Analysis Overview
Threat Level: Known bad
The file https://workupload.com/start/5VDC6ne3R49 was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
DCRat payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Checks system information in the registry
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Modifies Internet Explorer settings
Opens file in notepad (likely ransom note)
Checks processor information in registry
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
NTFS ADS
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-19 16:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-19 16:25
Reported: 2024-06-19 16:31
Platform: win10v2004-20240226-en
Max time kernel: 337s
Max time network: 313s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\bridgefontmonitor\blockcommon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\odt\firefox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\odt\StartMenuExperienceHost.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Windows Security\BrowserCore\sihost.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\66fc9ff0ee96c2 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\22eafd247d37c3 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\7a0fd90576e088 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6ccacd8608530f | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\9e8d7a4ca61bd9 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\firefox.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\0fc223bdacedc3 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\firefox.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\0fc223bdacedc3 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\DigitalLocker\en-US\blockcommon.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\Favorites\RuntimeBroker.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\twain_32\5940a34987c991 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\OCR\StartMenuExperienceHost.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\sppsvc.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\InputMethod\SHARED\9e8d7a4ca61bd9 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\twain_32\dllhost.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\0a1fd5f707cd16 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\InputMethod\SHARED\RuntimeBroker.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\de-DE\9e8d7a4ca61bd9 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\ShellComponents\088424020bedd6 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\DigitalLocker\en-US\2b649733e638cb | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\Favorites\9e8d7a4ca61bd9 | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\de-DE\RuntimeBroker.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
| File created | C:\Windows\ShellComponents\conhost.exe | C:\bridgefontmonitor\blockcommon.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ = "ISyncEngineHoldFile" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID\ = "{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\ = "SyncEngine Type Library" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ = "IFileSyncClient2" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_CLASSES\MSSHAREPOINTCLIENT\SHELL\OPEN\COMMAND | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\AppID\{EEABD3A3-784D-4334-AAFC-BB13234F17CF}\ = "SyncEngineCOMServer" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_CLASSES\WOW6432NODE\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LOCALSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID\ = "{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ = "IFileUploadCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\NursultanAlphabyJenshinix.rar:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://workupload.com/start/5VDC6ne3R49"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://workupload.com/start/5VDC6ne3R49
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.0.1948939269\561503327" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56e177d7-d72d-4235-a255-72dd2e1c96e3} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 1948 11a91ad9858 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.1.731372972\1201119331" -parentBuildID 20221007134813 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63304795-9bc7-4fee-8de0-2ce2cb44584b} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2372 11a918ef258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.2.2021186214\347130050" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3020 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c95d56f-cd4a-431f-a923-4672b407fa25} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 3144 11a91a5e658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.3.1356315254\314806437" -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 2508 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da37d6db-512d-4571-8feb-808333750e4e} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 3964 11afdd60458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.4.1117493432\1441458386" -childID 3 -isForBrowser -prefsHandle 4692 -prefMapHandle 4688 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8199b71-0d47-4e4a-9f70-30a4d9b79401} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4704 11a96a64a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.5.883364868\1822141551" -childID 4 -isForBrowser -prefsHandle 4836 -prefMapHandle 4852 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75d5b43e-f0cb-46ac-b039-e5cfaecdc42e} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4704 11a951f4e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.6.1688543756\1812261144" -childID 5 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfbae1f9-b3c8-4eb3-bc93-b09592621ed5} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5124 11a9819aa58 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\NursultanAlphabyJenshinix.rar"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe
"C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgefontmonitor\UfmJKZB9Iv1Dw2.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgefontmonitor\ABKnx1IaQbrtUZzojW.bat" "
C:\bridgefontmonitor\blockcommon.exe
"C:\bridgefontmonitor\blockcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\bridgefontmonitor\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\bridgefontmonitor\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\bridgefontmonitor\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockcommonb" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\blockcommon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockcommon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\blockcommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockcommonb" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\blockcommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe
"C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\bridgefontmonitor\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgefontmonitor\csrss.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgefontmonitor\UfmJKZB9Iv1Dw2.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\bridgefontmonitor\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1T442RxaL5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgefontmonitor\ABKnx1IaQbrtUZzojW.bat" "
C:\bridgefontmonitor\blockcommon.exe
"C:\bridgefontmonitor\blockcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\bridgefontmonitor\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\bridgefontmonitor\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\bridgefontmonitor\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\firefox.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\firefox.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\bridgefontmonitor\Idle.exe'" /f
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1T442RxaL5.bat
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\bridgefontmonitor\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\bridgefontmonitor\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
C:\bridgefontmonitor\unsecapp.exe
"C:\bridgefontmonitor\unsecapp.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 12 /tr "'C:\bridgefontmonitor\firefox.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\bridgefontmonitor\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\bridgefontmonitor\firefox.exe'" /rl HIGHEST /f
C:\bridgefontmonitor\blockcommon.exe
"C:\bridgefontmonitor\blockcommon.exe"
C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe
"C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgefontmonitor\UfmJKZB9Iv1Dw2.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgefontmonitor\ABKnx1IaQbrtUZzojW.bat" "
C:\bridgefontmonitor\blockcommon.exe
"C:\bridgefontmonitor\blockcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 11 /tr "'C:\bridgefontmonitor\firefox.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\bridgefontmonitor\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\bridgefontmonitor\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\bridgefontmonitor\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\bridgefontmonitor\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\bridgefontmonitor\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\bridgefontmonitor\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgefontmonitor\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\bridgefontmonitor\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\odt\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f
C:\odt\StartMenuExperienceHost.exe
"C:\odt\StartMenuExperienceHost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\8YXrskW4JY.bat
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3844 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3028 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3916 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3008 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe
"C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgefontmonitor\UfmJKZB9Iv1Dw2.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgefontmonitor\ABKnx1IaQbrtUZzojW.bat" "
C:\bridgefontmonitor\blockcommon.exe
"C:\bridgefontmonitor\blockcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\odt\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OEyYLRTH69.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe
"C:\Users\Admin\Desktop\k\NursultanAlphabyJenshinix.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgefontmonitor\UfmJKZB9Iv1Dw2.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgefontmonitor\ABKnx1IaQbrtUZzojW.bat" "
C:\bridgefontmonitor\blockcommon.exe
"C:\bridgefontmonitor\blockcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Links\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\odt\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\odt\firefox.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\odt\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\odt\firefox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\odt\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\bridgefontmonitor\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\bridgefontmonitor\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\bridgefontmonitor\sppsvc.exe'" /rl HIGHEST /f
C:\odt\firefox.exe
"C:\odt\firefox.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MUFyTxLHSg.bat
C:\odt\firefox.exe
"C:\odt\firefox.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\firefox.exe
"C:\odt\firefox.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\bridgefontmonitor\UfmJKZB9Iv1Dw2.vbe
Network
Files
C:\Users\Admin\AppData\Local\Temp\5d54980f-b155-4469-b9a9-f441d41a1f68.tmp
| MD5 | 2cc86b681f2cd1d9f095584fd3153a61 |
| SHA1 | 2a0ac7262fb88908a453bc125c5c3fc72b8d490e |
| SHA256 | d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c |
| SHA512 | 14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986 |
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
| MD5 | 2b6d800ccbcb1faf49a05cebbc30bdcd |
| SHA1 | c470de0dc19feec630e3bc6e16b5d56d7ace89bf |
| SHA256 | 6f4ffd42498da799d953211c45ec7f244ff1b1fc4c25425b8fe3aa710f80bd3f |
| SHA512 | 90ba5db6f66802b78769ef9088f11494ac0af47438e3eaa2dfeac04f65801d812d9652aceb5be0a8a04a04ae02d9d8234edcf6d0b0ecdb77fb21a736c5d231cd |
C:\Users\Admin\AppData\Local\Temp\aria-debug-3956.log
| MD5 | a9c562f93462fc22477f3043a40ddef7 |
| SHA1 | 2af9e1a344a9afeda327155771db7c56e6e89357 |
| SHA256 | 8358d820bae46c6b5b7034327614d3e84645d8d2147ae7610e66ca9f8ae32ad1 |
| SHA512 | e2749388644c83499635cb79ffd526f253f272dc60a610cd5a260f1dfcea1789d9b834f01d6ef892327efcfe6ea13092a2eaf0287ccc54305372b45076368953 |
C:\Users\Admin\AppData\Local\Temp\c8f4954d-1f68-4425-af83-03cfc46b8f96.tmp
| MD5 | 541f52e24fe1ef9f8e12377a6ccae0c0 |
| SHA1 | 189898bb2dcae7d5a6057bc2d98b8b450afaebb6 |
| SHA256 | 81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82 |
| SHA512 | d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88 |
C:\Users\Admin\AppData\Local\Temp\cv_debug.log
| MD5 | c662bf8f98aad5d287a5b9df35baf512 |
| SHA1 | 1509b31140487bcf915e7ba30744bee366249018 |
| SHA256 | cf0ecf8b8ce4a337ad496bf809b2ae8e2c696351468d0e1b6cc158266b9d231f |
| SHA512 | 4516f0a79f1b18915a592eb95dc40ebe452f3fead84837b4f57ccedceca21438f3b85a26b79326cf281ed4450f24ce7abbd5b856792dc599419bfbbf7f6d6590 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226142854.log
| MD5 | cd4709c04e0ed9c78cb3c49eb611abc0 |
| SHA1 | 282a1b596abfeae8f995baac8994a27bdeaf1433 |
| SHA256 | fa1468db825dd4e8ffc58de6f1184eb92f02a95de42ab54fe3d9648e8a803490 |
| SHA512 | 4e7e74ec09bc647e0df1faac56febc4bcd4342b736ea07dc2fdc6a12176fae98bacc4d5f2b3df2a6ace7d20b1b6a997684e7689ed04d0d2c58a7163e603a9c13 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226142854_001_dotnet_hostfxr_6.0.25_win_x64.msi.log
| MD5 | 7948ed20f9db1daf33f7491d0574af4e |
| SHA1 | f0639888b185ec46d45d66972b17c51d5d65261e |
| SHA256 | b2e341baeec9acd4749fdf841ccd9828b56c3e6ee89ef2c6a76dca3c6f1744c9 |
| SHA512 | 00e456ef391f0e94be0ac927527b8c49c49a5ca09e35a846b36b62f44191cc5320b882725d6cab8249378f7aebad4f41bd8e3e798a49487a2fd5d8d4d6909309 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226142854_003_windowsdesktop_runtime_6.0.25_win_x64.msi.log
| MD5 | 20edc7d3fca8539693521f1261a579af |
| SHA1 | 5a966900f11ea0b1dc2a40872cf89910b8ecc238 |
| SHA256 | 3ecedfbba21c7e5263ffe53177307d3d28c702da1db61d5b7bbcb3a43adec88c |
| SHA512 | b8c6b5f5a07608bfadc75cb5236dd4b06d500de5bf2cd7789509d441a6a64a0bc917807819f48bbfac7001e04397293b904628b21499a243a7abd8a569a8979f |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226142854_002_dotnet_host_6.0.25_win_x64.msi.log
| MD5 | bf5f34bca98d366f7984625bcfb5ac51 |
| SHA1 | 6e18bd9414c94f13cb17eb494d86482ad61b86b4 |
| SHA256 | b357b026b05cdc34ed7f37045f14756a5a42b2207cd2e50e43e62214da268aa3 |
| SHA512 | a7e81c150ae0f10c4d8f2bed106bead50e18848692edfd3a5cd44f05e1b91bdfa39b54bb9c01df74c2a7aef632f5db82702759b4f839ac9cb84bf44556f53435 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226142949.log
| MD5 | 9bbc66683af54b2dac4e61f5bf1c9830 |
| SHA1 | a801a787d01cd151232a7d824bc8958106054c30 |
| SHA256 | 07c449f78dd6bbf3013a5e11505364cad2623b7d71865b84a2dbe6a6123bb91a |
| SHA512 | 5cdca33a8d67a0b3caadb46aa82f7f35920241144dab343180710ab2caca07df603a947cfdc0e97b05f626e3397c937445008a034b93cecfbcbed8d11b1342d3 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226142949_002_dotnet_host_8.0.0_win_x64.msi.log
| MD5 | 6c4bbdd8340a8488b5b065d2df47b06e |
| SHA1 | a30deea97c4a29392e4abd0c7e73724006ab5ee9 |
| SHA256 | b3c274f0e980ba6186155b5cb9264aedb9b58299ff038be7ad757a09f186cb43 |
| SHA512 | 4d4d0093fef5db9136498d859ef343cdc119f1b8f5003e2ff62ecb2959e86c6b304bba3e87e172747f05a53833e97dff7ccdf82fec8e63257bdef1a7c8123856 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226142949_001_dotnet_hostfxr_8.0.0_win_x64.msi.log
| MD5 | f9234c2ad1eb0e03a5811bbb5eac01ad |
| SHA1 | f578166b5bc54c62319b6d7cba6b35b600cc9b72 |
| SHA256 | b10736ac547509657f7ef3ce23e94974c6f5ba8fce41b1adc65a6231240dc040 |
| SHA512 | e9ff04410dfe7fb5c44d6d016b5c4548b287dee38c62a8a2520f084c9550dd762b696f4cb939ebcc5e25093f19b94b00522c21f7c134a11fc31c37ce646aaa68 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226142949_000_dotnet_runtime_8.0.0_win_x64.msi.log
| MD5 | 3b38ff663c380d9910f485564d4a6a33 |
| SHA1 | 71e17212e7f6dc18d3f67bfd7bcc03a64c880e72 |
| SHA256 | 0b744ace7e58f346a687747f50708e261f35f49f99aee8de009f69df507e685b |
| SHA512 | 75d244fc430a310bea6494a587cf5715a1e4d201b7313f780bd6e69479092a630b6e6204dc1691948b902b101ae9ed18f0728f13da28ce1b64a49c666dee261c |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226142854_000_dotnet_runtime_6.0.25_win_x64.msi.log
| MD5 | 0a4c41a2d73e305baad872e2751076f2 |
| SHA1 | d62fe73a72bc11bcdb6ffdaa0667a60044a2f690 |
| SHA256 | 23cddbe0da065394c8c60c04558fd9cf8f006c093c7cbdf67049990e2a137fbd |
| SHA512 | ecc04efc6cd0b3b43557cc89b98049749cee062d1430fb9254449a5988420b36d172ef257f3c539cac1405ea5306e36aba715db36f0d9d00eb72d838ac727036 |
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240226_142806984.html
| MD5 | 240323d42a6fb9bd90187c1809685561 |
| SHA1 | 2586b57d6e8c2bba52dc1b5fcea02ce6363381c8 |
| SHA256 | 22b0abdb6cc56252f0082fdfa90c1813a30b71f95733657da94d411ce11ff08c |
| SHA512 | 9a0b5cbd61d2c9026e4ca8e86274f81742abc40982026b44ed8b63019ed273dfe09f44ccfd960b17c1d317bdeaf4074cd2fbb10e938e2839d6bbbab2a8ed4118 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 5602eb779c78bfadcb398875fa99c8fd |
| SHA1 | 189301152bb2512adf88599a3272b7a82066401c |
| SHA256 | 1821e5a556c4643630c6098b94c8ffe98eb70f984652195ae9c3ce0fcc01a08b |
| SHA512 | 20e4fe57e1e6531628dbcf114ee8e8d32eb5af30fe5875948ac75a0cad3b2b9f03ba6322b0cc83c8debf2f9d2531479102e58cee20c6008ecc4a2e397d291420 |
C:\Users\Admin\AppData\Local\Temp\jawshtml.html
| MD5 | b2a4bc176e9f29b0c439ef9a53a62a1a |
| SHA1 | 1ae520cbbf7e14af867232784194366b3d1c3f34 |
| SHA256 | 7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73 |
| SHA512 | e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f |
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
| MD5 | b1d64c5a1188f3e44e8c64b32f73ef50 |
| SHA1 | 66a5c357fe32d49b62acfa89f0f017450d54ac9d |
| SHA256 | 93e7ac5e86bdefef6bfe8f0a965bb856a8ad311f3ee00495c7cc67db6dcbf102 |
| SHA512 | ed84644b4b9a358dccf0489a8b723394a6601238774dde71a335dbec7698112c6cd9d47a2220a81e3d7c2eef6d221eaa32bb4b3e6ca7cb14a3743eec513809ee |
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4733.txt
| MD5 | 3cdc6013b4916e75064ddcd96088b59e |
| SHA1 | af04a639c7335afc89b5894bc94af839a2209a68 |
| SHA256 | 5160884f1b427e5b2c813bf61726595fb0bbaefea374ca1838ebd0cb943de45d |
| SHA512 | b72eb3ea9274a59da00c88b39a71bfc3e5ab9ad8fa0a4f5dea847de7f5ae6a0fec49b5a331582351bab4f30d2c39f7a4f51fb7d94e66427fdd3a4fd07cf9ddd2 |
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI476E.txt
| MD5 | c60bb8cc01b693debbeaa1f099f61bd7 |
| SHA1 | 94b0aa2f7dd76d3b374aa7bbc5376df0aa142363 |
| SHA256 | a9beb71ecdad03260b43ce1e40d57cfe1508f259a9de2f10f9c52bb903b8bd78 |
| SHA512 | 926b31f70405cc6497d6aeec97cc041c229c776a5f68f46f7e8a6ba56414f839b4cb9a36faaff037936cf2cbaa869eac95995a5daf623ab27b71d268e505ad1b |
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4733.txt
| MD5 | d385af4379c3b36d9305c1b73e5a3380 |
| SHA1 | 927199a0a25eef41600d4d1ccea3f30900f8e2ea |
| SHA256 | ebdc9024fc88a71c54f5a136da66d06486e67dc453c6edcad9f3e35050ec5d58 |
| SHA512 | c03b8807040b11938c3160a14fbf0fda654b7182fbb8d5441cc1bb863a8cf0f271db0b1a7869b2b294061f484d31f957b4fb8705d98634f742c9e80dc0d92c0f |
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI476E.txt
| MD5 | 018391277a9d8a2229a550ae31852121 |
| SHA1 | 77c4d70a92fcc91ddafd6e68d3832394c411e76e |
| SHA256 | e6d43eab8b9ab91def579c25a6918f741b7498fec7d541f2bdcabef884c86e88 |
| SHA512 | da22945fdcd12c7388fc0b2afbf87295f8d1c9e1a93f15eadc4eab91f7045edee62023d1b152f1926d44bc3a166658545912ba02ea866db9d36f917e83d90154 |
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
| MD5 | d819e3e12905ec97f71221ec0b8399a6 |
| SHA1 | 975957c9f398b328fa4f4f90f105eea4aaf9c862 |
| SHA256 | 7e616b157b749c77914825a80b2cbd53d29ebc3eb1540d530c64fcc132bfa377 |
| SHA512 | ec193687de5502cd6468fa22ac62b367e2881776610dd461a1ebe3c93da386cbc3fd261f933d53e521592a13fc93257da7ab3daf279d0078c2a11a105ff8c8ea |
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
| MD5 | b108c97ae49f00cd363d1e36f4c9e33f |
| SHA1 | 9a50c4d04a16c489eb1558a84ba329e85ea03586 |
| SHA256 | f6b71ef964b77fceb25bae23c455b84335dc3f9307ce93c11de6d6a1a9b90af1 |
| SHA512 | 4ac856e6eee106adbc70969ec81e8f487627bdbda71e6c45fffde6b7fb78532e11ca49bd32dc532e1e8dc419d0ef28cd5fce13bd9a2e96cdeffea44769048687 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
| MD5 | e516a60bc980095e8d156b1a99ab5eee |
| SHA1 | 238e243ffc12d4e012fd020c9822703109b987f6 |
| SHA256 | 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7 |
| SHA512 | 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\update100[1].xml
| MD5 | 53244e542ddf6d280a2b03e28f0646b7 |
| SHA1 | d9925f810a95880c92974549deead18d56f19c37 |
| SHA256 | 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d |
| SHA512 | 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | fb4aa59c92c9b3263eb07e07b91568b5 |
| SHA1 | 6071a3e3c4338b90d892a8416b6a92fbfe25bb67 |
| SHA256 | e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9 |
| SHA512 | 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
| MD5 | 5b3ce615f7faf4c90522a46df00d6d85 |
| SHA1 | b5f37d06e159ac367899970e6a9fa93ed21839a0 |
| SHA256 | 764abb771ff6e57f39f7036a8ed7b462f93ec56b00d6fcd936a0ebe461585042 |
| SHA512 | d2e47d831576f855126dfdb4d206120715c3e175df70c8d5a2214f52ce0332fab919fb682e5f7f7d6af7cb548eae0823278858e520613dbab2bcdd12a84a9ad0 |
C:\Users\Admin\AppData\Local\Temp\tmp6920.tmp
| MD5 | 5b16ef80abd2b4ace517c4e98f4ff551 |
| SHA1 | 438806a0256e075239aa8bbec9ba3d3fb634af55 |
| SHA256 | bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009 |
| SHA512 | 69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | cc04d6015cd4395c9b980b280254156e |
| SHA1 | 87b176f1330dc08d4ffabe3f7e77da4121c8e749 |
| SHA256 | 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e |
| SHA512 | d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
| MD5 | c2938eb5ff932c2540a1514cc82c197c |
| SHA1 | 2d7da1c3bfa4755ba0efec5317260d239cbb51c3 |
| SHA256 | 5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665 |
| SHA512 | 5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
| MD5 | 09773d7bb374aeec469367708fcfe442 |
| SHA1 | 2bfb6905321c0c1fd35e1b1161d2a7663e5203d6 |
| SHA256 | 67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2 |
| SHA512 | f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
| MD5 | 8347d6f79f819fcf91e0c9d3791d6861 |
| SHA1 | 5591cf408f0adaa3b86a5a30b0112863ec3d6d28 |
| SHA256 | e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750 |
| SHA512 | 9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
| MD5 | 13e6baac125114e87f50c21017b9e010 |
| SHA1 | 561c84f767537d71c901a23a061213cf03b27a58 |
| SHA256 | 3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e |
| SHA512 | 673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
| MD5 | 552b0304f2e25a1283709ad56c4b1a85 |
| SHA1 | 92a9d0d795852ec45beae1d08f8327d02de8994e |
| SHA256 | 262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535 |
| SHA512 | 9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
| MD5 | 3c29933ab3beda6803c4b704fba48c53 |
| SHA1 | 056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c |
| SHA256 | 3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633 |
| SHA512 | 09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
| MD5 | ed306d8b1c42995188866a80d6b761de |
| SHA1 | eadc119bec9fad65019909e8229584cd6b7e0a2b |
| SHA256 | 7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301 |
| SHA512 | 972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
| MD5 | 096d0e769212718b8de5237b3427aacc |
| SHA1 | 4b912a0f2192f44824057832d9bb08c1a2c76e72 |
| SHA256 | 9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef |
| SHA512 | 99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
| MD5 | 5ae2d05d894d1a55d9a1e4f593c68969 |
| SHA1 | a983584f58d68552e639601538af960a34fa1da7 |
| SHA256 | d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c |
| SHA512 | 152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri
| MD5 | 7473be9c7899f2a2da99d09c596b2d6d |
| SHA1 | 0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac |
| SHA256 | e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3 |
| SHA512 | a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
| MD5 | d9d00ecb4bb933cdbb0cd1b5d511dcf5 |
| SHA1 | 4e41b1eda56c4ebe5534eb49e826289ebff99dd9 |
| SHA256 | 85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89 |
| SHA512 | 8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
| MD5 | 09f3f8485e79f57f0a34abd5a67898ca |
| SHA1 | e68ae5685d5442c1b7acc567dc0b1939cad5f41a |
| SHA256 | 69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3 |
| SHA512 | 0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
| MD5 | 1f156044d43913efd88cad6aa6474d73 |
| SHA1 | 1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26 |
| SHA256 | 4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816 |
| SHA512 | df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
| MD5 | 22e17842b11cd1cb17b24aa743a74e67 |
| SHA1 | f230cb9e5a6cb027e6561fabf11a909aa3ba0207 |
| SHA256 | 9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42 |
| SHA512 | 8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
| MD5 | 2c7a9e323a69409f4b13b1c3244074c4 |
| SHA1 | 3c77c1b013691fa3bdff5677c3a31b355d3e2205 |
| SHA256 | 8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2 |
| SHA512 | 087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
| MD5 | f4e9f958ed6436aef6d16ee6868fa657 |
| SHA1 | b14bc7aaca388f29570825010ebc17ca577b292f |
| SHA256 | 292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b |
| SHA512 | cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
| MD5 | e593676ee86a6183082112df974a4706 |
| SHA1 | c4e91440312dea1f89777c2856cb11e45d95fe55 |
| SHA256 | deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb |
| SHA512 | 11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
| MD5 | a23c55ae34e1b8d81aa34514ea792540 |
| SHA1 | 3b539dfb299d00b93525144fd2afd7dd9ba4ccbf |
| SHA256 | 3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd |
| SHA512 | 1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
| MD5 | d03b7edafe4cb7889418f28af439c9c1 |
| SHA1 | 16822a2ab6a15dda520f28472f6eeddb27f81178 |
| SHA256 | a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665 |
| SHA512 | 59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
| MD5 | 57a6876000151c4303f99e9a05ab4265 |
| SHA1 | 1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794 |
| SHA256 | 8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4 |
| SHA512 | c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe
| MD5 | 9cdabfbf75fd35e615c9f85fedafce8a |
| SHA1 | 57b7fc9bf59cf09a9c19ad0ce0a159746554d682 |
| SHA256 | 969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673 |
| SHA512 | 348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
| MD5 | adbbeb01272c8d8b14977481108400d6 |
| SHA1 | 1cc6868eec36764b249de193f0ce44787ba9dd45 |
| SHA256 | 9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85 |
| SHA512 | c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
| MD5 | f1c75409c9a1b823e846cc746903e12c |
| SHA1 | f0e1f0cf35369544d88d8a2785570f55f6024779 |
| SHA256 | fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6 |
| SHA512 | ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
| MD5 | de5ba8348a73164c66750f70f4b59663 |
| SHA1 | 1d7a04b74bd36ecac2f5dae6921465fc27812fec |
| SHA256 | a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73 |
| SHA512 | 85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
| MD5 | 19876b66df75a2c358c37be528f76991 |
| SHA1 | 181cab3db89f416f343bae9699bf868920240c8b |
| SHA256 | a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425 |
| SHA512 | 78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
| MD5 | e01cdbbd97eebc41c63a280f65db28e9 |
| SHA1 | 1c2657880dd1ea10caf86bd08312cd832a967be1 |
| SHA256 | 5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f |
| SHA512 | ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
| MD5 | 771bc7583fe704745a763cd3f46d75d2 |
| SHA1 | e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752 |
| SHA256 | 36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d |
| SHA512 | 959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
| MD5 | b83ac69831fd735d5f3811cc214c7c43 |
| SHA1 | 5b549067fdd64dcb425b88fabe1b1ca46a9a8124 |
| SHA256 | cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185 |
| SHA512 | 4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
| MD5 | 72747c27b2f2a08700ece584c576af89 |
| SHA1 | 5301ca4813cd5ff2f8457635bc3c8944c1fb9f33 |
| SHA256 | 6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b |
| SHA512 | 3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
| MD5 | 57bd9bd545af2b0f2ce14a33ca57ece9 |
| SHA1 | 15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1 |
| SHA256 | a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf |
| SHA512 | d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | b6a0d6672673c5f2b5cfff10428fdab3 |
| SHA1 | 2569c9688b90b6b2b9922078faf6ea3b1b4625ea |
| SHA256 | 498145a5c6487bf75d40f5fe8efd8e10f239273de1198adfbfb50f559167a1c0 |
| SHA512 | 73141adbe34c999edcd0a823ddec95d0037237ab953a00a628eed43a7a7ef684b9292efb76bb037ca1e3ad210e339836cc32cf7ffc6785e9650915fb44ba931a |
memory/6300-1218-0x0000000000490000-0x0000000000566000-memory.dmp
C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\sppsvc.exe
| MD5 | 5867eb2a889e0cf85210faa7fc1f3d71 |
| SHA1 | 99a3e018152b19da50819a0b22a978c96ef80fa5 |
| SHA256 | 64d17df8ebf9c19b6dde9ddbe9588839a4f765ea3e4aa4b44bc32e874fd21005 |
| SHA512 | bcb61ac82bd2c563f0cced3ffcf5faf426f59e3ad08d22689bbfcdc2f13170e3474a5503e71179e211773234c482e051ea102bc512b745a20e3d8d1df338d657 |
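The entry just above is the one worth pulling out of this listing: a file named `sppsvc.exe` (the legitimate Software Protection service binary lives in `C:\Windows\System32`) written into a `.NET` GAC directory. Two other patterns in the listing are easy to miss by eye: the `{FB884CC7-...}` temp file carries the digests of a zero-byte file (MD5 `d41d8cd9...`, SHA256 `e3b0c442...`), and `logUploaderSettings_temp.ini` and the `customDestinations-ms` jump list appear twice with different hashes, meaning they were written more than once. The following script is an added example, not part of the sandbox report: it parses this listing format (path line followed by `| ALG | hex |` rows), flags those three conditions, and extracts SHA256 values of executable drops for hunting. The `EXPECTED_DIR` table is an assumed, deliberately short baseline; the sample input is copied from the listing above, abridged to the MD5 and SHA256 rows.

```python
"""Triage a sandbox 'dropped files' listing (added example, not part of the report).

Input format, as it appears in the listing above: a path line (a Windows path or
'memory/<pid>-<n>-<range>-memory.dmp') followed by '| ALG | hex |' rows.
"""
import re
from collections import defaultdict

# Well-known digests of a zero-byte file.
EMPTY_FILE = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Directory a Windows service binary of this name is expected in. Assumed,
# deliberately short table; extend it with whatever your environment baselines.
EXPECTED_DIR = {"sppsvc.exe": r"c:\windows\system32"}

EXEC_EXT = (".exe", ".dll", ".sys", ".scr")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_listing(text):
    """Return [(path, {alg: hex}), ...] in listing order. Memory dumps carry no hashes."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if records:  # attach the digest to the most recent path line
                records[-1][1][m.group(1)] = m.group(2).lower()
        else:
            records.append((line, {}))
    return records


def triage(records):
    """Flag zero-byte drops, system-binary names outside their home directory,
    and paths written more than once with differing content."""
    findings = []
    versions = defaultdict(list)
    for path, hashes in records:
        if path.startswith("memory/"):
            continue
        directory, _, name = path.lower().rpartition("\\")
        versions[path].append(hashes.get("SHA256"))
        if any(hashes.get(alg) == digest for alg, digest in EMPTY_FILE.items()):
            findings.append(("empty_file", path))
        if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            findings.append(("masquerade", path))
    for path, seen in versions.items():
        if len(seen) > 1 and len(set(seen)) > 1:
            findings.append(("rewritten", path))
    return findings


def exec_iocs(records):
    """Deduplicated, sorted SHA256 list of every drop with an executable extension."""
    return sorted({h["SHA256"] for p, h in records
                   if p.lower().endswith(EXEC_EXT) and "SHA256" in h})


# Six entries copied from the listing above, abridged to the MD5/SHA256 rows.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
| MD5 | c2938eb5ff932c2540a1514cc82c197c |
| SHA256 | 5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665 |
C:\Users\Admin\AppData\Local\Temp\{FB884CC7-63C6-463D-BDC5-A8541495DDAD}
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | cc04d6015cd4395c9b980b280254156e |
| SHA256 | 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e |
C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\sppsvc.exe
| MD5 | 5867eb2a889e0cf85210faa7fc1f3d71 |
| SHA256 | 64d17df8ebf9c19b6dde9ddbe9588839a4f765ea3e4aa4b44bc32e874fd21005 |
memory/6300-1218-0x0000000000490000-0x0000000000566000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | b6a0d6672673c5f2b5cfff10428fdab3 |
| SHA256 | 498145a5c6487bf75d40f5fe8efd8e10f239273de1198adfbfb50f559167a1c0 |
"""


def run_sample():
    """Run the full listing-to-findings pipeline over SAMPLE."""
    records = parse_listing(SAMPLE)
    return {"findings": triage(records), "iocs": exec_iocs(records)}


if __name__ == "__main__":
    result = run_sample()
    for kind, path in result["findings"]:
        print(f"{kind:<11} {path}")
    print("\n".join(result["iocs"]))
```

Paste the full listing in place of `SAMPLE` to run it over the whole report. The masquerade check is only as good as `EXPECTED_DIR`: the legitimate OneDrive binaries in this listing are not flagged because they are not in the table, and a real baseline should be built from a clean image of the same build rather than typed in by hand.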
memory/4528-1308-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1307-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1306-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1315-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1314-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1318-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1317-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1316-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1313-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
memory/4528-1312-0x000002BBAF000000-0x000002BBAF001000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 197132b52c9044024728275694eafd0c |
| SHA1 | dadd96a34a86b22a0429f973f17b255c0f94e153 |
| SHA256 | e644548abe22109e3966dbcb72d4eeda47e47909962b5c23ae7da575d1a8e194 |
| SHA512 | 6f6443684772d223b4b9991c64eadea9237586f239ebf8d19e7033586a5bd275c5952f6fb4dcad42dda5168ab0ad5bcc28d47273eb761a6a94467f9fe6ad4048 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | fcfa018c79e6a652034be152d30b0b35 |
| SHA1 | dd1ad4ad7af381c6bd400d48ba5aab340f1b8985 |
| SHA256 | 63a090f2f80bb1972e49cf0a5a2406900a1b22c367b4b2a03382df8eb0dd838f |
| SHA512 | 7ab94dca350632357d5e0d59cbbbb902da734f79f25c89f9b91abd71b96d080de6dd4c79e91025b014e21b58cc09030fefef93f84d1593046714bd2ee7384788 |
memory/6692-1395-0x00000257F2E90000-0x00000257F2E91000-memory.dmp
memory/6692-1396-0x00000257F2E90000-0x00000257F2E91000-memory.dmp
memory/6692-1397-0x00000257F2E90000-0x00000257F2E91000-memory.dmp
memory/6692-1404-0x00000257F2E90000-0x00000257F2E91000-memory.dmp
memory/6692-1403-0x00000257F2E90000-0x00000257F2E91000-memory.dmp
memory/6692-1402-0x00000257F2E90000-0x00000257F2E91000-memory.dmp
memory/6692-1401-0x00000257F2E90000-0x00000257F2E91000-memory.dmp
memory/6692-1400-0x00000257F2E90000-0x00000257F2E91000-memory.dmp
memory/6692-1399-0x00000257F2E90000-0x00000257F2E91000-memory.dmp