWOW64\cmd.exe
/c echo "wct6C28.tmp"
3⤵
PID:7996

C:\Windows\SysWOW64\cmd.exe
/c echo "wct9039.tmp"
3⤵
PID:8184

C:\Windows\SysWOW64\cmd.exe
/c echo "wctD2B1.tmp"
3⤵
PID:8100

C:\Windows\SysWOW64\cmd.exe
/c echo "wmsetup.log"
3⤵
PID:8188

C:\Windows\SysWOW64\cmd.exe
/c echo "{4183BE3C-04B6-4246-A7E9-2F573420FE13} - OProcSessId.dat"
3⤵
PID:7864

C:\Windows\SysWOW64\cmd.exe
/c echo "{4912284E-FD29-4B00-87C8-9C629F50E5A1}"
3⤵
PID:8028

C:\Windows\SysWOW64\fsquirt.exe
"C:\Windows\System32\fsquirt.exe"
2⤵
PID:6352

C:\Windows\SysWOW64\fsutil.exe
"C:\Windows\System32\fsutil.exe"
2⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ftp://ftp.exe/
2⤵
PID:7232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa2e423cb8,0x7ffa2e423cc8,0x7ffa2e423cd8
3⤵
PID:7244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,4095569010460046740,5623820016130952681,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:2
3⤵
PID:7508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,4095569010460046740,5623820016130952681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
3⤵
PID:7516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,4095569010460046740,5623820016130952681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
3⤵
PID:7524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4095569010460046740,5623820016130952681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
3⤵
PID:7628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4095569010460046740,5623820016130952681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
3⤵
PID:7636

C:\Windows\SysWOW64\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe"
2⤵
PID:7312

C:\Windows\SysWOW64\GamePanel.exe
"C:\Windows\System32\GamePanel.exe"
2⤵
PID:7424

C:\Windows\SysWOW64\getmac.exe
"C:\Windows\System32\getmac.exe"
2⤵
PID:7864

C:\Windows\SysWOW64\gpresult.exe
"C:\Windows\System32\gpresult.exe"
2⤵
PID:8116

C:\Windows\SysWOW64\gpscript.exe
"C:\Windows\System32\gpscript.exe"
2⤵
PID:7408

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe"
2⤵
PID:7956

C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe"
2⤵
PID:7616

C:\Windows\SysWOW64\hdwwiz.exe
"C:\Windows\System32\hdwwiz.exe"
2⤵
PID:8176

C:\Windows\SysWOW64\help.exe
"C:\Windows\System32\help.exe"
2⤵
PID:7960

C:\Windows\SysWOW64\hh.exe
"C:\Windows\System32\hh.exe"
2⤵
PID:8120

C:\Windows\SysWOW64\HOSTNAME.EXE
"C:\Windows\System32\HOSTNAME.EXE"
2⤵
PID:8172

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6600

C:\Windows\SysWOW64\icsunattend.exe
"C:\Windows\System32\icsunattend.exe"
2⤵
PID:8128

C:\Windows\SysWOW64\ieUnatt.exe
"C:\Windows\System32\ieUnatt.exe"
2⤵
PID:7288

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\System32\iexpress.exe"
2⤵
PID:7688

C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe"
2⤵
PID:7960

C:\Windows\SysWOW64\InputSwitchToastHandler.exe
"C:\Windows\System32\InputSwitchToastHandler.exe"
2⤵
PID:2480

C:\Windows\SysWOW64\instnm.exe
"C:\Windows\System32\instnm.exe"
2⤵
PID:6228

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe"
2⤵
- Gathers network information
PID:7736

C:\Windows\SysWOW64\iscsicli.exe
"C:\Windows\System32\iscsicli.exe"
2⤵
PID:8060

C:\Windows\SysWOW64\iscsicpl.exe
"C:\Windows\System32\iscsicpl.exe"
2⤵
PID:5876

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0
3⤵
PID:5548

C:\Windows\SysWOW64\isoburn.exe
"C:\Windows\System32\isoburn.exe"
2⤵
PID:7288

C:\Windows\SysWOW64\ktmutil.exe
"C:\Windows\System32\ktmutil.exe"
2⤵
PID:7560

C:\Windows\SysWOW64\label.exe
"C:\Windows\System32\label.exe"
2⤵
PID:8160

C:\Windows\SysWOW64\LaunchTM.exe
"C:\Windows\System32\LaunchTM.exe"
2⤵
PID:6232

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
3⤵
PID:2056

C:\Windows\SysWOW64\LaunchWinApp.exe
"C:\Windows\System32\LaunchWinApp.exe"
2⤵
PID:7484

C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\System32\lodctr.exe"
2⤵
PID:5320

C:\Windows\SysWOW64\logagent.exe
"C:\Windows\System32\logagent.exe"
2⤵
PID:8008

C:\Windows\SysWOW64\logman.exe
"C:\Windows\System32\logman.exe"
2⤵
PID:7616

C:\Windows\SysWOW64\Magnify.exe
"C:\Windows\System32\Magnify.exe"
2⤵
PID:8116

C:\Windows\SysWOW64\makecab.exe
"C:\Windows\System32\makecab.exe"
2⤵
PID:8244

C:\Windows\SysWOW64\mavinject.exe
"C:\Windows\System32\mavinject.exe"
2⤵
PID:8496

C:\Windows\SysWOW64\mcbuilder.exe
"C:\Windows\System32\mcbuilder.exe"
2⤵
PID:8928

C:\Windows\SysWOW64\mfpmp.exe
"C:\Windows\System32\mfpmp.exe"
2⤵
PID:9064

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
2⤵
PID:9076

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
3⤵
PID:9096

C:\Windows\SysWOW64\mmgaserver.exe
"C:\Windows\System32\mmgaserver.exe"
2⤵
PID:9168

C:\Windows\SysWOW64\mobsync.exe
"C:\Windows\System32\mobsync.exe"
2⤵
PID:9204

C:\Windows\SysWOW64\mountvol.exe
"C:\Windows\System32\mountvol.exe"
2⤵
PID:8944

C:\Windows\SysWOW64\MRINFO.EXE
"C:\Windows\System32\MRINFO.EXE"
2⤵
PID:7616

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\System32\msdt.exe"
2⤵
PID:8184

C:\Windows\SysWOW64\msfeedssync.exe
"C:\Windows\System32\msfeedssync.exe"
2⤵
PID:8280

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe"
2⤵
PID:9008

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe"
2⤵
PID:2476

C:\Windows\SysWOW64\msinfo32.exe
"C:\Windows\System32\msinfo32.exe"
2⤵
PID:8256

C:\Windows\SysWOW64\msra.exe
"C:\Windows\System32\msra.exe"
2⤵
PID:8356

C:\Windows\system32\msra.exe
"C:\Windows\system32\msra.exe"
3⤵
PID:9064

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\System32\mstsc.exe"
2⤵
PID:9280

C:\Windows\system32\mstsc.exe
"C:\Windows\System32\mstsc.exe"
3⤵
PID:9296

C:\Windows\SysWOW64\mtstocom.exe
"C:\Windows\System32\mtstocom.exe"
2⤵
PID:9388

C:\Windows\SysWOW64\MuiUnattend.exe
"C:\Windows\System32\MuiUnattend.exe"
2⤵
PID:9444

C:\Windows\SysWOW64\ndadmin.exe
"C:\Windows\System32\ndadmin.exe"
2⤵
PID:9532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe"
2⤵
PID:9556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1
3⤵
PID:9600

C:\Windows\SysWOW64\net1.exe
"C:\Windows\System32\net1.exe"
2⤵
PID:9620

C:\Windows\SysWOW64\netbtugc.exe
"C:\Windows\System32\netbtugc.exe"
2⤵
PID:9760

C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
"C:\Windows\System32\NetCfgNotifyObjectHost.exe"
2⤵
PID:9868

C:\Windows\SysWOW64\netiougc.exe
"C:\Windows\System32\netiougc.exe"
2⤵
PID:9888

C:\Windows\SysWOW64\Netplwiz.exe
"C:\Windows\System32\Netplwiz.exe"
2⤵
PID:9988

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe"
2⤵
PID:10044

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\System32\NETSTAT.EXE"
2⤵
- Gathers network information
PID:10124

C:\Windows\SysWOW64\newdev.exe
"C:\Windows\System32\newdev.exe"
2⤵
PID:10208

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:10220

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\System32\nslookup.exe"
2⤵
PID:7344

C:\Windows\SysWOW64\ntprint.exe
"C:\Windows\System32\ntprint.exe"
2⤵
PID:7296

C:\Windows\SysWOW64\odbcad32.exe
"C:\Windows\System32\odbcad32.exe"
2⤵
PID:9460

C:\Windows\SysWOW64\odbcconf.exe
"C:\Windows\System32\odbcconf.exe"
2⤵
PID:9520

C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\System32\OneDriveSetup.exe"
2⤵
PID:9496

C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-2718508534-2116753757-2794822388-1000
3⤵
PID:9588

C:\Windows\SysWOW64\OneDriveSetup.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe
3⤵
PID:9664

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncConfig.exe"
4⤵
PID:9824

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
4⤵
PID:10412

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart /updateSource:ODU
5⤵
PID:9804

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
6⤵
PID:10888

C:\Windows\SysWOW64\openfiles.exe
"C:\Windows\System32\openfiles.exe"
2⤵
PID:9576

C:\Windows\SysWOW64\OpenWith.exe
"C:\Windows\System32\OpenWith.exe"
2⤵
PID:9648

C:\Windows\SysWOW64\OposHost.exe
"C:\Windows\System32\OposHost.exe"
2⤵
PID:9628

C:\Windows\SysWOW64\PackagedCWALauncher.exe
"C:\Windows\System32\PackagedCWALauncher.exe"
2⤵
PID:9212

C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
"C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
2⤵
PID:9780

C:\Windows\SysWOW64\PATHPING.EXE
"C:\Windows\System32\PATHPING.EXE"
2⤵
PID:9784

C:\Windows\SysWOW64\pcaui.exe
"C:\Windows\System32\pcaui.exe"
2⤵
PID:1452

C:\Windows\SysWOW64\perfhost.exe
"C:\Windows\System32\perfhost.exe"
2⤵
PID:9768

C:\Windows\SysWOW64\perfmon.exe
"C:\Windows\System32\perfmon.exe"
2⤵
PID:9936

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
3⤵
PID:9956

C:\Windows\SysWOW64\PickerHost.exe
"C:\Windows\System32\PickerHost.exe"
2⤵
PID:8252

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE"
2⤵
- Runs ping.exe
PID:10188

C:\Windows\SysWOW64\PkgMgr.exe
"C:\Windows\System32\PkgMgr.exe"
2⤵
PID:6888

C:\Windows\SysWOW64\poqexec.exe
"C:\Windows\System32\poqexec.exe"
2⤵
PID:5720

C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe"
2⤵
PID:9556

C:\Windows\SysWOW64\PresentationHost.exe
"C:\Windows\System32\PresentationHost.exe"
2⤵
PID:9736

C:\Windows\SysWOW64\prevhost.exe
"C:\Windows\System32\prevhost.exe"
2⤵
PID:9816

C:\Windows\SysWOW64\print.exe
"C:\Windows\System32\print.exe"
2⤵
PID:9680

C:\Windows\SysWOW64\printui.exe
"C:\Windows\System32\printui.exe"
2⤵
PID:9620

C:\Windows\SysWOW64\proquota.exe
"C:\Windows\System32\proquota.exe"
2⤵
PID:9800

C:\Windows\SysWOW64\provlaunch.exe
"C:\Windows\System32\provlaunch.exe"
2⤵
PID:1712

C:\Windows\SysWOW64\psr.exe
"C:\Windows\System32\psr.exe"
2⤵
PID:3008

C:\Windows\system32\psr.exe
"C:\Windows\system32\psr.exe"
3⤵
PID:9768

C:\Windows\SysWOW64\quickassist.exe
"C:\Windows\System32\quickassist.exe"
2⤵
PID:9904

C:\Windows\SysWOW64\rasautou.exe
"C:\Windows\System32\rasautou.exe"
2⤵
PID:9624

C:\Windows\SysWOW64\rasdial.exe
"C:\Windows\System32\rasdial.exe"
2⤵
PID:9924

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\System32\raserver.exe"
2⤵
PID:9884

C:\Windows\SysWOW64\rasphone.exe
"C:\Windows\System32\rasphone.exe"
2⤵
PID:10900

C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\System32\RdpSa.exe"
2⤵
PID:11192

C:\Windows\SysWOW64\RdpSaProxy.exe
"C:\Windows\System32\RdpSaProxy.exe"
2⤵
PID:6816

C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\system32\RdpSa.exe"
3⤵
PID:10572

C:\Windows\SysWOW64\RdpSaUacHelper.exe
"C:\Windows\System32\RdpSaUacHelper.exe"
2⤵
PID:9788

C:\Windows\SysWOW64\rdrleakdiag.exe
"C:\Windows\System32\rdrleakdiag.exe"
2⤵
PID:10304

C:\Windows\SysWOW64\ReAgentc.exe
"C:\Windows\System32\ReAgentc.exe"
2⤵
PID:10428

C:\Windows\SysWOW64\recover.exe
"C:\Windows\System32\recover.exe"
2⤵
PID:10600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe"
2⤵
PID:10980

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
2⤵
- Runs regedit.exe
PID:10436

C:\Windows\SysWOW64\regedt32.exe
"C:\Windows\System32\regedt32.exe"
2⤵
PID:432

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\regedit.exe"
3⤵
- Runs regedit.exe
PID:10988

C:\Windows\SysWOW64\regini.exe
"C:\Windows\System32\regini.exe"
2⤵
PID:11048

C:\Windows\SysWOW64\Register-CimProvider.exe
"C:\Windows\System32\Register-CimProvider.exe"
2⤵
PID:10244

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe"
2⤵
PID:10268

C:\Windows\SysWOW64\rekeywiz.exe
"C:\Windows\System32\rekeywiz.exe"
2⤵
PID:10392

C:\Windows\SysWOW64\relog.exe
"C:\Windows\System32\relog.exe"
2⤵
PID:10640

C:\Windows\SysWOW64\replace.exe
"C:\Windows\System32\replace.exe"
2⤵
PID:9212

C:\Windows\SysWOW64\resmon.exe
"C:\Windows\System32\resmon.exe"
2⤵
PID:10428

C:\Windows\SysWOW64\perfmon.exe
"C:\Windows\System32\perfmon.exe" /res
3⤵
PID:10620

C:\Windows\system32\perfmon.exe
"C:\Windows\Sysnative\perfmon.exe" /res
4⤵
PID:10336

C:\Windows\SysWOW64\RMActivate.exe
"C:\Windows\System32\RMActivate.exe"
2⤵
PID:10892

C:\Windows\SysWOW64\RMActivate_isv.exe
"C:\Windows\System32\RMActivate_isv.exe"
2⤵
PID:9796

C:\Windows\SysWOW64\RMActivate_ssp.exe
"C:\Windows\System32\RMActivate_ssp.exe"
2⤵
PID:11168

C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
"C:\Windows\System32\RMActivate_ssp_isv.exe"
2⤵
PID:6724

C:\Windows\SysWOW64\RmClient.exe
"C:\Windows\System32\RmClient.exe"
2⤵
PID:7388

C:\Windows\SysWOW64\Robocopy.exe
"C:\Windows\System32\Robocopy.exe"
2⤵
PID:10472

C:\Windows\SysWOW64\ROUTE.EXE
"C:\Windows\System32\ROUTE.EXE"
2⤵
PID:4636

C:\Windows\SysWOW64\RpcPing.exe
"C:\Windows\System32\RpcPing.exe"
2⤵
PID:10716

C:\Windows\SysWOW64\rrinstaller.exe
"C:\Windows\System32\rrinstaller.exe"
2⤵
PID:10932

C:\Windows\SysWOW64\runas.exe
"C:\Windows\System32\runas.exe"
2⤵
PID:9808

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe"
2⤵
PID:10376

C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
"C:\Windows\System32\RunLegacyCPLElevated.exe"
2⤵
PID:7868

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\System32\runonce.exe"
2⤵
PID:10816

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe"
2⤵
- Launches sc.exe
PID:8124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe"
2⤵
PID:10160

C:\Windows\SysWOW64\sdbinst.exe
"C:\Windows\System32\sdbinst.exe"
2⤵
PID:10624

C:\Windows\SysWOW64\sdchange.exe
"C:\Windows\System32\sdchange.exe"
2⤵
PID:3700

C:\Windows\SysWOW64\sdiagnhost.exe
"C:\Windows\System32\sdiagnhost.exe"
2⤵
PID:10596

C:\Windows\SysWOW64\SearchFilterHost.exe
"C:\Windows\System32\SearchFilterHost.exe"
2⤵
PID:10216

C:\Windows\SysWOW64\SearchIndexer.exe
"C:\Windows\System32\SearchIndexer.exe"
2⤵
PID:11008

C:\Windows\SysWOW64\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe"
2⤵
PID:572

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe"
2⤵
PID:10584

C:\Windows\SysWOW64\secinit.exe
"C:\Windows\System32\secinit.exe"
2⤵
PID:5640

C:\Windows\SysWOW64\sethc.exe
"C:\Windows\System32\sethc.exe"
2⤵
PID:9284

C:\Windows\SysWOW64\setup16.exe
"C:\Windows\System32\setup16.exe"
2⤵
PID:10924

C:\Windows\SysWOW64\setupugc.exe
"C:\Windows\System32\setupugc.exe"
2⤵
PID:10708

C:\Windows\SysWOW64\setx.exe
"C:\Windows\System32\setx.exe"
2⤵
PID:11164

C:\Windows\SysWOW64\sfc.exe
"C:\Windows\System32\sfc.exe"
2⤵
PID:7320

C:\Windows\SysWOW64\shrpubw.exe
"C:\Windows\System32\shrpubw.exe"
2⤵
PID:484

C:\Windows\SysWOW64\shutdown.exe
"C:\Windows\System32\shutdown.exe"
2⤵
PID:10984

C:\Windows\SysWOW64\SndVol.exe
"C:\Windows\System32\SndVol.exe"
2⤵
PID:9924

C:\Windows\SysWOW64\sort.exe
"C:\Windows\System32\sort.exe"
2⤵
PID:10608

C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe
"C:\Windows\System32\SpatialAudioLicenseSrv.exe"
2⤵
PID:10728

C:\Windows\SysWOW64\srdelayed.exe
"C:\Windows\System32\srdelayed.exe"
2⤵
PID:8100

C:\Windows\SysWOW64\stordiag.exe
"C:\Windows\System32\stordiag.exe"
2⤵
PID:11116

C:\Windows\SysWOW64\fltmc.exe
"fltmc.exe" volumes
3⤵
PID:5348

C:\Windows\SysWOW64\fltmc.exe
"fltmc.exe" instances
3⤵
PID:7592

C:\Windows\SysWOW64\fltmc.exe
"fltmc.exe" filters
3⤵
PID:7492

C:\Windows\SysWOW64\subst.exe
"C:\Windows\System32\subst.exe"
2⤵
PID:7592

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
PID:10160

C:\Windows\SysWOW64\sxstrace.exe
"C:\Windows\System32\sxstrace.exe"
2⤵
PID:5828

C:\Windows\SysWOW64\SyncHost.exe
"C:\Windows\System32\SyncHost.exe"
2⤵
PID:7028

C:\Windows\SysWOW64\systeminfo.exe
"C:\Windows\System32\systeminfo.exe"
2⤵
- Gathers system information
PID:6452

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
"C:\Windows\System32\SystemPropertiesAdvanced.exe"
2⤵
PID:9444

C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
"C:\Windows\System32\SystemPropertiesComputerName.exe"
2⤵
PID:5616

C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
"C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
2⤵
PID:10584

C:\Windows\SysWOW64\SystemPropertiesHardware.exe
"C:\Windows\System32\SystemPropertiesHardware.exe"
2⤵
PID:3304

C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
"C:\Windows\System32\SystemPropertiesPerformance.exe"
2⤵
PID:10708

C:\Windows\SysWOW64\SystemPropertiesProtection.exe
"C:\Windows\System32\SystemPropertiesProtection.exe"
2⤵
PID:6724

C:\Windows\SysWOW64\SystemPropertiesRemote.exe
"C:\Windows\System32\SystemPropertiesRemote.exe"
2⤵
PID:10684

C:\Windows\SysWOW64\SystemUWPLauncher.exe
"C:\Windows\System32\SystemUWPLauncher.exe"
2⤵
PID:10444

C:\Windows\SysWOW64\systray.exe
"C:\Windows\System32\systray.exe"
2⤵
PID:10916

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10144

C:\Windows\SysWOW64\TapiUnattend.exe
"C:\Windows\System32\TapiUnattend.exe"
2⤵
PID:4252

C:\Windows\SysWOW64\tar.exe
"C:\Windows\System32\tar.exe"
2⤵
PID:11152

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe"
2⤵
- Kills process with taskkill
PID:10676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:1280

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5324 -ip 5324
1⤵
PID:5440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5300

C:\Windows\system32\dashost.exe
dashost.exe {39a9afa9-407e-4f54-9e345061bc37c7a5}
2⤵
PID:5520

C:\Windows\system32\dashost.exe
dashost.exe {edf89460-172c-418d-826fe65f3da35a1d}
2⤵
PID:6188

C:\Windows\system32\dashost.exe
dashost.exe {91dd5562-baf1-4aac-88061d80ef2a5c42}
2⤵
PID:6412

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:4316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1860

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6260

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:6432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:6788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:7120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8076

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3e5a2dac1f49835cf442fde4b7f74b88

SHA1
7b2cf4e2820f304adf533d43e6d75b3008941f72

SHA256
30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce

SHA512
933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6e15af8f29dec1e606c7774ef749eaf2

SHA1
15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97

SHA256
de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c

SHA512
1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d5187a0c3df950416369e758184a2a17

SHA1
6b360d27e793995dc0bac684daefb7e74242bf04

SHA256
560d2a06ca6f41845874d926c7c25019f4f783dcdb83385b348055e957a9a3ac

SHA512
4d20134f713d50c044045ddbeb254bdca59c9a3135623c885e79ec8d681924cbf754e6edfa90955a58108f6c347bb2cb507f34933311233eeb598fe423512e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7f833b357a89b71283503aaea75c0c59

SHA1
cb4623b475fb7fd81a4e272497ef7d5e311bd395

SHA256
d20babee9a812d71a1137b96a33e01dc2fa10b24a712ab171b2b7ce41bcbae59

SHA512
f65d8b9fbecc05006662c84b296ef50b4f1c31eff070dc675e91eb18834a4805699b9f70439b8d2abc80e1239e5e9229a3c80a1ceb93f6778685ceacb5f9b246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
be33c6b83c46c89bdfe766ea5878d3b8

SHA1
f92ba1f17cd512cbf3769c1a05b54a698e2cab7e

SHA256
7159fa9d3d02995d10a22a71fd0301a27bc33050027a4d4168c7323989d649e5

SHA512
23bb14669f82fa363b90b133bc08336fa6ccfc802b9dbf04a627f762a3eb278659a46d90d7d6fe9bae59c8e91afb1f1edcd1ba8ea04ded656b347bbbb637a0a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
512KB

MD5
d9403fb40cfea4dd4a74f2ad5f03cfac

SHA1
6f23b5f34c5ee194060a471546384f0ac0296f39

SHA256
d748266f0900159c1c1f8ceb74b9442965b86a19a17eee88961eb5d443c6f97d

SHA512
1f9dbc47f9172ecfb1547c0db4ad3b3d3fae892482da027e244bf53d0d5f95ba3f0594618d53f056ca82b0ee7235ccca01bfad97a7d9fe20ef2ece2a08045a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncClient.dll
Filesize
4.6MB

MD5
efce4ad20b267b830fe481f651a01cad

SHA1
0d16b8b951e34dd6c8f082428200e1eae364229d

SHA256
c9e1671633ed2e8a0cbfe02f982ae0e2ae41e979d13138408c5329a1282b01a4

SHA512
2efdf98e4a131efe721ef186d4f314b9c696b145a71cbdc9464f33264b73a26225515a413876afdb00439c117e1aaf0f4c36dd0f59172ba5e5d71d8c6b00e203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncConfig.exe
Filesize
433KB

MD5
744825e09c334ade152ce758b899f0ef

SHA1
880304dc61f1bb323c1db6ea46b804bd868fbbe9

SHA256
d6ef50b5d22c3bd1c9624f975b2a39bd3180e89a59f094becc7590efa2a6c79e

SHA512
95e64bbb4f58e0572abb76bb31e0205bdc98dca829bfb69028d9cff72052ffd317191baa28a7b52a6baec99ff17512f85cfe1cfae73aee2c84a2e1221802b37b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncSessions.dll
Filesize
3.1MB

MD5
fa5be2452f0c1abac5f547375ed0b642

SHA1
5a94fa5c36b9ac1e7416297663cd9f4deaf41b82

SHA256
8d6f3177af6201914dc5415b69e60058c33f424ef6ae0c4b8cce46588fc23334

SHA512
0c26c314365ae3f6da310b24229a84825cde96200eba6c5156208c640c155c3e99825188b789d870352a8f01d2ff6fa406c17dd337d5547c52e0997bfb057b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncTelemetryExtensions.dll
Filesize
27KB

MD5
9586b31345d24efb7aa9059726033436

SHA1
c60f3d47a4acd631476bc85ed05105e359d502c0

SHA256
b963d9193aa064a3ca6bf9b2a9ae498f33901a0ca261741a0fe9c0df4529aab8

SHA512
333343ffbbe051398db32d746b7d537fe08e0dd9f522a64e52b22ef632e8db3b70bf3824a459e02b8eedb9b720304d59a39026037debd60d76b8e59618c63582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncViews.dll
Filesize
2.1MB

MD5
eaa949adecd84b64c75dbf9ed3730a1b

SHA1
8420d12eedc5001576ffa309e6bf7ce5ac7e0fe6

SHA256
39713e62d5b7280ffd85414151fafe4711817872561be47d417e6b8fc6efaa11

SHA512
d97398390819bc58873d0a491f26f43a89a2ced001a725523caca8e3996a1ca7020290813a599f7f2de183d21c480eefadf4ac2732bc07d6f6502a0d59fd017c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogUploader.dll
Filesize
626KB

MD5
e76598a9081e6ef607753908ad65b1a4

SHA1
807d5202ffc1b867dd28ebe447c36d40682a6aa5

SHA256
efe42d4f15d60b65ef735de4cb46f3f65863311b5193a510167ed67169341e33

SHA512
d9c91356751971f171ebbea33249872372b0dc5eacc44462482420b5f8bc9b41c3e1e5efb12a02b6fc0fdbc4a29c0d1422a9af5e17a853c557e760664f525946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LoggingPlatform.dll
Filesize
310KB

MD5
55f9372e3c6951b5ee3a4e6cd248a35a

SHA1
d663527b11349e4ac6e78bf350af0032db6cb03c

SHA256
3c8f09d36d11aa745392e1d5f42afd9672b502869ab3d518ea715e1d31255d32

SHA512
018b1bc0270d02ab762a5c1ae24ff042959a59fc84032684eb819080c446214ad600fbbf9b2d60027920df88e04c65f7002823ae1b11c3dd92a427d6ad4dc5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-100.png
Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-125.png
Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-150.png
Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-200.png
Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-400.png
Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-100.png
Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-125.png
Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-150.png
Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-200.png
Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-400.png
Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\MSVCP140.dll
Filesize
431KB

MD5
bd329995813712d94d83f8d61228cd3c

SHA1
a4b4346a1cd6fec54fe41d6aaabcc9dd120d29a5

SHA256
a33550c04e81f849fed5077e8a02e72277974d41644480e0e2f6d17aad19beca

SHA512
6b1878263895064eb3c11c50fee754552f67cb6cee6fb6fb2c9dc96e96afacd2c3db53f8f0115447e0d3b87b7e7cda6ca79328889010c9fdcb8daaad8e2c0e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\OneDrive.VisualElementsManifest.xml
Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\OneDrive.exe
Filesize
1.9MB

MD5
4592abdea88598149b6edf0acdf725b5

SHA1
0429e6697b13435dfc8c2c631d17d3140493d1f3

SHA256
28611d106d449e08374d674a3876cfac799f3b57e19e2dc283612e03623aaf67

SHA512
f3acb79214f9113b6d137c819e3180d79c54fea2f64b698d4cdd5c7101b1e5102a116f8b5b13d94d3d05d1b39ba203240ef7b59143a47fce1396b65d664087c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\OneDriveStandaloneUpdater.exe
Filesize
2.8MB

MD5
0e5fd9e26ed643ca4bd7f16f725f9449

SHA1
baf005f55fa4f455b2dfee0901e14dac9bbbe4f4

SHA256
243b6499571730a5af85d90df9ebd089a1f82c7ff97a0cb19325d213b51b7c31

SHA512
3e4ccff546fd0afc7aeffa1a520d31b22a757cbb84bc1eace529d58b765f3de03b84d5ce659527bfee0ef94579eaf2fd96058128291eb56d4915a8d8f7a631f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\OneDriveTelemetryStable.dll
Filesize
1.4MB

MD5
955d9c7c659c95df3170beb55e0f220c

SHA1
ba2bb2a7951a9675dc56b33954ddc74f4b9ab53e

SHA256
fd187e6c9b58fb52515b4b396e407dd36c0a38a87179074be483748a88f6f528

SHA512
e8cc3804f05e12d51c78f84a03d26c2495489244e15256d2f0a0917039edf7ddf3ff6844d0693ab62b6def3f8f2fbb087ec904f7ea023f90caf53b478542530b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\Qt5Core.dll
Filesize
5.0MB

MD5
e7d523380f4f3a4cd162dbc9cf5f1c8b

SHA1
6b38a6fdb66833c767cdf43a5dc8637aed510a84

SHA256
3ac3eadee2d73655ad5dd103048c70f83e214f96c2816d7392369db04f185e60

SHA512
e9fa242195ad4389eccac08f5ae336357ed3f65afcaa363c16ff23154c3d17dfb5cc96cdd8359c3e24866ec62fff050b8b4357342f89eec1fdafe3a212d6a05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\Qt5Gui.dll
Filesize
5.3MB

MD5
c9f6e3c3064dbc245f261952a61ffb9d

SHA1
04c36d07229129a6d16abe76477eb12a1c836394

SHA256
d4aa2eef060af4852a1f735a837c40eda95ed57b8aa492de92821b30aec43ce4

SHA512
c0d819d30373b3f2112d7a4d755ce80a3d664da8bba78e75c809d0341fc9c67fd063604196531630fda055ec100318327f7bc0de0cb8ceea1bae6ee3b7a8de06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\Qt5Qml.dll
Filesize
2.7MB

MD5
ebe2ef5ae79118dee07f2a10b08eb860

SHA1
193ce9e5a7b8bfaa737c532f7993f9c34ea82b47

SHA256
f1f95ae0fa95a958359c26243f0f8384fc3687a71deba000e5c606542eb939ae

SHA512
6c92b63c2a8dc55e838a1dd33634fa0c1cde1f3bd75e85b4f270aa18e2b37c5aeffca40c495c6227be310406c9ca7d42511cd10310a4adb74ade5bb9aec781c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\Qt5Quick.dll
Filesize
3.3MB

MD5
447dd09680c82009644e6865200ed48e

SHA1
162fb525d1fd103c1b2f05b0f4dc5f153b716d20

SHA256
05eecf716032307ae42666178b31e221b9dd10456dfe7e517d938ae9ad8384f9

SHA512
2822a7b7872483c74c42b0f85c193bd0ac2610110d397b66121c9aa49d24f5f4ec70c834be21da32290ff1a8a86cfcc330a0135afeebcd4213f6be940b47c692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\Resources.pri
Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\SyncEngine.DLL
Filesize
7.9MB

MD5
59cecb8d0f5b2c3bf58f2358ff75a32f

SHA1
248efefe1c5105ca8a9298ea706ce098fadd6c57

SHA256
bea27e72482eeb9cfddc4881bd15c50abce02df72660c92d50b553edeeab5bd4

SHA512
b38436559dc39e294ea300cbafe700c962f9c55fdf5c2d68e841c5d8491885cc5e1df9adcac219a3f1157afa3fe91db0d1e6e3c2e210cb1c6e331ba4cc71fa1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\Telemetry.dll
Filesize
229KB

MD5
d8483a39b24a75f34212c7ae71cec197

SHA1
cbe708750a41d91d08e764a0ec524bd74e463e7a

SHA256
dd0f93390a524918ef4717278c8fd77f9793505a314675f74da54baf98bdb8b9

SHA512
d8ecfa2891a1cc4dd927854c0fc3f49ad7fe3402047d5db46379f4923e7aefb89fc63d52e88ebc74842cf9ec096dda9d07c9d65f9350421332dcded3df717aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\UpdateRingSettings.dll
Filesize
257KB

MD5
a87c3012257c1be3a0ce588dbd57ebcb

SHA1
1c9000b3870d0164118b416ca46f0f6db1c0c6d2

SHA256
2e778b9665472b80295361e649df2b10c3b08065bc013f954d9a8753f27c9b24

SHA512
e650a89c17d3a6c301dcbbf373ae2e34ed2cbcb45b78b30ac16426e76914ebf8f500b6880e4c291b56e3d52687ee4113f3002e78b08d14dedfbb3a36bb42e3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\adal.dll
Filesize
1.4MB

MD5
91cad78c36e2a519a21fa0a1bde4a8ce

SHA1
a539ab64e940079a82368bfa62b577d52fc70e97

SHA256
f4f6a395573ce52b9fd00a873bfa50ebcf67ea722d70ee68839690777acf0324

SHA512
4187e438a68b3986d377a6ed1c757b0d7432c71c7f7f6d59c7f961a10bda6fc99ed553d481204d401f822f05226f1f17e4bf5a6c5b893631c0531358e61d8e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\ucrtbase.dll
Filesize
1.1MB

MD5
030ffb87a16778bf1c8c6996e03df43f

SHA1
33c85868f847377d1786d79b46d72113e8be9404

SHA256
95dd07d8afab753b0dc19db8e81c9a1d1ce4bf9e598fb5cf3d9a403af540838d

SHA512
55f75f50fc2bd01ef059d5008a2070475c3c774615f1cec4b6eef128c04d0dd77e31a9d92b33b92d5a238de7aeda63bebf666d8afc060d4a6a5608a7973a254f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\vcruntime140.dll
Filesize
73KB

MD5
f135dfc5ac026c9b6a29854774d71d71

SHA1
65dd44ad62f23474d664567234abb619f19f2d39

SHA256
c9ccfacf80630f47611d65e370bf3148caf3d3b5d6604bc5d277220f56d78ab8

SHA512
19f0b4cfa76f13a91c4f6ccd8317b3b3c71e06cf8ffd1d3c2054ef7b8159f8ae65443de4a7d85efbb626e7db58de1d983054ad4cde56df4691a15361f08dc2f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
Filesize
108B

MD5
1cd0c2821a9cf116e4e0943c8dff4a03

SHA1
6c9104fb647e816336eb05841dfd00e38792ab41

SHA256
514ac822a4705678bde6a84196b26741d5ac43d9fab6a3f4442399f4d475d9c9

SHA512
bfa35a92170f5ab3ae9f3fba72ee76428c5fc24c36aec61e179180ba7d81d6282259827553d99fea66a14f55e0b54c40926ef2d8ddb9fc58645906e3e46d5113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
Filesize
77B

MD5
a8ec8da7a2b514ba12977dcc8f3291df

SHA1
c46683cc06db3087d9170df0a5a04868c7ded9a7

SHA256
24a2cebe4f588fe904832acae83972bd612f8e8d4a5c627270696e77d94d29b9

SHA512
508f9a0c3a5462882f4abb317f84c879d678e3b3f6102ea3e23b1be1b524ea800399729db8e0e927ae6422faa81a6f8bfa997588192dd7019cc2cc43f55d79ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\userTelemetryCache.otc.session
Filesize
20KB

MD5
be523753866bf6debb0f7fe9d33f3e09

SHA1
cd6171cb79513157520b456a858526e9039aa1e3

SHA256
649a242a7cc640eb78be329ed81bfedd2941839ef8aedcd27b82f19e04029c66

SHA512
6a4ceec21faac63e0ccec4e365dfb943313d4e00b81ea02d2f6b41e306bdb642a0b51a284574e1aa4c0c1181ff3a6bd307f7bb28c75ccdb7fdfc51c856d6bc75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P3J30ITL\update100[2].xml
Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2p54ale.eyn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-9588.log
Filesize
470B

MD5
937f8c795663ae70c3e19c9fa997783f

SHA1
b7abdff9fd27c67816306c33d45e2f08ac13393d

SHA256
f5046b952e03bc5fa8ea9b5d3b9b450f4076a4ed5d72be7f83538fc8c56d8020

SHA512
b9f42d46f94dfa6312f4086a89944d26c4eb76c6757c92175b8f41fe3be64981f888d90ab8f3e6008a779c3fc1a7f3037c8649089aa0a16dc9c2cff99149439f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39AF.tmp
Filesize
28.5MB

MD5
229821a67d5eec1d4752d27be470ca0b

SHA1
a2dc1262c72bc67c506787103099eea5d8fb15e4

SHA256
8569c7c5b51ca75401e73071dde7f76d0abe6187840114d131072b73cfcf7f94

SHA512
363610435a4a76c5f525f48d87b4dc49af9f6b1badab7bec55690551a4ea1f677339ee695fe960047bd561db629bc2486d621e3b460e89c33d7722c911b07d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD334.tmp
Filesize
33.1MB

MD5
162e0458395e973b8ec1894a050bc4a0

SHA1
28ad9acf285eeb849542baa6b7407e4a243bb33d

SHA256
3a6924971813e9cc3e1da01e150add8532de225ee25d618a080df847b64142b0

SHA512
4ae46bf949c4c40ddaa339ec7cd4b14d5a9479ffd4bbd6fe0edf013861dbf3b96d5a44e6b47aa2d95c6bd87c62932c62c3cee9009d7dee5b4c09ebbcfbb06957

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
13KB

MD5
ac0702ae99591769035266f19e735fc1

SHA1
c2524d78bc82c6bad281367834f8611bd4f9d266

SHA256
dbbab03aeed55210deb0b479ea69f550febcbb7c45dbb5f321531dc821d8af89

SHA512
3fd7f3b505eca9c5cd9f870d9d621faf39b5dd7a334c83a850a62162155aa45abefc4758985972b98604fdc3765fe5d7aa3a2e2179824ec0cecca0ec534a5078

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
19KB

MD5
34b6144e643f1b652f3cebe873fda61d

SHA1
8748a43a211112d9447e60f2ad75599a69efc986

SHA256
3af9547fbe77dece79d51c8332847b9b7fdfb2300f1e65d8fc69089cfa581411

SHA512
e31271a16c43238aa9532bffc4615c735e504ae6f06860dafa8537afd6817883b3b5b8cc9027269f9adb447a1369f3e82f6bd348aba2b3f4b8c8cf9da2b2d27e

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
12KB

MD5
df40bce78298bf7a99a0975fbb3be53e

SHA1
0d51887bad30d36fbd34e459184d122df7768ad0

SHA256
2b47819964d2b54c3b036404d1ac56ea572b6da0e568f4c83586aa5ac2a9d364

SHA512
b606cde694fd53dd6cbe41692bcf635f8c9b2294407ae85597a506f524ce5b927e20807a5b25f68d93ee6c34b8a314ccd44d294b896dbf655935f9f61fccfd08

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
14KB

MD5
9fb67a7bf10e0908f6ff9cc5d5f41c78

SHA1
5fa02250787d093dfbbf959c1a7233e59848b51b

SHA256
f26ccedb924a2037bd7805c64b6d463620cb934b9fc1b05108fcda840c56fe6e

SHA512
12484546c7ae8b789f5d5fd96dfce6232b1abca5f9837e558cdc9b4063574f1ef94dcc2f591a2da690f7fd730a17b4c2a04b145aaef67724132f25a5911bfeda

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
17KB

MD5
03f007bafa1e2136076d9e425026f8c0

SHA1
342d57a285a342a60254478ffc3efa967d8913dc

SHA256
47c55c505ad4987940ae353e7ef2fd9a9fe489fbc016960b15e04770cf03c9c2

SHA512
4673126c034eb105d646be71d76d8606dd2da2a18b3a9e2a90656a4bcf34c537aa339451f62f35afbb2dd4f41df28572208cc2c0565befd0dfb90172be24eec7

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
17KB

MD5
b6fe6a90fcc828a8704c95b4c3311fd4

SHA1
cbdc23bc16414f75cd45bd9d74ed1a63c7d92d36

SHA256
7475e2d6a57186b9cf5bee34ddb6aa72f341c29e2eddca8b5e60327cc853787e

SHA512
8e8758fcabe20cbcb1db6c7bb901e44c57669700a0ffe046ccea8c4af2406e83cc6d0ecf0c2a6ab04a013a1b8af6db9f5ebeb65f6588b88cc669f6074f57c3f4

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
12KB

MD5
1c9ddd0bf160c2be921b54b832ee55ec

SHA1
815afde9610a107c30e24f2fdb705a0bb89e3e21

SHA256
7ed846e3fb3d08437a1e996f2c2d3ba7e7f95350e4de6d08710be19eba87e7b7

SHA512
00c7a6828ce657f8f202fbf3a665e299894e5f8cb166a81959dc2e53987d3ee47fd4ffa9bcc1d52797b8c4a8426b70c1bf6e5aa4b75c23bd75d633af8487a621

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
14KB

MD5
8343d845c185bac62ed56c06313b14ca

SHA1
637a0f06e795ffce87d9e12dc59609bcd2f22dd5

SHA256
42064eface446fc9c5a795897e3aac6674ad7c544ae95bf5a7e118db0bdbb784

SHA512
b3830bf7cd6509a2d5ec12a567188be318adf2dbdf299936f868dbaad2fa49482ba7be91522e29afcc6a51de397d5c3724d11c94ad92a89e72158ef556de65f4

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
16KB

MD5
93a000e3b8acc60e7c8a0f06a8344146

SHA1
bbcb3d88dcc443357ce2f0a68f797bab47c8be20

SHA256
0181bc22c2885e5e05cfdd58830329f2649b54bff67c648668fe88f7202bac54

SHA512
75721b5c041d120d83314ebde186c1a2c6b3608225a88587b6cf42189aa663bbcd91bdb951203bbe5c1cfbd4bb99b2af13c1cb308c8b135be95acbea1e55fb40

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
47KB

MD5
d659a0dfdac7e0fc69e4da1138ddf834

SHA1
c1610df3f8ebea3f22c3a0d13b7a5bd15db3c711

SHA256
394bf54b7235ebe57090b9d9ab515ac554c780fd8e9e92023e436c6075530481

SHA512
c3cce4a262fbc56a35781a5f64de8d392c01f2f060b89f4b3f639cb2129c042cfd9c60afa2abd4c255e1d292031180ba8b96c8615d682e85ee6b6be7f91af85f

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
46KB

MD5
a9ca7b32415b8be194488cfd54a6dd29

SHA1
fb85b3d80ccdbad54f556e582fef0777119d4ef0

SHA256
49823424aaba6b2d5919fe330694e64a73df7edda66e7f7839ecd1df665d7045

SHA512
f2cbec1a505d527dfba282a11f77adfc28a0a1876a7f65b9fb71d2f12db1d950c4e0e8ed3aa77e4eed7ae46ce80fc38fd7481161b5188ccf0ed1c2be56618b15

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
46KB

MD5
ac4a2d363ac62daabf44e2a3b15f6bba

SHA1
b1e9bae2ee612728b5be9209d8ee78bc5740a2cb

SHA256
172528180a2ee00e6dcc67315ba3f9cefc25546b87120fb5246e6edaed361bc3

SHA512
9dce698a5b53026e0c4c31c72d89fa5ce29b33fef8573d6557822d5db9cebefbdb685e252adacd57124d84b8cb6c847a989f54b2483f82f616b2bcf15258c69b

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
47KB

MD5
c57805f6140be7a6a5269c2afa6ca81b

SHA1
17c4bf0e538578da2c89febe6f3e125177c8b875

SHA256
473364f268a957d23e257b57ae23672fde64734f9a5c3633f8a17d9abb01da5b

SHA512
02fb543609d52b7e5fe7a2eb03598304435598729a19906b92e6e9dca77532ea5b4f61aeaa09a6f3fe0979774a34f7d8658826e8f0526d142f7d2893a8ea9755

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
547B

MD5
062f6569e742f6175108e6c8b568308f

SHA1
29fb3fedc21a016792f90b2e3843f5deffa06fe5

SHA256
af693054c59c1e2e90cf26f537050e252c946dd492ede2051122894720b161c6

SHA512
fc5ef33b68e9d6508d01990f47a5b359dddb69ed9ac48a42ebbc36db00c06b47d11300c035498c3c16b35735eef32bdf0a4ef74e0429d79e9f3a2d0e76ec6719

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
827B

MD5
384eda7830e6dc22d36e10d16db0cce1

SHA1
990d35ce13566277dbae8aa0188636e97b4de603

SHA256
5d189c03b9939d1235859de342609e9d410bd45a78cbd51131ec07c7c1086c76

SHA512
d2ad873ebd514dc57f5885764083c812dec8bada2238f5dd258029e91f4cbe533c762ff53141c90e55b1e1b46673415bfb2dd1df5662c7ee2bc1ed99218f46fc

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
1KB

MD5
59fc64575c1e8bf05fb13f666288c7e3

SHA1
455d1e0fbd36dc0960e66869af1a14acabe9656c

SHA256
0f0ab993e5037c73ff2238d1134a7990793b78e87c753383a382c658c1a392c1

SHA512
ae76c6c99d07b53f07ac375a1bd230cf0bf896f95348c9120fa3b1c0a9c4f59576c923bb4de293abdece9de8817fba17709e5ad31102db1d6170d46d9b8f0d95

Download Submit
\??\pipe\LOCAL\crashpad_7232_PWKBQQMUXGUIZGUI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/6032-164-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6032-1-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6032-159-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6032-69-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6032-68-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6032-63-0x00007FFA38D00000-0x00007FFA397C2000-memory.dmp

Filesize
10.8MB

Download
memory/6032-165-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6032-166-0x00007FF412E50000-0x00007FF412E60000-memory.dmp

Filesize
64KB

Download
memory/6032-4-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6032-2-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6032-0-0x00007FFA38D00000-0x00007FFA397C2000-memory.dmp

Filesize
10.8MB

Download
memory/6032-5-0x00007FF412E50000-0x00007FF412E60000-memory.dmp

Filesize
64KB

Download
memory/6032-3-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/6288-70-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-67-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-65-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-66-0x00007FF4DDA60000-0x00007FF4DDA70000-memory.dmp

Filesize
64KB

Download
memory/6288-332-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-252-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-239-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-241-0x00007FF4DDA60000-0x00007FF4DDA70000-memory.dmp

Filesize
64KB

Download
memory/6288-242-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-240-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-238-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-233-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-232-0x00007FFA38D00000-0x00007FFA397C2000-memory.dmp

Filesize
10.8MB

Download
memory/6288-64-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6288-61-0x00007FFA38D00000-0x00007FFA397C2000-memory.dmp

Filesize
10.8MB

Download
memory/6288-62-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/6724-1223-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download
memory/6724-1256-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download
memory/6724-1228-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download
memory/6724-1247-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download
memory/6808-45-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/6996-78-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-73-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-83-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-72-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-71-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-77-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-79-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-81-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-82-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/6996-80-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/9796-1240-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/9796-1206-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/9796-1208-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/9796-1232-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/9796-1241-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/9796-1235-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/9796-1209-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/10412-1163-0x0000000003A00000-0x0000000003A10000-memory.dmp

Filesize
64KB

Download
memory/10892-1230-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/10892-1196-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/10892-1224-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/10892-1199-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/10892-1198-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/10892-1221-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/10892-1231-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/11116-1322-0x000002349A680000-0x000002349A690000-memory.dmp

Filesize
64KB

Download
memory/11116-1326-0x000002349A600000-0x000002349A624000-memory.dmp

Filesize
144KB

Download
memory/11116-1325-0x000002349A600000-0x000002349A62A000-memory.dmp

Filesize
168KB

Download
memory/11116-1323-0x000002349A5C0000-0x000002349A5CA000-memory.dmp

Filesize
40KB

Download
memory/11116-1324-0x000002349A680000-0x000002349A690000-memory.dmp

Filesize
64KB

Download
memory/11116-1311-0x0000023480000000-0x0000023480022000-memory.dmp

Filesize
136KB

Download
memory/11116-1312-0x00007FFA38D00000-0x00007FFA397C2000-memory.dmp

Filesize
10.8MB

Download
memory/11116-1321-0x0000023481DF0000-0x0000023481E12000-memory.dmp

Filesize
136KB

Download
memory/11168-1212-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/11168-1252-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/11168-1251-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/11168-1244-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/11168-1217-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/11168-1215-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads