fc7309880e86d6a173d6fc8f16ee23ab64470d87730b9db762c239a600cb5c8e

Analysis

max time kernel
848s
max time network
850s
platform
windows10-2004_x64
resource
win10v2004-20240426-de
resource tags

arch:x64arch:x86image:win10v2004-20240426-delocale:de-deos:windows10-2004-x64systemwindows
submitted
30-04-2024 14:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

nayuka.html
Size

11KB
MD5

590fc016ccd46b4eecadb75f90960fcd
SHA1

b2904ccb6ab5cad0c7e71f649b931f38ea4797c5
SHA256

fc7309880e86d6a173d6fc8f16ee23ab64470d87730b9db762c239a600cb5c8e
SHA512

ad63af90a0eeee63c03675ed92714842cd087c422fdbe3d3d0e85d6562394599b665e7c413529c34a790d6b6c64a591f56af40e855fd65aa8dc31b52aaaa3a14
SSDEEP

192:FKlKHKpsvzpRr8n/lu39WLyi0yThrHSCw:lVRI/luNiyi0OhrHSt

Score

10^/10

agilenet discovery evasion exploit persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\""	wscript.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1268 takeown.exe
4172 icacls.exe
1304 takeown.exe
2084 icacls.exe

pid	process
1268	takeown.exe
4172	icacls.exe
1304	takeown.exe
2084	icacls.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MrsMajor 2.0.exewscript.exeGetReady.exeOneDriveSetup.exeMrsMajor 3.0.exewscript.exeMrsMajor 3.0.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	MrsMajor 2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	GetReady.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	MrsMajor 3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	MrsMajor 3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 20 IoCs

Processes:

winrar-x64-700.exewinrar-x64-700.exewinrar-x64-700.exeNRVP.exeNRVP.exewinrar-x64-700.exeOneDriveSetup.exeOneDriveSetup.exeFileSyncConfig.exeOneDrive.exe7z2301-x64.exeWinXP.Horror.Peacful.exeMrsMajor 3.0.exeeulascr.exeMrsMajor 3.0.exeeulascr.exeMrsMajor 2.0.exeeula32.exeGetReady.exenotmuch.exe

pid	process
2820	winrar-x64-700.exe
2208	winrar-x64-700.exe
1624	winrar-x64-700.exe
2988	NRVP.exe
3448	NRVP.exe
3968	winrar-x64-700.exe
4484	OneDriveSetup.exe
4104	OneDriveSetup.exe
380	FileSyncConfig.exe
1664	OneDrive.exe
572	7z2301-x64.exe
4504	WinXP.Horror.Peacful.exe
3788	MrsMajor 3.0.exe
4464	eulascr.exe
2708	MrsMajor 3.0.exe
3868	eulascr.exe
2988	MrsMajor 2.0.exe
1492	eula32.exe
4536	GetReady.exe
2568	notmuch.exe

Loads dropped DLL 40 IoCs

Processes:

FileSyncConfig.exeOneDrive.exeeulascr.exeeulascr.exe

pid	process
380	FileSyncConfig.exe
380	FileSyncConfig.exe
380	FileSyncConfig.exe
380	FileSyncConfig.exe
380	FileSyncConfig.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
4464	eulascr.exe
3868	eulascr.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4172 icacls.exe
1304 takeown.exe
2084 icacls.exe
1268 takeown.exe

pid	process
4172	icacls.exe
1304	takeown.exe
2084	icacls.exe
1268	takeown.exe

Modifies system executable filetype association 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

OneDrive.exeOneDriveSetup.exeOneDrive.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4464-2625-0x0000000000990000-0x00000000009BA000-memory.dmp	agile_net

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

OneDrive.exeOneDrive.exeOneDriveSetup.exeFileSyncConfig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\WOW6432NODE\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileCoAuthLib64.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /autoplay"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\NRVP.exe	upx
behavioral1/memory/2988-628-0x00007FF754400000-0x00007FF75440C000-memory.dmp	upx
behavioral1/memory/2988-632-0x00007FF754400000-0x00007FF75440C000-memory.dmp	upx
behavioral1/memory/3448-652-0x00007FF754400000-0x00007FF75440C000-memory.dmp	upx
behavioral1/memory/3448-656-0x00007FF754400000-0x00007FF75440C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

OneDriveSetup.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\""	wscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
80	drive.google.com
184	drive.google.com
55	camo.githubusercontent.com
78	drive.google.com
79	drive.google.com
293	drive.google.com
294	drive.google.com
300	drive.google.com
340	drive.google.com
54	camo.githubusercontent.com

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDriveSetup.exeOneDrive.exeOneDriveSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\taskmgr.exe	cmd.exe
File opened for modification	C:\Windows\System32\sethc.exe	cmd.exe

Drops file in Program Files directory 37 IoCs

Processes:

wscript.exe

description	ioc	process
File opened for modification	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\checker.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\bsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majordared.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\rsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\Major.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\example.txt	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDrive.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

NRVP.exeOneDrive.exeNRVP.exeOneDrive.exeOneDriveSetup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000"	NRVP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\IESettingSync	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	NRVP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000"	NRVP.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	NRVP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	OneDrive.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133589604712232641"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

OneDrive.exeOneDriveSetup.exeOneDrive.exeFileSyncConfig.exe7z2301-x64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\HELPDIR	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\odopen\ = "URL: OneDrive Client Protocol"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\ = "SyncEngineFileInfoProvider Class"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\WOW6432NODE\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ = "SyncEngineFileInfoProvider Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\ = "ErrorOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\CLSID\ = "{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\WOW6432NODE\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\ = "FileSyncClient Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\PROGID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\TypeLib\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\ = "SyncEngineFileInfoProvider Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe\\1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\odopen\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\WOW6432NODE\INTERFACE\{10C9242E-D604-49B5-99E4-BF87945EF86C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\VersionIndependentProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_CLASSES\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib	OneDriveSetup.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

4860 OneDrive.exe
1664 OneDrive.exe

pid	process
4860	OneDrive.exe
1664	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

chrome.exechrome.exeOneDrive.exeOneDriveSetup.exeOneDriveSetup.exeOneDrive.exe

pid	process
4008	chrome.exe
4008	chrome.exe
4532	chrome.exe
4532	chrome.exe
4860	OneDrive.exe
4860	OneDrive.exe
4484	OneDriveSetup.exe
4484	OneDriveSetup.exe
4484	OneDriveSetup.exe
4484	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
4104	OneDriveSetup.exe
1664	OneDrive.exe
1664	OneDrive.exe

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

Processes:

OpenWith.exechrome.exe7z2301-x64.exeOpenWith.exeOpenWith.exeOpenWith.exe7zFM.exe7zFM.exeOpenWith.exe

pid process

4508 OpenWith.exe
4008 chrome.exe
572 7z2301-x64.exe
396 OpenWith.exe
2648 OpenWith.exe
4848 OpenWith.exe
180 7zFM.exe
3444 7zFM.exe
2900 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

Processes:

chrome.exe

pid	process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeOneDrive.exeOneDrive.exe

pid	process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4860	OneDrive.exe
4860	OneDrive.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4860	OneDrive.exe
4860	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exewinrar-x64-700.exewinrar-x64-700.exewinrar-x64-700.exeNRVP.exeNRVP.exeOneDrive.exewinrar-x64-700.exeOneDrive.exechrome.exe7z2301-x64.exeOpenWith.exe

pid	process
4508	OpenWith.exe
2820	winrar-x64-700.exe
2820	winrar-x64-700.exe
2820	winrar-x64-700.exe
2208	winrar-x64-700.exe
2208	winrar-x64-700.exe
2208	winrar-x64-700.exe
1624	winrar-x64-700.exe
1624	winrar-x64-700.exe
1624	winrar-x64-700.exe
2988	NRVP.exe
2988	NRVP.exe
3448	NRVP.exe
3448	NRVP.exe
4860	OneDrive.exe
3968	winrar-x64-700.exe
3968	winrar-x64-700.exe
3968	winrar-x64-700.exe
1664	OneDrive.exe
1664	OneDrive.exe
1664	OneDrive.exe
4008	chrome.exe
572	7z2301-x64.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe
396	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4008 wrote to memory of 212	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 212	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4600	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4564	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 4564	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe
PID 4008 wrote to memory of 3568	4008	chrome.exe	chrome.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\nayuka.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7559ab58,0x7fff7559ab68,0x7fff7559ab78
2⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:2
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4420 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4812 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3184 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3452 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3076 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1648 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2380 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5620 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1548 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2096 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4176 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4656 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5596 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5188 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3200 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5492 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5020 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5976 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4156 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:3992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:2188

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6136 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Users\Admin\Downloads\NRVP.exe
"C:\Users\Admin\Downloads\NRVP.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=4124 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=4380 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=736 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=4644 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=3120 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3076 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5844 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5856 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4724 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2348 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2352 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5888 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:5020

C:\Users\Admin\Downloads\7z2301-x64.exe
"C:\Users\Admin\Downloads\7z2301-x64.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=4660 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=5992 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=6076 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=1068 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=6216 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=4968 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6272 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6408 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=6520 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=2488 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=4828 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=5784 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=5304 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=5848 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=4776 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6608 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6620 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=3192 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=4820 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=6292 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=4828 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:1
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 --field-trial-handle=1764,i,4401780222447063821,13537941241648522260,131072 /prefetch:8
2⤵
PID:112

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0b94125fa96d4deaae8133054f005fd4 /t 4216 /p 2820
1⤵
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5028

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4f7d208c58c1411a92aa925a8a3bc932 /t 956 /p 2208
1⤵
PID:380

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e82b3b9c188544179839b4e5a406eefd /t 3728 /p 1624
1⤵
PID:228

C:\Users\Admin\Downloads\NRVP.exe
"C:\Users\Admin\Downloads\NRVP.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Checks system information in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:380

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks system information in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6ccb58042e0f46efafa4d32ea0dca44a /t 4808 /p 3968
1⤵
PID:3624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2440

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\WinXP Horror Edition.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:180

C:\Users\Admin\Desktop\WinXP.Horror.Peacful.exe
"C:\Users\Admin\Desktop\WinXP.Horror.Peacful.exe"
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4b8
1⤵
PID:3596

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\MrsMajor 3.0.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3444

C:\Users\Admin\Desktop\MrsMajor 3.0.exe
"C:\Users\Admin\Desktop\MrsMajor 3.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3788

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\559.tmp\55A.tmp\55B.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:2368

C:\Users\Admin\AppData\Local\Temp\559.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\559.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4464

C:\Users\Admin\Desktop\MrsMajor 3.0.exe
"C:\Users\Admin\Desktop\MrsMajor 3.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2708

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6DD7.tmp\6DD8.tmp\6DD9.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:4712

C:\Users\Admin\AppData\Local\Temp\6DD7.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\6DD7.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2900

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap19086:82:7zEvent7798
1⤵
PID:404

C:\Users\Admin\Desktop\MrsMajor 2.0.exe
"C:\Users\Admin\Desktop\MrsMajor 2.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2988

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DAE5.tmp\DAE6.vbs
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Control Panel
- System policy modification
PID:1132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe
3⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\eula32.exe
eula32.exe
4⤵
- Executes dropped EXE
PID:1492

C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
"C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4536

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\20C7.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""
4⤵
- Drops file in System32 directory
PID:3880

C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1268

C:\Windows\System32\icacls.exe
icacls taskmgr.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4172

C:\Windows\System32\takeown.exe
takeown /f sethc.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1304

C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2084

C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe
"C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"
3⤵
- Executes dropped EXE
PID:2568

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 5
3⤵
PID:3296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ff855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
Filesize
52KB

MD5
57f3795953dafa8b5e2b24ba5bfad87f

SHA1
47719bd600e7527c355dbdb053e3936379d1b405

SHA256
5319958efc38ea81f61854eb9f6c8aee32394d4389e52fe5c1f7f7ef6b261725

SHA512
172006e8deed2766e7fa71e34182b5539309ec8c2ac5f63285724ef8f59864e1159c618c0914eb05692df721794eb4726757b2ccf576f0c78a6567d807cbfb98

Download Submit
C:\Program Files\MicrosoftWindowsServicesEtc\NotMuch.exe
Filesize
122KB

MD5
87a43b15969dc083a0d7e2ef73ee4dd1

SHA1
657c7ff7e3f325bcbc88db9499b12c636d564a5f

SHA256
cf830a2d66d3ffe51341de9e62c939b2bb68583afbc926ddc7818c3a71e80ebb

SHA512
8a02d24f5dab33cdaf768bca0d7a1e3ea75ad515747ccca8ee9f7ffc6f93e8f392ab377f7c2efa5d79cc0b599750fd591358a557f074f3ce9170283ab5b786a1

Download Submit
C:\Program Files\MicrosoftWindowsServicesEtc\example.txt
Filesize
302B

MD5
8837818893ce61b6730dd8a83d625890

SHA1
a9d71d6d6d0c262d41a60b6733fb23cd7b8c7614

SHA256
cc6d0f847fde710096b01abf905c037594ff4afae6e68a8b6af0cc59543e29bb

SHA512
6f17d46098e3c56070ced4171d4c3a0785463d92db5f703b56b250ab8615bcb6e504d4c5a74d05308a62ea36ae31bc29850187943b54add2b50422fb03125516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
69KB

MD5
86862d3b5609f6ca70783528d7962690

SHA1
886d4b35290775ceadf576b3bb5654f3a481baf3

SHA256
19e1a1ad6c54fc29a402c10c551fa6e70022cefca6162a10640ee7d9b85783ed

SHA512
f0746c23a06effd14e1e31b0ea7d12156ff92b1f80445aa46e1a4c65cf5df4bc94f6dabe7aead01f1bd6a6c7b851b577a11697a186426a2c8dca897c48515ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
Filesize
323KB

MD5
4690862fd8f2b6582616d70007b4e8a8

SHA1
5fbcc15ae16f2a76df370a43cda5327a293e0e12

SHA256
5298e4fc423c2ca3abf86e70c93a79581b47119d51a512ed9b49562d46104425

SHA512
c2633720620c16955d30ff5576484379bef9ca3dd753c7b05a988ed6de2aeb961c50043e5533dd37a471522b4cb76b67b8baf844737f2f79d9aa6247a3830306

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
138KB

MD5
5d4abccdf0eeb9e35be7e2b7b8d684d7

SHA1
c21fb4b0dfbde8561828138b00b2b7a8ee1b0f48

SHA256
12268ded921978959612f1449f7468cb6c510d3e607d27710e36d9d9d562114d

SHA512
3e7ab97f545b71c7e7049eb87a774951a8d6caae33d75b421ed0fb05c22178b290813e083da037023128087f73c1481beb049a02cabe749fd7efce4b75f267a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015
Filesize
44KB

MD5
2b312fee4bff7fb9b399aa619ae1811d

SHA1
cf5e3270ef62ea6ce023f9475dbf7ed67e10527c

SHA256
fd5fb41882dfe849ea47547bf38b9abc435683d7473703b4cb37e8c28b1de4cb

SHA512
3a42c3a12da46656d8dca9b54651027873f42d2ec2e6e706a41b4b520d387f0c3c0388e3d117bd49174d7074079f3404c00b6141c8dd22d38ef1a257f52a9791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016
Filesize
24KB

MD5
e1831f8fadccd3ffa076214089522cea

SHA1
10acd26c218ff1bbbe6ac785eab5485045f61881

SHA256
9b9a4a9191b023df1aa66258eb19fc64ae5356cfc97a9dda258c6cc8ba1059ac

SHA512
372c486ac381358cc301f32cd89b7a05da7380c03fa524147c2ddf3f5e23f9b57c17485aaedc85b413461a879afc42e729547b0c96c26c49bbdb7301cd064298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017
Filesize
48KB

MD5
0c2234caae44ab13c90c9d322d937077

SHA1
94b497520fcfb38d9fc900cad88cd636e9476f87

SHA256
d8e6f62282e12c18c930a147325de25aef1633a034eaf7a3ce8de1fb8de09912

SHA512
66709f74b19499df1e06700e1c257e14a82ca4287194e4b177b3f333748d927f413c8c459a35e7e5a2f92d28410b0129f106d94e3dd85bc0dd0b986add83b18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018
Filesize
24KB

MD5
8278023fac368f67d8b83512b48cf0f9

SHA1
cfbb90dea9e8a9df721806c7d49eff44166b2197

SHA256
1e62f0399a3c5a499b3c93622608d15d3948c3c335359bc695bf3522b03fd48d

SHA512
e04ba7a9402379c064bf5707a5fbe3e5ea6de978b1ad50d38f9b30bef47dbb761f0f8461de8cfaf7c33779dbb47fcf4df7fe387d12fbbf899f7530f6f63a340d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019
Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize
65KB

MD5
c82fbaa7e5113d3ed2902a3500ec8631

SHA1
c9b4889980899c0f2aea9ac8d0bae28b59e6add3

SHA256
4f4e25ef0961b656039ed8628951b5ff6c0a197f8866374b5937e182b12ff278

SHA512
fc3227c51b9bdcf0917b040aeaa925795e153c7a78469b7e1c87717c1664f46208e5fc3e413f93724ef0fa94aea655db55f04c5a61dda0df737c25b75393136d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b
Filesize
59KB

MD5
063fe934b18300c766e7279114db4b67

SHA1
d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd

SHA256
8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e

SHA512
9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c
Filesize
21KB

MD5
ebc633a368f3fac0b50f7a240f5c9b9e

SHA1
8e6931ee9534a5df409e6781500de861d1901051

SHA256
8213ca3eccc92b35c7cebec3680fb15cc6e77a1929dd50fd4de0f94da1ccdc18

SHA512
96df3569e12d2c0ed7e8292d0f65e87503fa0adef302d944fe5c60afc8877938bce64e81506f4c716c0a5df0f490e43f115811a721d59d6258738f45c3151fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d
Filesize
76KB

MD5
b4f8ab9d9555c37e049ba9405cba8275

SHA1
523280d8afb9c582a2f7f8d2229e059f8ceddabb

SHA256
8d8884b7d6702301ae65aab1255a42a377130cacd1c3f23f26e2404be1407f51

SHA512
7a1cac6bfcf617a2e3f18380dfaa415e3a2890fae62377b35bf8b49121414f3d4977ab04af14eaab4bd73838db4800fc39edd9cc0755b81313f3583a21e47900

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e
Filesize
151KB

MD5
7739350f11f36ec3a07b82584b42ab38

SHA1
d97e0e76a362e5fce9c47b7b01dab53db50963d8

SHA256
d84e9971e8c344b9ff5a5968e7252270757f211f0d408e26c12693729068ed75

SHA512
2cb436985e382ec17390a1f8a7c112bdf18206c66d845934a14f9c84781200828e05c57cef5d4128a9d9b96778042ecb7ba2c031563c78ee9b8ec41accf8a537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f
Filesize
21KB

MD5
9ccb3e387ecf1d1c32d33a33b61db8f3

SHA1
9d6625afcaa4d6bfe223268ccf82ff32ea9532a3

SHA256
3d34b64d0099f608de0e555d46338252a99d36f2a25af7180702c9966621fa0b

SHA512
05c3d41fd4115bd66c1a938ad644424f8df93f96ae27004c800e43acbc4b23568456574ceba605ea696fb594585811fedd0f9ec547a697344479e4d7516f65f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020
Filesize
108KB

MD5
826fcef324d65bd4a1b93dc7af769869

SHA1
4074d8fc7df0cf0cb5c3e138c5df35f1735e97f6

SHA256
a54dfae13e9513450a112297c99be623f1a28b67054241ca7f8ccf377c01f85b

SHA512
02f36af602df751ba533518478ecb035a1051612414e09745358a4c6d6c269bfd2aee3a8a13367ee81edd306abf36c7c0acb0901cfc7a682a3e48ed031e978c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000037
Filesize
293KB

MD5
fa9fd3e0c2a15857ba2d61b0ec843a39

SHA1
1ee6afef028e17a5476bead89fe04ff2cd7da33f

SHA256
bb45351f8fac1e028f0f2043d690b477b82059d23e7f9f9e7cf45f84272bfcb0

SHA512
5757e0a3754c181ab9b808c18877bdc04d77dabd0ef98d39408902bb7b33036c476505f80f98ee1a3b6f8c73949e7544f3f7f3523c712dc2add96072cc11149f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038
Filesize
75KB

MD5
02b75f12d9ab0ba9129b7da04ff62fa3

SHA1
9e692b3fbb6b0170576d03130f866661ce4cf088

SHA256
3ef9e257265af8abcac966a17ba46d3dd99fd04ced53224323ccb25d0ffc772c

SHA512
14bd1d8c599f267e940d9b39fc867328d3c0697fd80033a2a850c777e4275bd174e0272d341b6a2eba45d877349624ca3de634edbac358249fa43a9b59a84dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000039
Filesize
554KB

MD5
89481e75b67ee048157ee600c1dcdb92

SHA1
3047024a381a3fb8cdf73501e419f0e8a5cf4a89

SHA256
e37291e5d867414851ab9474e26306d66ff83a87fbf2526c93563483ade38744

SHA512
8197b90c46b0fbc2c003ab50bf1bcbac8581b3203faf93fdd5b8ef1a8e6527e437a5cb63330070b96c287dc871887004e0a217fd56b1f5a2a852d453c64bd128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a
Filesize
36KB

MD5
cbbb5585439fb87a279a9bd5e725f089

SHA1
76dd9614fc2a2fee100aae142335f3fa755fc034

SHA256
08255d8744f3aa6f653286ba6071b83b9bcaf0f11c2386bf7a1ece7ee49195cb

SHA512
367c9a05e6bf82ec8045460c55572a81ceace69c075e05818691644331f3adcd114cd194c242ccbcc3ca15a85aaf6fae955162ad016a2c32fe69e3a3c4bdf0e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003b
Filesize
40KB

MD5
5ce7bdeeea547dc5e395554f1de0b179

SHA1
3dba53fa4da7c828a468d17abc09b265b664078a

SHA256
675cd5fdfe3c14504b7af2d1012c921ab0b5af2ab93bf4dfbfe6505cae8b79a9

SHA512
0bf3e39c11cfefbd4de7ec60f2adaacfba14eac0a4bf8e4d2bc80c4cf1e9d173035c068d8488436c4cf9840ae5c7cfccbefddf9d184e60cab78d1043dc3b9c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003c
Filesize
69KB

MD5
4f3b132bf6bd1b8f0dea4f843db85a86

SHA1
eb9f5bbaba00f54ea18a26a04dbb89e7065f0537

SHA256
b26293d7e764ed4d2825d08098e4f0fd60d920dd2017d88eb7096cf1cc1d012d

SHA512
1c6c96302c2d5c5ed4b4ddfd664187c429eb6c67b02659ee5c8b04a9efb676c91c8ec5e02ec1a67bf77af9dbe378a71d59219b9f7195c3505c0a341305160fbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003d
Filesize
48KB

MD5
fee6c6f3f2bdc4efbb6762c1cd4d6d18

SHA1
e6d35b4182a999ec8ccd3f766f1d97213ca35fe9

SHA256
91f81ac16ef2da0e02f40d46fd26a05dcbfa46e86a90eb8a366de34732cdfbac

SHA512
05c13641f04a43d53f5ebba9a9d1f71ed082a940b3fe4643dea65ccb09cb90c28757fb060f3dcec62681c79163cab66aef8a48407eb7b0501db3e47679cdce74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003e
Filesize
33KB

MD5
1aca735014a6bb648f468ee476680d5b

SHA1
6d28e3ae6e42784769199948211e3aa0806fa62c

SHA256
e563f60814c73c0f4261067bd14c15f2c7f72ed2906670ed4076ebe0d6e9244a

SHA512
808aa9af5a3164f31466af4bac25c8a8c3f19910579cf176033359500c8e26f0a96cdc68ccf8808b65937dc87c121238c1c1b0be296d4306d5d197a1e4c38e86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000040
Filesize
283KB

MD5
dc761cb0b052d96999305d85b6b8c955

SHA1
f35b65ac1e07bf4b8a5d5282dfb03c5f45dd668e

SHA256
0910cef704bc59f2d073a12cd9eb7edddd62caadce85a462595593d6b6659f1c

SHA512
650c03f8d9c46a995ae06991b2fcc0a6e05e9958d5eeb333d92bba310caac552ae3299ddef998585b41be376267b43b902803ac702f404c400a5a56a46ffc795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
2KB

MD5
e7da1b88adb4bbb75b57a590f0aeedb0

SHA1
0ab50a77b15d56f164026b3111a2315613cdb5fd

SHA256
fedef805c726305e90c28fbbc97d705bfb0524e9ebe3261527df5c6b7bd93c0b

SHA512
eaf0ac91d84bc263e26034c67826e205a641d20750d7c9bd4d47d987fbff08f85596296fc55f625f11839302947c3e9c8db3acb38152e3152b32fb9fb2bf1771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
c56af099a5443eb471af6345731b174d

SHA1
f4c0034b04cab5f082e89883a3101c85de68b599

SHA256
aba8b6a419853490b67f5fcea35cf798a9a3cea5aedc08b0e8f4a91e75547f9e

SHA512
4a7edab83c9dc03039a257e1eeb53a2397417f21a70deaaf86b9b08ab1f42dd0059bab3399d0a78d16799ce4411b3edd793dc8841250a1d4db685fe69e97d12b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
daaa301241321e59915fcbff82ce1276

SHA1
842cf172569da61f3ae67c8f8edccf9257abc955

SHA256
a3f5c516341fcbde4c9196c0c4c54ad5c85125ac117ed29561c1cf3b6e3bb6f4

SHA512
a37d5dfeb9cfe89789b76a44b159376ada7b05cfb477f57a2369823e9c6a79bf2d714fa6f2f2e521425453ba097c1fea966d663f331b11e4e48532fc9f10c442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
d2665c6f9c7e322920a5d86e15e19d6b

SHA1
4b104fb195e7a0c4766606927360ab8b82900d78

SHA256
d6367ecd36d68d1e97904c5a1cea07fd782237a8a349391c03b87dec82bcd78f

SHA512
9ce7906625c52d758209281e8dbe7a34006b6b4426ada23bcccfcf52e383ddbd90c39943da0d96d2ee7e5c6d52c39678073f0e74643b99bea2e7f1aab2b79685

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
0f2eae82e5020f653b039c5b66058dde

SHA1
acb47d02e41cf7a215bf3772fc298c47bb6356f5

SHA256
ebd846cd717b7b6eb96c9f42b629caaf6faabca4706342057538e6626f357e32

SHA512
ed185b2930d9693ee1bd85204342069bb1353c2ddf744f454e5dd50311c85ab2091b4b4120b8bdf4779741e2e828af65f677c6008d05487d8ce4c28a49c972f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
692f09119891a8a2f5340c3377d4f88b

SHA1
64951766358efd97a49f09c3be465b13f4f2e4a1

SHA256
5681196953092769de58f7cf5a4b98a8dc4b44c77d2797c66d6f73c265cb731c

SHA512
7a91550f8fc7ffb482c75646697e6d8853ab6196b7978c6b12aa1bf18593e9f2de58b941172845a69a827e851f4ab9c7bc49b5e04ff66a0d73b4bba203f06fd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
fb4c04bf2e4e1eda522e9634a2b0c820

SHA1
14ced0baca252020963286f4132c2e004333fae1

SHA256
16b54525c0c936a61ecf8f2a6cdd22299dc73e353ff22f993ea0f5c5339c4d5a

SHA512
d3d56dd27a7354ad3723c8eb64e36e36259a04707f5fbfe9bf1644eaac881539d183f89e48f0c9297d2fdeda9bb808ea5c645efaa3cfc89a01600ba679843da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
0e65b1f0eeb394612a8904f53d7eee7b

SHA1
97aeaf50124c52cb1f5b803204858f0de9f9976f

SHA256
8f9ea03a7ef803fd1c3d56d5bb704b6e611d2d7f4e47c8fe19d1964426344f0b

SHA512
beb362354a26a7b82c4c283791c4b8ce71edb843fc89aef09c0e38a958631a4895eb3b0b641af56f7993e21c23ed125546ba74df4145fbfe67ef345389b784a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
bbe0634b801261e605f02ef591c903b6

SHA1
08acbecfe8fb7ad7feb3e5da72c7493005d84490

SHA256
a4682179c8c2b37d14e1b6152ded9c9ed325778339e177564eb02036cabe8b1a

SHA512
8ca306df173703627cee7d179e43338487923b042d403c6fe9015cacea34e248c9d1bcae1e9b2abff841768efc3dc741d287d28469c4fa3585d657d8cc8b41cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
1e57561c1ba9ccdfb45b8ed15bb64c38

SHA1
72a99260d7395770688c024459bfd56feda1a2fa

SHA256
1fc58aa1e15f79f7163f73050d581d8e4d99e7b5426d85ec44d5a2654fe4dd69

SHA512
c25cf6bbfab735ac3e643644560eab346d0a57976879e7960a09184bd91ef76b80386a65bf83873f6bebe636c17c9db3b40e56baacd2fa149a2d2be97d71f303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
178d6ac50e58c4a4d30c4656f7c90ef5

SHA1
17a2f8e48f9344324bc5bc6e21bfe8a2750e77b1

SHA256
f1fb7c99b6cff2b31a51c0d651d3a897bd5fde745cd00d9461c5b9b028d78805

SHA512
f3cd642ee001672b5b1997e2aaada2b3a9d2d075e57493e2c25746bf2d01a2db05a98264645abe559fc39ad7ed7200f134b75e9c9fd79434d948aa18ed9cde39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
7ef32df6b3bbd05e87ae4a7e0e1ce54c

SHA1
e3251e4205f6471d4b72bf8328321941697dbf71

SHA256
494d7048d1c31b542b42e8fe90f044cc69dd14126565e32e62c14887c054efa8

SHA512
08ea45c33191260d8e32d15e2ec4f3d9844139498db37463c6b944b1a15e019304284639a7923437a2d69d2abb3eb1a5d4b9ce2f65c83260f037d0445f1a0b46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
518f3359cc4bc8b4be1a30e7e68183a3

SHA1
626121ed8426b54b9a7f0ed217bfd9351afc21db

SHA256
f0b33879f5b64e5de56ccdeea0176ee028d58a6977f417f09a8cc27b052de2f6

SHA512
e2ec98bb6040c46ac4cb20297258018e8e693630e8b25b4a063140d15a3525899300eb3ad6049bc7904725ec195d09d99f6d29acaca71134035aa693779fdf3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
27262d2edbe57be52e553728b9e6e6d1

SHA1
d1aeadd2a7ecda6e07b9dea64aee9b926b87a674

SHA256
6665442bce2b5f47f2b6cbbe027c6bcf0c4c9f7c0f327c2795dd2f1f6a5543e7

SHA512
575a951fd90f334ac66b72056e973c7f78e69411730ce4ec5fc28e962508b4d3e0e9c51fc62aa556366d013002884216fc9f9964d113949409599b32a7c03661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
7ad09ed0a9189dceded47faf8e10c81e

SHA1
3d70baf401749cfd5111153349cab691902e3861

SHA256
13c31b872f5bc354515a0ff572c72c94e12b2e49465b630318b049625119625b

SHA512
5850004c7c448680f6fba538115a25d6d6582022ae42b4534523c176db0ce0907f23036ab1f6d2ae2f20e38822b0bc911698faf09383f12dbff4a35dd6a405de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
90a0935504a1e10596ab4ee3333dc9cf

SHA1
5ba283f5c3f99dbe1cb367c722e991f9d062f34e

SHA256
975b018fe2fb23b7ca8a8409720f95530ff6d61d04364f9b4a5f8563e627c9c3

SHA512
469e78fb140f52b1d677bbec34397ee1b591217633cb71548c7bf7aac47428ad1cbd2cacac40c34e8a16ae9233ba84718ab29fa14c20d8699eb9be1d8de70e1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
8734b1a3e89a7f3c03359e7e8faf8155

SHA1
5b9ac8adee23eef42d61d6299cf520c41baf735c

SHA256
c11f0331d23ca5836a61ee0cbf5c018490dcb10640b7b4ffb84f20686bdceab7

SHA512
0de4f6254a36dc1f2029810e302e437de987475478cf91d21dff895a9f5acd64f2072ac426ff9db152915434d68c040cc7c484c2c0847bf3916bab48e81facc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
52d55b926fbfb52f1e856107f163eed6

SHA1
d5d485d1ae1561d814a41df7deeb3be979502dd0

SHA256
cd840c8d5c76a4f361613aadf0c9c158a48b61a4dd2e8a083c9e2b17398b6182

SHA512
b34f604e9736a4e7cb58a3443616f9ccc9e5fa09f4920f55983dc86a57bbda0b38f5330b30785ecdb508b2eaf80626a3b75f4fc6a75483db4642140f4fdc9992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
659a025c9d39cf105d32cd3fc26f4ac4

SHA1
1f61d052e8c4a44ff743bc13c90383d45f53b9dd

SHA256
f0e3041d892cab93ddde7a093de38ab87f65b1ee5b984961a6cbcca3283841b8

SHA512
df51f1bfb7d4d21654c46495b4231a9e00259b00003a9dc106f3d9f5f5531d8c808734cd753e6938131b6dc9141755039f4232bf0c070ca30fe0b4115c39f4d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
2a1af02da0d2e2f80eee8103bb0acb52

SHA1
ee5d509bb54ee926d76b8f72001bffe8c674bfbc

SHA256
380f267f603170d08f57433282e9a1f5eb1b758decf5456501fb425a1669956b

SHA512
b2bb93ee151312c5c3c9c211ed90738f7355c7326367cafaf7c5181f9b98eec5b4e256668063555e21d7e35a655780db58386c0fef5afeb1b6b4258f0b8de4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
c835f72ea11418d90ffdf831dab880a5

SHA1
f1d1cd3401dc24899447858f4786eb5d8ca298cb

SHA256
64d8626c7f58bc0640d8fa954b496b1dc3930a053dea6e3a5c1b88ed6c76d041

SHA512
f0577a147b3e84f96745cb9ef5f4b4997c46bb1d3b1dc6d14824a06fd5b42b4a8033fffef54fe685362967b18726460b69dee2f227aa1d9b63c37eabd22dc2d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a4aabc1e3b9e8b276a8751343c68655c

SHA1
01fdda17140d80a0454fae04877e209b04ab22c6

SHA256
99dace06dc0643219091f974622b9ffdd2f9954afed62e1ee17c53df84ac44a3

SHA512
763c883df96de72e487d054145ee27a39716672771c68da89f23948f8ff1992e57bbe966158ddf1f5b9f88c0a7520c9f0c05fb0cd6f1eefd8885f0f114761ac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
427f2488853f8ce09157d5cb52eef74f

SHA1
774e8f4bbe1544909630a1021a1e97569ce46143

SHA256
392faef68ff673faf8470bd3b308ff40506948f5775162d6e4ec6de614cefd58

SHA512
0607cd62a8796a1d00e68cdcc2769e8a731c32b0e4aba7e0cf6a940e66f1f696527b3f1d63cffcead6f0e6a84de01c502e10fda74a7de0768616a7e95c27ce76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
de6406810d0fd7daaf3482b3cd79602d

SHA1
72d9cf0b0013dfe3a8b83163b7addb76acd8530c

SHA256
e0298f491bef4b6377b49365306454f670399ea1635a6b5044e591876c615c49

SHA512
4481dbf20188aa407cfb1218edeb7a2dbaf1efbe71339e10c22e2e20bc0d26f75e2f9107c2e8395a4922f1c9e86a311d0f4d8adbf3a137f2969e9278914416fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
41894ced88f091661d1ff203ff5fa84f

SHA1
7f50524f19f003b318c0fd4218d6cda1bcfa4128

SHA256
ef65cdf57ba3322cab054eb59cb6cba0ee47041b19e812c6ad85e095a74f2915

SHA512
9b66512935cfc75cdc186e8fd86e4ec7ca5fbc4d71b00eaf3cdf0c0e7e6950ce48c54fdb5772fbfc076a964f1d36c5716793236b2d059ec88c208ffa24e3af6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3a74291b1e7a08f990dc8591df4adfdf

SHA1
0359304f7a5c9c03d8f7eb567ef2ec6775d5e36d

SHA256
9792313751be35bdace5187f691962763911d514b906bc26522ca3673bc5a56b

SHA512
53a448e14270fc6676833d6334657bb77db34ac9d88193cf4dccf8b6c11557eeb3d3fc80efe997a95afb814eb790407ae8b294af0f6f298e0cd47cc71d485b66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
f68fffd62c2c75fbe1c26e39e3acbf9c

SHA1
dee8dd6a7d851e6e26b848ce0be6d237261cb55f

SHA256
b938725732c8e5144b66cda4fa7637011aa234434a88e96809314ae7330e794f

SHA512
75b7644a14474b2e498ac9632b3b2e4e83679cde911ba240f40a51c829345e688022d1830ff233e3da913821f38061df5ebfcb6d1e427182bb5664cc3013753e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
7ffc86176bc0789e21060f60d9618939

SHA1
192ef6611ee589eae84cdd21d47aceeadf0869c2

SHA256
7ccecc44ef99f4ad81803ee9560312f1050b343bab0731af77130e4a5487548f

SHA512
3b35ca015210a9cca01b96c204a3f17bc8b76eafa417149167a5c55cd0e8b4f076f04c60a31ab14d38e1b000b8400f766b3518b19b033e58f667c6a9684a3d46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
79070140eb616fc6b50c64f48c4f8b6f

SHA1
4d0ed47cb482a27b72d8e4e5a050c0c3308f1987

SHA256
83b7e5d701dfbe698705153607e1c243dc2bb9d85d465c988064835a0ac0fad6

SHA512
5cd1deea034bda3eb74ab30e4b4e086968d7e2a1a04ed97393900bac8e0ace39c6e5ed744ce08103958d47193d3ca804be6f7c889317ffcf4dcdf81351e71b0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9d70af5057c3483301bd038c64979021

SHA1
5ac8ea81149d2bcec8dcd73241878fa2453a43e7

SHA256
a27fea9f3704068527437170239c9464a712f5b1dfb28fb00c807002b0e4ceb1

SHA512
f6a7381681e6a86d59e0c4031a2005c60c21e8ebf15f368bf63f2c192d6162a98ae46ed30007b3cb29f6a497351c8c21844aed2d8bf9d3b848981b27aa230c6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f6ec40306d6368778ad7ad3102a10941

SHA1
f6b22e0d9a4d9641a9d924408d55e4b51b2f9468

SHA256
1f8cac5cea059a0a1170c20c3f49fe1ca50bf1d5a53ca6fc326488baa4411d64

SHA512
d9bbacc9bd6be413719e1f4a7ad976f3c07e59711e2ba232e597d8429b8cef7ee41dc2ac2032a2d46bec59bae32624d2c08cd4157dbd408c2eedb87460404fbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9018ff515ca49ebf53bccc965685ce6e

SHA1
7e828dde8170477842b2ba43912b4e8fb0ff3fa8

SHA256
147f6ee7476caa8e326e50fe5e6cb6c920dcbb8cd7576c358b99159f37f5cdc4

SHA512
7d6ec139e7c5c435377def5b56dce48ee0a62532443da9fffc927cee2fcfb10b99b8d89c753d7db577036e079b76fd569ff9e63d07c36764a94541920bf8a0db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
65297483620b83f36f8a5eb6071b7ed4

SHA1
ce0a7b115612b8c16166471028cfdb0a92a72bfe

SHA256
64d3efec538221264536e1a3a1837266de180b6ea01aca512ad2e6a0c0bf3c2f

SHA512
f640fe11ab657724f085ff7a42f9a6a22618be8acfe9aeb0542463b994c70eb6432cc06dde659b21da84ef858081a96538184935ec4ec6d92a509fc451b9714f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
e210e6fe9e46ffbb0749241b0102980f

SHA1
841ff92909ead3af3e8e101b1fd921a54296be7d

SHA256
37b781b07ca9b9401fa7beedcf1f77b187f0586d027fa81c1b4d4ca6e6d250b1

SHA512
753142ce23e0b394f3963d3d1de570397cb1af432131cf637d57000e03ce78cce19c665944550e6114a25dc91df79b12437df98304132c45bee6efbaef98a583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
685eff40f83a6f7fd517f2ee0bc4b063

SHA1
f2b771757c47287e5224a91952aa5b8fa4a86b8b

SHA256
ab03e516a46f3f75f1c2cb23bb3ecdfe7b55f9cc7fc8e5fe3b0039c4b4c6aceb

SHA512
03c077b11bb7803844f7674bd4f0a974df39f3ec3381dd2ed4977a89d97b3d9259c62798cc0d8a3822089eadc3526da8481b779c3be5cc63faa914ae46db7a3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
b3fdf7be33cc0125a6e1c0ecc3a65ab8

SHA1
7279e0c2c8f3d3caf14473237e25a583191dd819

SHA256
7915d271106bf86b35129ef0c00e2ffc247c8bd7b4a166f681c1de00bcec842f

SHA512
429c99060a0ea106e396aca7507343955a5a682b5bdcf81aeeb592dd8c29c775a372012088310e52300393bbd402f5612bed722a9a28794740a418c65656e116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
51980147481a9453d8a78721abdbd370

SHA1
d40ba0b0d46f62bbbd0f124ebda17c1cb6d27c14

SHA256
1eda79debeb4db65c4d536a8f90a330ea036280478575780ddb504a4bc8d2069

SHA512
681507db15dee49e02e4d6266562ac232cff3171a51df2e869af288f479a4c92dae1af63cce227162ec0893ce9991fb77a9283b72915977b03265fa1470290d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
67e4c6a35cf1520108ec04cd57159664

SHA1
a716dfff6604f4ce56a1ea09b368904c3e814713

SHA256
48fcc491a1368621bc638aec03cd0587b7ecf62b06412a216c591937ee6d19c7

SHA512
c03248b2af5d8a841aabc476b68620f1fef47af2667e63daa9a8fe76cbcece448960d03244ae147f1ffd00000f31beadf5d8d4de246c4fcddff053a13ffc6ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
e2519ff03b3d3b3ff19fb40b21ce3fd8

SHA1
e43e3eb73e1f803e3e2212661792d81f93ce9fe7

SHA256
9160d238b39832b219ef224d5e9ef198271e6d76421d2dcff3a8328df2e76ed8

SHA512
ba8416c58498ff30f50c951339552d50b5000afee56d35aed66a4e3bc091efabd8df2e8df3239ed66cf568b4e3782588f5ea3214ab7a1e228f1d5a4902721386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
c00e15c2b11ba8b4071f2bda297e20f5

SHA1
fe4dde869218180321df1073d36fa13422c24c5a

SHA256
d88619cdfe21ad59078b4ea52da52b3787c03975952a554d4d5d7d7fa05f7aa9

SHA512
48e19cae7c86a87973cea59af768bd165a52170fc8156d5796328fd8ac4c122c8a37d627dde152dcd46904bc7739684ea38407d26512f4687ad219a6b23aba59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
4856009ff2188569ec6ab7ff5a6f5e76

SHA1
2eae41deaec0752f43151bcf5ec20fa88c043123

SHA256
bdc117900bb6a30ec1e1458ba18a335262e6a6a23c81be1c0b0ff00aea26a1bd

SHA512
f0451a68a53f99d1d7db4a00c9191f5aed2be84d6e7bc3a9774ab5ac1e6e40189a4c1b1b3c8fcf824e52ec86d9a3f1b3ce2b313e88daa23d49c5face7c3097e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
a263839e0bbeda17205fa6372ca1fa0a

SHA1
2824c7b00807c5c816bf36502f48aff49b02348e

SHA256
e85a9856f6ee2a3170a8858cd00a01d1295505e3f435e1e16c7cbaccbd5a14c2

SHA512
15d2d5755d71e7ba9e1c3cd66803bcc0d7282720b589c3ebfc5dd5a5f45e7ee3db87ba76ddcde559de0d08182671b62200b4be51da1f2c17e6a63c57093972cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
74bbb24ee7f08888503caae8a16413ac

SHA1
4094faf38d3848e3129a65f9bacc99bab6c69a87

SHA256
cae2dd1dba5f09f3221097378f368a1abf31b75de62f75d1fe8de0fa072e86b3

SHA512
eed9bb4639f095827a2ab0d508a34c4aa425194555b995d55605f76c22fe0ee26dc8fec1cf4050f3307293cbcfc433d96ea0285c571440fb10b17ec9d8a34e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
2c55509f1750d7a85a34146e7eb8a445

SHA1
c23ab6f8dad651784316857bf8e591d85e1aaafa

SHA256
c20850cf86f9f23acc73560829f8ba31f924886e81d8031f82c1a48b453a0a3a

SHA512
d113996630ce79f390510e585a5964e4191e74f574d154c443420254a7e5ccaf04764bd72de046cbe9cf1d7cdf56ccbd15ca5d58b6ba86d418a462fb0f161825

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
df37f780b58e42add9d0af1d926f306d

SHA1
23e821e72b77c5c14f097929f7ffe75bc0e0ec5f

SHA256
2793eea745c76126af5b28d4efcf617ef7bfb6d601189669774af750bb00d2fa

SHA512
e0b705d913122993fd1f8cd65c3d875507378c9c765f9d9d0319de267ebd1ea852c0f5cb06f77ddf063aed2030146a358acb5bf0a4beb74a57804800c3a6edc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
a2bedc16ec1d32f71f7a0a2601cfd18f

SHA1
ecf44e5539c9d59aebce5bfe6d45ccf1765c7179

SHA256
31b9cc83925a07de9dcabc4a9321c14ac54d76e8dcd37c3555a24ed00d8ee82c

SHA512
06b5d8ba58ff78174b704f03261a55a9d665fc4fc271a2f36327ac71fcf051245e19618fa3a13a59de8b8a63334cb1a053dbb071db844caed34fec143f956da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
8206224b7dee9ff2073d00659c805a05

SHA1
b1851c8139c91cc51a047bef944e239f200570d3

SHA256
7f4fda3c4f1e1682ba26c4fa616576ce9e72ec1bbc33680483b3e9ce1dbf96fd

SHA512
17e1438263f86122b9f26c2eec3f282901e4cc2ac1824fc263534923322a28f1efd9727dc141477ee7c74909703ded2aeb7cf1c73df744cf9ed2deb6a50b6b61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e808a480b95aa0509a97a970561ac48d

SHA1
dbbdb72a795d0910cd2193a615ca63a10a660b66

SHA256
716fc897dbe34fc47a373d18a56192133da7a1d5e3c5c67aad5aa2d0a5b0e175

SHA512
3c63683c5f49b9e443c9758d853fa5417f9a1bcc0f75f99b029e41acb9e4e53cb87d403bf861c06fa2d547c7b5826e8c06b28bb89f24a8f8b298eec388bb243a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
60d4f9b4a9beadf1c82c90e904ff5e7a

SHA1
ae48c60526407e9374229926f98872709ce01b7d

SHA256
d54dbfd3323d18dc33cd64dca60e906882dcd6b217e42be68cd5bf2306b2618f

SHA512
7aadaa1b032ef8243aea03cc44ceece9bb0a3027bb0e712a94eb2388788a5da464d4e51aad1aa60ade3d6cb72c40e540e289a4816970d1521c54b1f35c69fb23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e24c2ecdbec3e9b11be245184fac9082

SHA1
9b268dd806c44f441deadc5710d449a4c0240592

SHA256
3bccecca631fa8643d8093dde998fa49f53c36f4501c96c90295e394ec343650

SHA512
a445ec7bebd94e45d4ab693fb0ed9fad797d3b90e663e3a39a105bca07c5b7911d859a9b6d2a8f47c7249af2bc023575f8b3d54be01c4de7c9e223c4606d2421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
46f4df844422b9f05a49fb0a1c17c378

SHA1
162f91fc8e3d565c21f296685164a278cebcd72a

SHA256
a6386a830efe4b45c3420efed3c6e1b7cf828c8c16bad7b55685224575d66fb5

SHA512
1d66aea0b6d1824afe81ba59d76b8d44a46170f6b38dac2bac26d026a7e5a104a353f550f93fe04bc54b632b04b3d0d3ff93f4ad987690a724f821ab4b5cdac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
d2c20dcf6d024e51ffeb3151a88d7f40

SHA1
ace9553a810d0df73f5bd596ae04a5bd4f66b50e

SHA256
ad8af6845b4b493feae62972efa23767879605c134ef6c873c2811c6bb0525ce

SHA512
6cf2f1091b55b987b08d78179f9fd1951b8d6112af5dc91993828855b66c98f8fb0eeb0838c793bc905f5ec4aef38b26830d0a9de96d92aad368ceb651c7457d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ec3747e421c03be199b896c9e5d8690c

SHA1
5f8ad0c0332a490baf8d438892db29dc92c8d174

SHA256
539f0bce34ae9c3dbf6d275df114b5f2a9db10832f15f68c35da23f4b8487cce

SHA512
622b7023932c5f10820d295dd5a27ae2f69e3b77a9e16b52d59d3da390225b56513a6378eb4743080e08e13a8afb154d5f0ef607c76857fbfdd2e2d6e0558463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
5a6a17997c24cb8daa6de30bb14fa5c4

SHA1
eca3a4c3b30659e30b93d4f4d929dfb0fab7f88d

SHA256
a1ed2110be30eb237b917edcac9342d10f0f8ec70ffa86521e5f678c4d3108fc

SHA512
47bbc41e5aa327350d21a39e69f60f0f2a3db5459e0622f24432cdb898929820e767a858b6be6f34b48ffae107e37dc8339876566bd35a0be513b04a0bb86b8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
fa667d14b2fb806620b5e69926c081f4

SHA1
7b098036be999dec95b81f1a091b2118c95e2cb3

SHA256
30a93cbf410fc16dd0859ce9983ce474e04e9ada0f0dc2cf41bdc351cbf8a9e5

SHA512
817994a8d13a47690335661dfea9c0c657bc1c5c69d5fb72f9e0cd92e742eeb2d1254c8c4a72210fff195e560d7eec3b527cf5eeba732f07e6ec666d6ab5daf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
5a1a40185a2df72a17965f16d8022225

SHA1
0c6aed459a8ee45e599fcd3ae93aef1804d2ff95

SHA256
a2306e536319943ffae261b62d82653357e8ff7a42db3366f6b91b2b076313f0

SHA512
158e4a668821a99e5cf94125775f8e37e9fc381b179a4e31d0648f94ddd5e4dc997ca0302cff7cc7e4a1dc3b43678524314b8964ab78ef03714e390133dd6e75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
df0216088181eed42ab524e34659345c

SHA1
66496b61a6cc6fb412f4005f88cf63f54593d1e1

SHA256
08909e1450c7fe879405811d55bc801ed576503a146f007561bff70a633d124c

SHA512
ccf4354eb2570156531ab942e3b48944b2c4c3a0e0eb6c2c0fc01787075de3a264364c85669e925c7945bca5e69c3b3b3cfad022bf153f3688c340074a45f493

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe62efc9.TMP
Filesize
120B

MD5
82630ac32f3f8cdf32cbee872676c9fa

SHA1
624afa3410c4315e96740a8307929fcf7c0a6332

SHA256
afa1e2b152dc33b63d0cb16fd359979244009238a3e8f8a94238c8b3507bba40

SHA512
766ea4b6a7617ed7cd2b9e719586a51adafcc48407308defaee2d8cf1a7ff5b08f9c3ac4d4655c8972946a554798e9d1cf9b906466bcb05c5a745562302ac99e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
7eda0f917996a10c7706ad1bd31c36db

SHA1
33fed02ddd27bdb705ba2b00b02c49ef1a755944

SHA256
d76bb767b58605979df124471c9276cb6b2b520e2d76ea790ed6a34d90677439

SHA512
3d62ba1f33cb4a700377fe1701aaf94c621fe124cbc44499f9b177ab9c095e7f1184590d01942f5984aa4b9849d273db3f24a140ba85d8bc23a9f9ea29ad4ed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
12afae5bbdb4df223dc1f440543b4301

SHA1
7886338f92c76ee43960159e3b215646b843d01d

SHA256
85ff667b801d1042f4243ad03c35d381376f370bd9f74a1f2e0bdab2e01be2fb

SHA512
ab3650ea439d52b3a14da8057e6cf2d5f9cb26620c7a35646e1103b094066a4c9adaf5878bdb94f5d59f5bdfeede88bb35c5c76f8dd1add1f2aa0b6c61e5c84b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
c81173bfd2ed024416cee512eaf48bc5

SHA1
2022abe738ab274d1480b384362560e2db2bd368

SHA256
820ad348ea06d3d981b03539f61bf3e09c5c1998ca32f9eebadf5072c99177c0

SHA512
0309c3cf4376d6e4d788788d299e0708795a3984fe812a3eb38c786dbbfdddde1709bc81f120e1961053e5b6f0570a09613aefee969a0c3bfeda7f3ac059941a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
16a05f3378e51f3559eaa0b72e7c0829

SHA1
66026d80366a8ed97793b2d43a9772c3d57b63b2

SHA256
90a2314cddc216eb7169740ee039d351ad53853bd2fa4efd442f9af47ad73a85

SHA512
22da494054034df1981df58014858b1839acf13de9b6369124b316eb651d51b2d72dbbaf2b8787a26ddf7a14ec3ba77d8524a908921217231b537d943919e2d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
7a88bec8b346f0fb69cf6a0ef31c1b23

SHA1
9ae3bdc7babb200cdf124ab6251566ebcd2b95fa

SHA256
5ee14185613260b9ceac213c6434c8fa68dd07a24eee94e0cdb01cb3206e3416

SHA512
1e919ad352d416a144a23ac99f8b574a0bd7447c856dbe8c00d54fa02e85e4d00002fbd3e5983601db43431938639d75dc99850adf362a480ce85569fc25430d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
f102d9700d26c09bf04306237319c2de

SHA1
ea081e01306c9c4b6e130978a3f95b2e95428016

SHA256
f6fda939ef28b163b36a099ce4ac3af2f9b00a97c846298e5d2c6a91fb345383

SHA512
ca5cf0536cf2cd82fb04f4ac52612e234fef4190822cbee6da0f59b9603b79fcf7596e5027ee555ad4af250716c954b3367764277491233fa64d810ae339678b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
108KB

MD5
8495bbe4fd45a575e5a82e5556500a9c

SHA1
767e30945526f1af9df72e38078bb0ec24693bdc

SHA256
1972971d7e4b1459a448c946d939b648627b882cf64f8e024901a00c15a3ee5c

SHA512
7e78cc0af6a35c3d3b91e53ee14f8934a4918365e8e6338df1014a7215b302c8bff8b5bff57af1c69557fd493c3b479aa41d6fee737b022cd1b42f45a2e04837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
1cdbfaee60c306d53d9f3cab9fdf6701

SHA1
0d21d6f737544aec2acbef52370fc773da0ebdc9

SHA256
df73d5b19bbe939d2c5c3e1e1ae86f9f489ed67e0635897f31c1c10e66d694f4

SHA512
1b021c87156fe08a67701c88f37f60fae114f9c9e9f5d90280e3ec648058872ac36c79a596cbb945e9fde99932812b35ef68fba7331bd1ed7ae8324666f2d25e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
102KB

MD5
694723a3fe441bcd1a91bc432845b5b2

SHA1
8ad9ad1fe03c3cb90f53a1c41fa3559c7a6a12fa

SHA256
cd140e44ee37f697ba5f86053c5b0f2e28dac5d7cda0ca7fc7fbfa1c72039e28

SHA512
ddd29de3297df15da89c3bd10ba96d3838694e35b7ec01ca6c2010fd0c246e669f003311b50358167738d478e54cfd04e5bdac345667d10384267100263b1257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586feb.TMP
Filesize
88KB

MD5
8c6742e2e38c68dc83e3a4611bb78ca2

SHA1
bd84b2f871d4758a1430783f75afd7aabd0a060f

SHA256
cd95c43849d104cf6083631b5b1b1e9de138c3c079c0034b519f2af5f620eee0

SHA512
ccec29625079a42c79aca5c8131f2d04d1fd35f00bd2cecc8208df5dbcd739c4e5548f46bd554ac2a9d37772e7685dabfd93cea78f0d8107d8d7e8d097b3db38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
Filesize
553KB

MD5
57bd9bd545af2b0f2ce14a33ca57ece9

SHA1
15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1

SHA256
a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf

SHA512
d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll
Filesize
504KB

MD5
4ffef06099812f4f86d1280d69151a3f

SHA1
e5da93b4e0cf14300701a0efbd7caf80b86621c3

SHA256
d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3

SHA512
d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
Filesize
2.3MB

MD5
c2938eb5ff932c2540a1514cc82c197c

SHA1
2d7da1c3bfa4755ba0efec5317260d239cbb51c3

SHA256
5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665

SHA512
5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe
Filesize
2.9MB

MD5
9cdabfbf75fd35e615c9f85fedafce8a

SHA1
57b7fc9bf59cf09a9c19ad0ce0a159746554d682

SHA256
969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673

SHA512
348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri
Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll
Filesize
451KB

MD5
50ea1cd5e09e3e2002fadb02d67d8ce6

SHA1
c4515f089a4615d920971b28833ec739e3c329f3

SHA256
414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902

SHA512
440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll
Filesize
432KB

MD5
037df27be847ef8ab259be13e98cdd59

SHA1
d5541dfa2454a5d05c835ec5303c84628f48e7b2

SHA256
9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec

SHA512
7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll
Filesize
425KB

MD5
ce8a66d40621f89c5a639691db3b96b4

SHA1
b5f26f17ddd08e1ba73c57635c20c56aaa46b435

SHA256
545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7

SHA512
85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll
Filesize
73KB

MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
Filesize
38B

MD5
cc04d6015cd4395c9b980b280254156e

SHA1
87b176f1330dc08d4ffabe3f7e77da4121c8e749

SHA256
884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e

SHA512
d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
Filesize
108B

MD5
aca96a56fa9a1d57c7e3cbdce6c3185d

SHA1
730ed0b998f36f6fb5f99cf2fbf85c1d21631a45

SHA256
33acec729caa9b0123c411a0a1b9f97f2316bbaa3c957c666e611be58ac6eabe

SHA512
657698b665e0d3fb3d12c21130698b4c16ecc210b43f5ec00fa3a32532a8e7894451beb5498b56f71d420d4a48f82362ca64d8b52225ce0098096cac4e472b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
Filesize
77B

MD5
89e43870fffe07255b0dcf82107c6bc2

SHA1
5e2465cd5eff8199140cfbc96622e3b4edbb2bd9

SHA256
ad1ab6bed845d0acdf384c3d461c26f4c96231854fd08396d96b444161d25b54

SHA512
005b8bfc59e2ca02a4852a412294b6835ece15e9d024371845fb3eb7d91e70042d53bbc19d5168a5a3a2bf86fc0fbb5aefea81797df4a6cf8cdd2f1132e8d9df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DD719OCW\update100[1].xml
Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\eula32.exe
Filesize
1.2MB

MD5
cbc127fb8db087485068044b966c76e8

SHA1
d02451bd20b77664ce27d39313e218ab9a9fdbf9

SHA256
c5704419b3eec34fb133cf2509d12492febdcb8831efa1ab014edeac83f538d9

SHA512
200ee39287f056b504cc23beb1b301a88b183a3806b023d936a2d44a31bbfd08854f6776082d4f7e2232c3d2f606cd5d8229591ecdc86a2bbcfd970a1ee33d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\runner32s.exe
Filesize
58KB

MD5
87815289b110cf33af8af1decf9ff2e9

SHA1
09024f9ec9464f56b7e6c61bdd31d7044bdf4795

SHA256
a97ea879e2b51972aa0ba46a19ad4363d876ac035502a2ed2df27db522bc6ac4

SHA512
8d9024507fa83f578b375c86f38970177313ec3dd9fae794b6e7f739e84fa047a9ef56bf190f6f131d0c7c5e280e729208848b152b3ca492a54af2b18e70f5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\thetruth.jpg
Filesize
483KB

MD5
7907845316bdbd32200b82944d752d9c

SHA1
1e5c37db25964c5dd05f4dce392533a838a722a9

SHA256
4e3baea3d98c479951f9ea02e588a3b98b1975055c1dfdf67af4de6e7b41e476

SHA512
72a64fab025928d60174d067990c35caa3bb6dadacf9c66e5629ee466016bc8495e71bed218e502f6bde61623e0819485459f25f3f82836e632a52727335c0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1FE.tmp
Filesize
35.9MB

MD5
5b16ef80abd2b4ace517c4e98f4ff551

SHA1
438806a0256e075239aa8bbec9ba3d3fb634af55

SHA256
bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009

SHA512
69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xRun.vbs
Filesize
93B

MD5
26ec8d73e3f6c1e196cc6e3713b9a89f

SHA1
cb2266f3ecfef4d59bd12d7f117c2327eb9c55fa

SHA256
ed588fa361979f7f9c6dbb4e6a1ae6e075f2db8d79ea6ca2007ba8e3423671b0

SHA512
2b3ad279f1cdc2a5b05073116c71d79e190bfa407da09d8268d56ac2a0c4cc0c31161a251686ac67468d0ba329c302a301c542c22744d9e3a3f5e7ffd2b51195

Download Submit
C:\Users\Admin\Downloads\MrsMajor 2.0.rar.crdownload
Filesize
19.3MB

MD5
a61889efca36007831250fffb358bd17

SHA1
c835f75a8de83cbff5787f8143476b424458e7c4

SHA256
50e0b0a6e806a837e3a7346ec2a7c0f4c36e7618553c799a88ae1658d97e505a

SHA512
8fe704c55094cba451cf12197557bd44c696b58eae2a0a9827a7feb96d67bda89e15bcf763212fdd072e8272ec6537efb738b3e18cb24c26ac7920f70837cb2f

Download Submit
C:\Users\Admin\Downloads\MrsMajor 3.0.7z.crdownload
Filesize
234KB

MD5
fedb45ddbd72fc70a81c789763038d81

SHA1
f1ed20c626d0a7ca2808ed768e7d7b319bc4c84a

SHA256
eacd5ed86a8ddd368a1089c7b97b791258e3eeb89c76c6da829b58d469f654b2

SHA512
813c0367f3aeceea9be02ffad4bfa8092ea44b428e68db8f3f33e45e4e5e53599d985fa79a708679b6957cbd04d9b9d67b288137fa71ac5a59e917b8792c8298

Download Submit
C:\Users\Admin\Downloads\NRVP.exe
Filesize
9KB

MD5
f7349874043c175bee2d0ff66438cbf0

SHA1
da371495289e25e92ad5d73dff6f29beea422427

SHA256
f852b9baeeefde61a20e5de4751b978594a9bf3b34514bc652d01224ee76da1b

SHA512
878f4bc1ab1b84b993725bcf2e98b1b9dcb72f75a20e34287d13016cc72f1df0334ac630aa8604a3d25b9569be2541c8f18f4f644f5f31ff31dd2d3fedd6d1ad

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 280089.crdownload
Filesize
1.5MB

MD5
e5788b13546156281bf0a4b38bdd0901

SHA1
7df28d340d7084647921cc25a8c2068bb192bdbb

SHA256
26cb6e9f56333682122fafe79dbcdfd51e9f47cc7217dccd29ac6fc33b5598cd

SHA512
1f4da167ff2f1d34eeaf76c3003ba5fcabfc7a7da40e73e317aa99c6e1321cdf97e00f4feb9e79e1a72240e0376af0c3becb3d309e5bb0385e5192da17ea77ff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 808137.crdownload
Filesize
1.5MB

MD5
3c5917f4da614ef892f055c697744b77

SHA1
be65c2ea6119c04945c66b13413892f2bb03d9a7

SHA256
6fa4cb35cbebb0a46b8bbc22d1686a340e183c1f875d8b714efdc39af93debda

SHA512
f5278a40fcbd0f803c8671c87b0a68c0ccc60a0770c1247eab60fe5a1c9d96bd182d5f4980f7f77791c570db092cf444e2077be59ace214a407ebc8541f69532

Download Submit
C:\Users\Admin\Downloads\WinXP Horror Edition.7z
Filesize
44.0MB

MD5
aa45d1d70efa630ee7b64bf5fd0a493a

SHA1
454090d52076c121ccf858291461805f0272d559

SHA256
0c0267932bb202aee030f44277881680dbe0f9a9387a2b1c601dad2048243454

SHA512
a1fbe8ea113fb3e4cc266f3aa50c46e87acfa129e08adf98279da2ab7dfc52da963bf7ab179fdc68e23e5bf8ff5fa3ee7e277e885f719c23e831fce714540248

Download Submit
C:\Users\Admin\Downloads\winrar-x64-700.exe
Filesize
3.8MB

MD5
48deabfacb5c8e88b81c7165ed4e3b0b

SHA1
de3dab0e9258f9ff3c93ab6738818c6ec399e6a4

SHA256
ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24

SHA512
d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af

Download Submit
C:\Windows\System32\Taskmgr.exe
Filesize
58KB

MD5
bcb0ac4822de8aeb86ea8a83cd74d7ca

SHA1
8e2b702450f91dde3c085d902c09dd265368112e

SHA256
5eafebd52fbf6d0e8abd0cc9bf42d36e5b6e4d85b8ebe59f61c9f2d6dccc65e4

SHA512
b73647a59eeb92f95c4d7519432ce40ce9014b292b9eb1ed6a809cca30864527c2c827fe49c285bb69984f33469704424edca526f9dff05a6244b33424df01d1

Download Submit
\??\pipe\crashpad_4008_CYZNIRHXMMUSGQTX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1492-3171-0x0000000008C70000-0x0000000008D74000-memory.dmp

Filesize
1.0MB

Download
memory/1492-3170-0x00000000052A0000-0x00000000052AA000-memory.dmp

Filesize
40KB

Download
memory/1492-3169-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/1492-3168-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/1492-3167-0x0000000000810000-0x000000000094C000-memory.dmp

Filesize
1.2MB

Download
memory/2568-3191-0x0000000000390000-0x00000000003B4000-memory.dmp

Filesize
144KB

Download
memory/2988-632-0x00007FF754400000-0x00007FF75440C000-memory.dmp

Filesize
48KB

Download
memory/2988-628-0x00007FF754400000-0x00007FF75440C000-memory.dmp

Filesize
48KB

Download
memory/3448-656-0x00007FF754400000-0x00007FF75440C000-memory.dmp

Filesize
48KB

Download
memory/3448-652-0x00007FF754400000-0x00007FF75440C000-memory.dmp

Filesize
48KB

Download
memory/3868-2642-0x00007FFF6F680000-0x00007FFF6F7CE000-memory.dmp

Filesize
1.3MB

Download
memory/4464-2634-0x000000001DBB0000-0x000000001DCB4000-memory.dmp

Filesize
1.0MB

Download
memory/4464-2625-0x0000000000990000-0x00000000009BA000-memory.dmp

Filesize
168KB

Download
memory/4464-2632-0x000000001D9E0000-0x000000001DBA2000-memory.dmp

Filesize
1.8MB

Download
memory/4464-2631-0x00007FFF6F680000-0x00007FFF6F7CE000-memory.dmp

Filesize
1.3MB

Download
memory/4464-2633-0x000000001E0E0000-0x000000001E608000-memory.dmp

Filesize
5.2MB

Download
memory/4464-2635-0x000000001DE50000-0x000000001DFDC000-memory.dmp

Filesize
1.5MB

Download
memory/4504-2233-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2222-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2206-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2223-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2207-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2208-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2218-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2219-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2220-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download
memory/4504-2221-0x0000000000400000-0x0000000003AEC000-memory.dmp

Filesize
54.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads