ac8fa5bbc7c699494461478225e87f35f3dfdad62fcc998e08a1f506e1e94631

Analysis

max time kernel
147s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
19-04-2021 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kl.edata.exe
Size

1.1MB
MD5

36fffcd5ceae94df443a16d622dfd786
SHA1

8989ed41babcd0711fade3efc9116395ca2a1571
SHA256

ac8fa5bbc7c699494461478225e87f35f3dfdad62fcc998e08a1f506e1e94631
SHA512

c6825cc9dbbcedf9d0b013d84d214783f5bc7e5984d8dd5266b22e5a2372eefa93fcf300c4c89ded002678d696c34a6f2e95034cb0cfdd316dacef3663accba8

Score

10^/10

discovery persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

OneDriveUpdate.exeOneDriveSetup.exeOneDrive.exeOneDriveUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4128 created 4456 4128 WerFault.exe OneDrive.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1804 created 1108 1804 svchost.exe OneDriveSetup.exe
PID 1804 created 2100 1804 svchost.exe OneDriveSetup.exe
Executes dropped EXE 5 IoCs

Processes:

OneDrive.exeOneDriveSetup.exeOneDriveSetup.exeFileSyncConfig.exeOneDrive.exe

pid process

3256 OneDrive.exe
1108 OneDriveSetup.exe
2100 OneDriveSetup.exe
4028 FileSyncConfig.exe
4456 OneDrive.exe

description	pid	process	target process
PID 4128 created 4456	4128	WerFault.exe	OneDrive.exe

description	pid	process	target process
PID 1804 created 1108	1804	svchost.exe	OneDriveSetup.exe
PID 1804 created 2100	1804	svchost.exe	OneDriveSetup.exe

pid	process
3256	OneDrive.exe
1108	OneDriveSetup.exe
2100	OneDriveSetup.exe
4028	FileSyncConfig.exe
4456	OneDrive.exe

Loads dropped DLL 41 IoCs

Processes:

FileSyncConfig.exeOneDrive.exe

pid	process
4028	FileSyncConfig.exe
4028	FileSyncConfig.exe
4028	FileSyncConfig.exe
4028	FileSyncConfig.exe
4028	FileSyncConfig.exe
4028	FileSyncConfig.exe
4028	FileSyncConfig.exe
4028	FileSyncConfig.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

FileSyncConfig.exe

description ioc process

File opened for modification C:\Users\Admin\OneDrive\desktop.ini FileSyncConfig.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

kl.edata.exeOneDrive.exe

pid process

4656 kl.edata.exe
3256 OneDrive.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1012 3256 WerFault.exe OneDrive.exe
4100 4456 WerFault.exe OneDrive.exe
4128 4456 WerFault.exe OneDrive.exe

description	ioc	process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FileSyncConfig.exe

pid	pid_target	process	target process
1012	3256	WerFault.exe	OneDrive.exe
4100	4456	WerFault.exe	OneDrive.exe
4128	4456	WerFault.exe	OneDrive.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDriveUpdate.exeOneDriveUpdate.exeOneDrive.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDriveUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDriveUpdate.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDriveUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDriveUpdate.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDriveUpdate.exeOneDriveSetup.exeOneDrive.exeOneDriveUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeOneDrive.exeOneDriveUpdate.exeOneDriveUpdate.exeFileSyncConfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\NucleusToastActivator.NucleusToastActivator	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib	OneDriveUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\WOW6432NODE\INTERFACE\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging.1	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDriveUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices.1"	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ = "ISyncEngineDeviceNotifications"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ = "IGetSpaceUsedCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\Version = "1.0"	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ = "IGetAllSharedFoldersCallback"	OneDriveUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\ = "FileCoAuthLibrary 1.0 Type Library"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ = "IFileSyncClient6"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "IFileSyncOutOfProcServices"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDriveUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\BannerNotificationHandler.BannerNotificationHandler	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ = "StorageProviderUriSource Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\ProgID	OneDriveUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\BANNERNOTIFICATIONHANDLER.BANNERNOTIFICATIONHANDLER\CURVER	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDriveSetup.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

OneDriveUpdate.exeOneDrive.exe

pid process

736 OneDriveUpdate.exe
4456 OneDrive.exe

pid	process
736	OneDriveUpdate.exe
4456	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kl.edata.exeOneDriveUpdate.exeOneDrive.exeWerFault.exeOneDriveSetup.exeOneDriveSetup.exeOneDrive.exeWerFault.exe

pid	process
4656	kl.edata.exe
4656	kl.edata.exe
736	OneDriveUpdate.exe
736	OneDriveUpdate.exe
3256	OneDrive.exe
3256	OneDrive.exe
3256	OneDrive.exe
3256	OneDrive.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1108	OneDriveSetup.exe
1108	OneDriveSetup.exe
1108	OneDriveSetup.exe
1108	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
2100	OneDriveSetup.exe
4456	OneDrive.exe
4456	OneDrive.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exeOneDriveSetup.exesvchost.exeOneDriveSetup.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1012	WerFault.exe
Token: SeBackupPrivilege	1012	WerFault.exe
Token: SeDebugPrivilege	1012	WerFault.exe
Token: SeIncreaseQuotaPrivilege	1108	OneDriveSetup.exe
Token: SeTcbPrivilege	1804	svchost.exe
Token: SeTcbPrivilege	1804	svchost.exe
Token: SeIncreaseQuotaPrivilege	2100	OneDriveSetup.exe
Token: SeDebugPrivilege	4100	WerFault.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

OneDriveUpdate.exeOneDrive.exe

pid process

736 OneDriveUpdate.exe
736 OneDriveUpdate.exe
736 OneDriveUpdate.exe
736 OneDriveUpdate.exe
4456 OneDrive.exe
4456 OneDrive.exe
4456 OneDrive.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

OneDriveUpdate.exeOneDrive.exe

pid process

736 OneDriveUpdate.exe
736 OneDriveUpdate.exe
736 OneDriveUpdate.exe
736 OneDriveUpdate.exe
4456 OneDrive.exe
4456 OneDrive.exe
4456 OneDrive.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OneDriveUpdate.exeOneDrive.exe

pid process

736 OneDriveUpdate.exe
4456 OneDrive.exe
4456 OneDrive.exe
4456 OneDrive.exe

pid	process
736	OneDriveUpdate.exe
736	OneDriveUpdate.exe
736	OneDriveUpdate.exe
736	OneDriveUpdate.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe

pid	process
736	OneDriveUpdate.exe
736	OneDriveUpdate.exe
736	OneDriveUpdate.exe
736	OneDriveUpdate.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe

pid	process
736	OneDriveUpdate.exe
4456	OneDrive.exe
4456	OneDrive.exe
4456	OneDrive.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

kl.edata.exeOneDrive.exeOneDriveUpdate.exesvchost.exeOneDriveSetup.exe

description	pid	process	target process
PID 4656 wrote to memory of 736	4656	kl.edata.exe	OneDriveUpdate.exe
PID 4656 wrote to memory of 736	4656	kl.edata.exe	OneDriveUpdate.exe
PID 4656 wrote to memory of 736	4656	kl.edata.exe	OneDriveUpdate.exe
PID 4656 wrote to memory of 3256	4656	kl.edata.exe	OneDrive.exe
PID 4656 wrote to memory of 3256	4656	kl.edata.exe	OneDrive.exe
PID 4656 wrote to memory of 3256	4656	kl.edata.exe	OneDrive.exe
PID 3256 wrote to memory of 3796	3256	OneDrive.exe	OneDriveUpdate.exe
PID 3256 wrote to memory of 3796	3256	OneDrive.exe	OneDriveUpdate.exe
PID 3256 wrote to memory of 3796	3256	OneDrive.exe	OneDriveUpdate.exe
PID 736 wrote to memory of 1108	736	OneDriveUpdate.exe	OneDriveSetup.exe
PID 736 wrote to memory of 1108	736	OneDriveUpdate.exe	OneDriveSetup.exe
PID 736 wrote to memory of 1108	736	OneDriveUpdate.exe	OneDriveSetup.exe
PID 1804 wrote to memory of 2100	1804	svchost.exe	OneDriveSetup.exe
PID 1804 wrote to memory of 2100	1804	svchost.exe	OneDriveSetup.exe
PID 1804 wrote to memory of 2100	1804	svchost.exe	OneDriveSetup.exe
PID 2100 wrote to memory of 4028	2100	OneDriveSetup.exe	FileSyncConfig.exe
PID 2100 wrote to memory of 4028	2100	OneDriveSetup.exe	FileSyncConfig.exe
PID 2100 wrote to memory of 4028	2100	OneDriveSetup.exe	FileSyncConfig.exe
PID 1804 wrote to memory of 4456	1804	svchost.exe	OneDrive.exe
PID 1804 wrote to memory of 4456	1804	svchost.exe	OneDrive.exe
PID 1804 wrote to memory of 4456	1804	svchost.exe	OneDrive.exe

C:\Users\Admin\AppData\Local\Temp\kl.edata.exe
"C:\Users\Admin\AppData\Local\Temp\kl.edata.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveUpdate.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveUpdate.exe
2⤵
- Modifies system executable filetype association
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncConfig.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Modifies registry class
PID:4028

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
5⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 3100
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 3184
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4128

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveUpdate.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveUpdate.exe
3⤵
- Modifies system executable filetype association
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1348
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncClient.dll
MD5
89adab4edd865b12ad66ebb574cd7ca8

SHA1
a319d5e0c163459f4b317ec76233937c0fd6d64f

SHA256
5e8936cc099cd4bef628a32562131c682cc6fe12664f0b74c95f4dae8741e409

SHA512
4aa3d50ed9496e8b4448a36bab57e2bc9730e415b9c9a1bdd47ea071118fa25bb6328dbd701fd8591414f0ae44238e2f11626730c515ce7fdb5ed8c146d2516b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncConfig.exe
MD5
09a77ec1608dd712ad1361ceca2d7b55

SHA1
b45f1e0c1a02a9fca7e31b7f2c36e72c9b79a835

SHA256
cb5d88df3e8302501d3a22fdd74a1d71a7fcf5e066095d5b615a8fa755b6bc3f

SHA512
553813a17371a2cca55d983c55418bdf2d671809d775083ccb59a6d2f82c372d0bff1489f4c0a708bc0ec2b16b9d46701db532f9fa904e413f5cf3807e2b358a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncSessions.dll
MD5
7b044c9a9338497aebc5dece7d6e8ee7

SHA1
0b54a90c99fa61020749ce7079d4b3dea16f5693

SHA256
216a77fc84c2016e66a92fd1ee9ef7d92693a5e77461cf68e4123a5b8395e009

SHA512
6c7e3524bd16134bbc4eea7584c8859d92140c19fa8e8986f6e9687397287960427d47007727feacf9347bfb805c4f6bce360d6442244a3e24f67dd252a9f896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncTelemetryExtensions.dll
MD5
48969edb56d7026da88e2195d4ad938a

SHA1
725cd1c681667e8110f77917fb5fa768e5c0e8b8

SHA256
a7760d039104a78319c66d894d524c9cf9eaea28fe8cb21b500f7fd5d152dc21

SHA512
34ded2a422611f43a9c808a3c811fb5c9af51ce2167473e162eb105d68d5e88002ba7f345ad26f6f5f65c60095248a7fd0cea755a4b1e9f8f5324b94a865e0ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncViews.dll
MD5
e5596ab78fadc50b94375b9206c4d00c

SHA1
25f7588b37c4809f6aa08121e42b8545dbd4879b

SHA256
dcf9a6c2750d31671f37410b478cd3bd967ecd271fc71e386be07baa1102939f

SHA512
978aea4f67bd6c79531d9170d9ece56005c2d04d726e02ce6ce9351e70e58577c3f42f60b0ce08f8150ad3e65e30bfdf25b090029b4759dc5ad96b84fd214cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\LogUploader.dll
MD5
ce5f677c5a7d782a846dc6c60c615203

SHA1
8011fad39b159edfd6358bda7e9f55351a73b525

SHA256
ae159b988afeebefdcff15c3f91eeddcf422a421b5de8efb2a6c1eaf74fd04e0

SHA512
a616309b8459217819454acebc833aae88f315e7cf9768918573771e184efdd526820a6b5fcc8653d8098c6c0ef8fcbdc147042c640d4225366225c31df02a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\LoggingPlatform.DLL
MD5
e467e2945ac76f470ab4a0a179f7283a

SHA1
919c040474507674c0b14119c5efd5e6f5065088

SHA256
76337d74d5a180dd648f2000536251c2394646ff4895af21e8f0095e06ec5a7b

SHA512
fe78e1cf630bf15bb0dd711bd88a96d01d9b21ac9ef943c1e657dfa6dea1d32f5ba1619f96eda57ffe93afb31fde745ecd5bfe20ee5e9747fbf3d72886c5ad2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\MSVCP140.dll
MD5
85dca117b952bf5b0595d8fed580c63a

SHA1
164e51fe25dfeedbaf6cefddf97348f23ef85b99

SHA256
70fde1408ab2cc048543c7ced6a73df73b5f2435ff22c6f699f5943bbf22dfef

SHA512
35a05c11bcc33b77a6870eb21765f0d310648aebc22bfd3c02428d4186441753d9950ff37846ddf5850ca38ac1e54e40df3fd409fa53032138f782f97b1bc4e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\OneDriveTelemetryStable.dll
MD5
3bc499a87432314c6e9f72d27cd87e1d

SHA1
3a5b136f0d76d670333d7b72fd6e469ac8c612bb

SHA256
dc6f3e9e3be18af43a18a6226c1762791d9efdd0df07db96e6d2f35230e29eae

SHA512
024e9ae0240ad5be2cdd8615b2002b0e30d8786c6182bfabcedd26a6cf7fba716873376763200ab82e429b45061b50715414f46b2ffcbd5ffcb3488becc1fe2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5Core.dll
MD5
032dd28fabbffb089acb85d62cb37ecd

SHA1
fdf651c3715a0b1ba06b6d0332ea89b138145393

SHA256
78d0ff0865422ba2f73700b5636ee58ef1d85fba96c4f3eb9707341c835fa990

SHA512
ed773113b56a210d5f92ba299b39eae8bf0196147b3fc4e39eb91e961d5038ca707ed8375c00059d27f86d759b0182770ed1cdf1ee3b8478aea298134fe8f824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5Gui.dll
MD5
e189a8519e8d1e463bb489cc5a942d40

SHA1
44dffa9af870bb394f68d1508dca230b6a0a21f0

SHA256
73d82d8bb7060911b7d1e80fbe574084b5e7d75897810560a8e148ec782d0338

SHA512
5783649feaf4e939cc79f08af6a154772ea6b1d80d124225dc9cea2a214c7e674bb0b22e05e2a84a3601402923fe0bcf59026e66b72d996e2f92cdd25df4ef8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5Qml.dll
MD5
2ebc6b21d6380d5a567ffd7544cec4e6

SHA1
846276036ac3aeb180d292e34bbc8c9c1373843c

SHA256
62170c1c605ad67c5c6c0350f13dd38767da92b79f105a7c1c93af44635ba709

SHA512
8ba2626a3d645042ddae00d33f008b1354d61a5b70295e0b502c18b102d52aa3c159398e439c40d0bb1b7fc4f9af20f85e7061e5a6e14b4cbb410ecbc52d38ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5Quick.dll
MD5
940617facbaabb873fac0ccb1780532e

SHA1
43ff96e090119f55eafa2ace6672c3c490a65dd3

SHA256
2a39b8ad7cc499cd3f6561a8eea3037ff5002f127cd7ff54186b43c0ac830205

SHA512
06ec3f0c10cced671bed589c6cc6dbbd8a4671cfc74879b049ad3b6fdf940856f6c5b02ea40951dd5c4d4b7262290968ca7c463b132b07e77241b1c57c7b27a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5Widgets.dll
MD5
68994d2e487a6e08a1807d2ff3913ae9

SHA1
fab3f89650608f9059a14b358c0f64e2e7491ee3

SHA256
7708e235020cec603d02de836531ea4b0464606ae8057a7cbe1d3781515f521f

SHA512
0add443236f802684441f99b15b022c55b66ce05b490f8623c8948d481d7515348c1a5361b4108dce0589edd959a7549eb2f7eb575056e896120a877e2a37306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5WinExtras.dll
MD5
1d32918a1f77ac3ea186fe1215a74137

SHA1
9f15221e7607c88bf8e85e2e363ae5642d2d661a

SHA256
db1ea5a2053bd375d46319be202fec43aa17d59f3c11126054c10ecb0bc56ecd

SHA512
536fb1fa3c73571d96c21ab4521d7479e3b7ec09d83331f90818bddc485de081ffd7664cd4c2f943bf76ca73a69aea40d42abce8f590812279222bbcdcb26765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\SyncEngine.DLL
MD5
393cda2a0a4ae5b3d64f65c00e94ae9f

SHA1
629a947f0c44fc38d193d2a22fd1febc67936bdf

SHA256
0b305c5252e775f335568e7da28b945589f17e4b5cf8b38e42371db5186e78a2

SHA512
f54ccc116029ed4a9232a3c4caddd9896b4f6e914baab80e47bb12af28367d74925ef6ddca3a429f4d8902ac7fb946fad6e1301e03e9e83551eb68ef4a1dae9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Telemetry.dll
MD5
e86398b1228b59ddb5df12376e5b685c

SHA1
4b4f1cb66230465c97c7458ee0f74fa7bc445d73

SHA256
840f56e331b1bc4bb8024cae64230e2a31589197c57db84b9ff098f6149c101f

SHA512
a64a2a8bced8a663635352d3a015a692733e59ed6b046df92efdd011c781c33e7285aea62375ca060d9ce7c07ffc575b2702163a0b66e80da7bc8e30a65365c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\UpdateRingSettings.dll
MD5
dbe73616723238b1872f777b2a4cfe82

SHA1
0669acfe65788a69d50ba013a446d6750a502f0c

SHA256
308658f776173c91f34b5a22b203dac3b31b97594d00e92e9701e8da86086728

SHA512
e780a19ccac608943cd333da5732f277fc781c18bbb9703091387e8a4c2989af83e57997c3871f8c5612803b8b99c2707b9a6ac5bddd704d7455bf06fe9f9c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\VCRUNTIME140.dll
MD5
ea0b951701417dd9caba984622c7055c

SHA1
88a71bb9946b7f00cd929bf623ae9719061fa4bc

SHA256
b81b3ac42e1441e48765235f8e96a8dca26b375db5daaa1a335efed463f3a509

SHA512
338351e25d6f0fb8d12789918f4bbf7d52cc75c1a9b00d19f7eea26c6147bb78fea61d9a14a0f960522b199a15d85aa555198647937192aa3742360bb72f9d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\WnsClientApi.dll
MD5
3612dff272f8699b2307e91cb6bb5e67

SHA1
051b0144d86d450567aec8b5002c48b9337c5f3a

SHA256
1b92c7f9bb815ad407c855fba9b5793613c90ab371f687632853d8f381677e32

SHA512
afd401200891fe31b1ebfe988c6461ddb85dbc61e9d724121e4f7189e2f91b999f907f84a4249880720bf8b67e620cf0685e94304ebf5dbd6bcc8380488c0698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\adal.dll
MD5
2391c30bcffef0c3f431ec92aca45287

SHA1
99b06c4f12232e3de76f96f6b0e8ea65d879269e

SHA256
de1cb628cc19020886333d0df5e00a5c9a6ca9dff1c918721d2af76eba7b68e6

SHA512
81a973601679ca209cbff2502787677dcf36f1fbcfec275129ef26bf1737a92273eb5fcd4049000962040988689e5a1c18729030246637b95f0727953678630e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\ucrtbase.dll
MD5
3dda5b7f2f1fe6f562d8c46503e29ca0

SHA1
ddc885c28c824b1e3005d33fc69fa5ae9ee2202f

SHA256
93547dc7581e08d8ea4d9e40f1b9e56b630cc0935a4b24169d5acfd5fe7ee732

SHA512
3f48e75ef1bb5a9ee8f0c40f234e1fbe48926791fdf9ffacf909b7c1fefda46a66a09c215895787ce403f0b0ca87bdd449d291da4dbdcf7c7e656a5629b2311c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
MD5
36fffcd5ceae94df443a16d622dfd786

SHA1
8989ed41babcd0711fade3efc9116395ca2a1571

SHA256
ac8fa5bbc7c699494461478225e87f35f3dfdad62fcc998e08a1f506e1e94631

SHA512
c6825cc9dbbcedf9d0b013d84d214783f5bc7e5984d8dd5266b22e5a2372eefa93fcf300c4c89ded002678d696c34a6f2e95034cb0cfdd316dacef3663accba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
MD5
36fffcd5ceae94df443a16d622dfd786

SHA1
8989ed41babcd0711fade3efc9116395ca2a1571

SHA256
ac8fa5bbc7c699494461478225e87f35f3dfdad62fcc998e08a1f506e1e94631

SHA512
c6825cc9dbbcedf9d0b013d84d214783f5bc7e5984d8dd5266b22e5a2372eefa93fcf300c4c89ded002678d696c34a6f2e95034cb0cfdd316dacef3663accba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
MD5
5cd58d2dbfb340e6eb193349e8774636

SHA1
db563a7a1e6842b98897c3e10cfe4d9e529774f9

SHA256
8e35413ce42e8c4876ea03f251ba5ce9ac991ddfe620ab54c1bec40afc28055d

SHA512
781b27198b7748fc10804050a87f1cb2e211a0d9e15abd79a4e399a7735c8d3dd1a2306e9a4495f6e71b55583ce24e0a8b9699352ac3b941e97baf8c957778ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
MD5
63b7580e1f97d5db0c5d5bfc74c88256

SHA1
724d1f1a329549879f40e95dad08d25390b75e1a

SHA256
3d0fd9bc472509a7d32d42f7251c00284081aff944303c1fb4058ec719c7f972

SHA512
49bd6ddf54728c87c7b8d07a60f9b065e40b1ff8a57c4b1d143de7a64552e599d3622821ac2682fd079b07e26cc07c66f1887f5dd548fe987f9ec7a74a0c2bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
MD5
63b7580e1f97d5db0c5d5bfc74c88256

SHA1
724d1f1a329549879f40e95dad08d25390b75e1a

SHA256
3d0fd9bc472509a7d32d42f7251c00284081aff944303c1fb4058ec719c7f972

SHA512
49bd6ddf54728c87c7b8d07a60f9b065e40b1ff8a57c4b1d143de7a64552e599d3622821ac2682fd079b07e26cc07c66f1887f5dd548fe987f9ec7a74a0c2bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
MD5
63b7580e1f97d5db0c5d5bfc74c88256

SHA1
724d1f1a329549879f40e95dad08d25390b75e1a

SHA256
3d0fd9bc472509a7d32d42f7251c00284081aff944303c1fb4058ec719c7f972

SHA512
49bd6ddf54728c87c7b8d07a60f9b065e40b1ff8a57c4b1d143de7a64552e599d3622821ac2682fd079b07e26cc07c66f1887f5dd548fe987f9ec7a74a0c2bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2021-4-19.2219.3796.1.odl
MD5
1a5bf610b0725fb2cb59957faf4a63f1

SHA1
bb68fdea59c032dafb143926a06b2dc92078957f

SHA256
bbaf0a7b6591d86fb36ecd29e86fdcf9cf8873deafc762744dbd1562abbd9d81

SHA512
67cb384eeaecb6d585ed3aeaa3d804b25e59be5e4fd91ab16ce2cb1be060ff8d2c4689aa7e0c8e640801314359f501f36d39ceac4f2697db0f25a6aabbb94980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2021-4-19.2219.736.1.aodl
MD5
04e39240da9c8a322afcf6f6af32d685

SHA1
38c2312fea453c64feb5367821a1f75f7460cbfe

SHA256
4b87274be7e9b9a97587836cf07ab6428c3623ecafa58c7d57490cb034cf2d74

SHA512
abe1f78680fb09804b22d4fade8aa92370f899198d97c56d1ee8730de446f0c91b8a3879b822c44e435b5115a7ba6fa7ecb23ab2117d86404a78294d1dd4c658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2021-4-19.2219.736.1.odl
MD5
cf33518657adedb1662b247e7fb45577

SHA1
98e15f58b84a07499b4610ddafc26cde509b28a4

SHA256
ee4b803eb1f5e886a6f34cab24fe36103c9ca1b515deb680d5822c040bc26eff

SHA512
a0e53e791b1ae0607a82aeca75d0f6f4b0d2aa05979b9980c5e0a276984c50be0b175abd515846089523f0c5552b413ae753fad1e29325014ea6289034c524b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceCurrent.0729.0013.etl
MD5
d897cf9611c1efba34f3c72524bd6144

SHA1
b4aeb48bee478186217eafda1e9f3ba48ade8aae

SHA256
509c1622739f26b8268bcd74601449feddba6e015931a4d58d25ba0984325d8d

SHA512
6a6bc41b5cc817db6c3c1459278678c9d1a16c44b0f3b040a46b999fdc33d16b0e0c07fefec6ac6a939e3d73368ad156f6a79fff2ed77abade9da90eec8d1eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\telemetryCache.otc.session
MD5
d636e21ff4e7de4ab0931bc57f4ace8e

SHA1
476b8cb983841494eff671b12c74a046f400d4da

SHA256
1d5055deb293ecb9b5d51068f14ebdfeee3768d561d18e92fade068459722cce

SHA512
11f698a3fe6f51e14490a016b5db52ad2cbe3d07296bf59f931b9025d7017d547188e1043bc99a97a8f52e0f575ac7ad069c4a4d404ee287fa64ee12d2cfb38a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\telemetryCache.otc.session
MD5
88931b226ba7ad7b2d56960ad4a34057

SHA1
387e2fc298cd757703e2729507363c693d412d2d

SHA256
b81193419cb72e7a428a35217ed323bd8ffaba0d29f4fa96e8adf9fae65f5375

SHA512
ab058f19044826a825b4fd1f746539319f0038e88635afe4f69961a7bfb4ac7ba72588007162c004c352fbdd735841629a9829c33dac5cf4e241816ebd8a620b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
MD5
aded22e9276971b7ba690b808d151901

SHA1
0c5736a07b72c572e27b299f09e46d77972707fb

SHA256
f45d5db5e08e60c10373406006829d79e2de77c1dc065aa5d7da1941b96cbf4e

SHA512
b04a4a090cbffcdde8ea606476b16a73f77fd331a1032f6228cdbaacec8d9356886ce2cebac9bd5acb846e2d77e1dbe7f7d61287b120769f69895f95b550b8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3796.log
MD5
0cb33b61785697a7908001bb821bd3a0

SHA1
7f47b7b55a1b8422aad0ee5f00c55c7a62fff06a

SHA256
c1f77bc9898d08f2728b2dc8110f0110e3c8b76d5f24d0bc7650b8d69833c0b9

SHA512
9f3a862147fd1fb97d168d403e1bc3b716eba596415e9a43f0e0c3a3a9ad17136c01a868822d3d67f03b31412dad531df73f711368d1c4e654264f1e39be6f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-736.log
MD5
e45782246215f86372fd54211b620211

SHA1
719d96b3f65648db067caf29aeda547f3e1882aa

SHA256
25e13331e2642a696ca089c37abd670a81025d1cd6d101bfbd516dd22cbc45f3

SHA512
d53a3431f4ee4ad1064e079969001fbd866482ddb391c2e011ed27ac85c240269695eb5986bb000f8bef7ca2764a625b870208b2b15896c84696ea7a41f1727e

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncClient.dll
MD5
89adab4edd865b12ad66ebb574cd7ca8

SHA1
a319d5e0c163459f4b317ec76233937c0fd6d64f

SHA256
5e8936cc099cd4bef628a32562131c682cc6fe12664f0b74c95f4dae8741e409

SHA512
4aa3d50ed9496e8b4448a36bab57e2bc9730e415b9c9a1bdd47ea071118fa25bb6328dbd701fd8591414f0ae44238e2f11626730c515ce7fdb5ed8c146d2516b

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncSessions.dll
MD5
7b044c9a9338497aebc5dece7d6e8ee7

SHA1
0b54a90c99fa61020749ce7079d4b3dea16f5693

SHA256
216a77fc84c2016e66a92fd1ee9ef7d92693a5e77461cf68e4123a5b8395e009

SHA512
6c7e3524bd16134bbc4eea7584c8859d92140c19fa8e8986f6e9687397287960427d47007727feacf9347bfb805c4f6bce360d6442244a3e24f67dd252a9f896

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncTelemetryExtensions.dll
MD5
48969edb56d7026da88e2195d4ad938a

SHA1
725cd1c681667e8110f77917fb5fa768e5c0e8b8

SHA256
a7760d039104a78319c66d894d524c9cf9eaea28fe8cb21b500f7fd5d152dc21

SHA512
34ded2a422611f43a9c808a3c811fb5c9af51ce2167473e162eb105d68d5e88002ba7f345ad26f6f5f65c60095248a7fd0cea755a4b1e9f8f5324b94a865e0ff

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\FileSyncViews.dll
MD5
e5596ab78fadc50b94375b9206c4d00c

SHA1
25f7588b37c4809f6aa08121e42b8545dbd4879b

SHA256
dcf9a6c2750d31671f37410b478cd3bd967ecd271fc71e386be07baa1102939f

SHA512
978aea4f67bd6c79531d9170d9ece56005c2d04d726e02ce6ce9351e70e58577c3f42f60b0ce08f8150ad3e65e30bfdf25b090029b4759dc5ad96b84fd214cb7

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\LogUploader.dll
MD5
ce5f677c5a7d782a846dc6c60c615203

SHA1
8011fad39b159edfd6358bda7e9f55351a73b525

SHA256
ae159b988afeebefdcff15c3f91eeddcf422a421b5de8efb2a6c1eaf74fd04e0

SHA512
a616309b8459217819454acebc833aae88f315e7cf9768918573771e184efdd526820a6b5fcc8653d8098c6c0ef8fcbdc147042c640d4225366225c31df02a12

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\LogUploader.dll
MD5
ce5f677c5a7d782a846dc6c60c615203

SHA1
8011fad39b159edfd6358bda7e9f55351a73b525

SHA256
ae159b988afeebefdcff15c3f91eeddcf422a421b5de8efb2a6c1eaf74fd04e0

SHA512
a616309b8459217819454acebc833aae88f315e7cf9768918573771e184efdd526820a6b5fcc8653d8098c6c0ef8fcbdc147042c640d4225366225c31df02a12

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\LoggingPlatform.dll
MD5
e467e2945ac76f470ab4a0a179f7283a

SHA1
919c040474507674c0b14119c5efd5e6f5065088

SHA256
76337d74d5a180dd648f2000536251c2394646ff4895af21e8f0095e06ec5a7b

SHA512
fe78e1cf630bf15bb0dd711bd88a96d01d9b21ac9ef943c1e657dfa6dea1d32f5ba1619f96eda57ffe93afb31fde745ecd5bfe20ee5e9747fbf3d72886c5ad2d

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\LoggingPlatform.dll
MD5
e467e2945ac76f470ab4a0a179f7283a

SHA1
919c040474507674c0b14119c5efd5e6f5065088

SHA256
76337d74d5a180dd648f2000536251c2394646ff4895af21e8f0095e06ec5a7b

SHA512
fe78e1cf630bf15bb0dd711bd88a96d01d9b21ac9ef943c1e657dfa6dea1d32f5ba1619f96eda57ffe93afb31fde745ecd5bfe20ee5e9747fbf3d72886c5ad2d

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\OneDriveTelemetryStable.dll
MD5
3bc499a87432314c6e9f72d27cd87e1d

SHA1
3a5b136f0d76d670333d7b72fd6e469ac8c612bb

SHA256
dc6f3e9e3be18af43a18a6226c1762791d9efdd0df07db96e6d2f35230e29eae

SHA512
024e9ae0240ad5be2cdd8615b2002b0e30d8786c6182bfabcedd26a6cf7fba716873376763200ab82e429b45061b50715414f46b2ffcbd5ffcb3488becc1fe2f

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5Core.dll
MD5
032dd28fabbffb089acb85d62cb37ecd

SHA1
fdf651c3715a0b1ba06b6d0332ea89b138145393

SHA256
78d0ff0865422ba2f73700b5636ee58ef1d85fba96c4f3eb9707341c835fa990

SHA512
ed773113b56a210d5f92ba299b39eae8bf0196147b3fc4e39eb91e961d5038ca707ed8375c00059d27f86d759b0182770ed1cdf1ee3b8478aea298134fe8f824

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5Gui.dll
MD5
e189a8519e8d1e463bb489cc5a942d40

SHA1
44dffa9af870bb394f68d1508dca230b6a0a21f0

SHA256
73d82d8bb7060911b7d1e80fbe574084b5e7d75897810560a8e148ec782d0338

SHA512
5783649feaf4e939cc79f08af6a154772ea6b1d80d124225dc9cea2a214c7e674bb0b22e05e2a84a3601402923fe0bcf59026e66b72d996e2f92cdd25df4ef8b

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Qt5Quick.dll
MD5
940617facbaabb873fac0ccb1780532e

SHA1
43ff96e090119f55eafa2ace6672c3c490a65dd3

SHA256
2a39b8ad7cc499cd3f6561a8eea3037ff5002f127cd7ff54186b43c0ac830205

SHA512
06ec3f0c10cced671bed589c6cc6dbbd8a4671cfc74879b049ad3b6fdf940856f6c5b02ea40951dd5c4d4b7262290968ca7c463b132b07e77241b1c57c7b27a1

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\SyncEngine.dll
MD5
393cda2a0a4ae5b3d64f65c00e94ae9f

SHA1
629a947f0c44fc38d193d2a22fd1febc67936bdf

SHA256
0b305c5252e775f335568e7da28b945589f17e4b5cf8b38e42371db5186e78a2

SHA512
f54ccc116029ed4a9232a3c4caddd9896b4f6e914baab80e47bb12af28367d74925ef6ddca3a429f4d8902ac7fb946fad6e1301e03e9e83551eb68ef4a1dae9e

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Telemetry.dll
MD5
e86398b1228b59ddb5df12376e5b685c

SHA1
4b4f1cb66230465c97c7458ee0f74fa7bc445d73

SHA256
840f56e331b1bc4bb8024cae64230e2a31589197c57db84b9ff098f6149c101f

SHA512
a64a2a8bced8a663635352d3a015a692733e59ed6b046df92efdd011c781c33e7285aea62375ca060d9ce7c07ffc575b2702163a0b66e80da7bc8e30a65365c2

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\Telemetry.dll
MD5
e86398b1228b59ddb5df12376e5b685c

SHA1
4b4f1cb66230465c97c7458ee0f74fa7bc445d73

SHA256
840f56e331b1bc4bb8024cae64230e2a31589197c57db84b9ff098f6149c101f

SHA512
a64a2a8bced8a663635352d3a015a692733e59ed6b046df92efdd011c781c33e7285aea62375ca060d9ce7c07ffc575b2702163a0b66e80da7bc8e30a65365c2

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\UpdateRingSettings.dll
MD5
dbe73616723238b1872f777b2a4cfe82

SHA1
0669acfe65788a69d50ba013a446d6750a502f0c

SHA256
308658f776173c91f34b5a22b203dac3b31b97594d00e92e9701e8da86086728

SHA512
e780a19ccac608943cd333da5732f277fc781c18bbb9703091387e8a4c2989af83e57997c3871f8c5612803b8b99c2707b9a6ac5bddd704d7455bf06fe9f9c84

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\UpdateRingSettings.dll
MD5
dbe73616723238b1872f777b2a4cfe82

SHA1
0669acfe65788a69d50ba013a446d6750a502f0c

SHA256
308658f776173c91f34b5a22b203dac3b31b97594d00e92e9701e8da86086728

SHA512
e780a19ccac608943cd333da5732f277fc781c18bbb9703091387e8a4c2989af83e57997c3871f8c5612803b8b99c2707b9a6ac5bddd704d7455bf06fe9f9c84

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\adal.dll
MD5
2391c30bcffef0c3f431ec92aca45287

SHA1
99b06c4f12232e3de76f96f6b0e8ea65d879269e

SHA256
de1cb628cc19020886333d0df5e00a5c9a6ca9dff1c918721d2af76eba7b68e6

SHA512
81a973601679ca209cbff2502787677dcf36f1fbcfec275129ef26bf1737a92273eb5fcd4049000962040988689e5a1c18729030246637b95f0727953678630e

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\msvcp140.dll
MD5
85dca117b952bf5b0595d8fed580c63a

SHA1
164e51fe25dfeedbaf6cefddf97348f23ef85b99

SHA256
70fde1408ab2cc048543c7ced6a73df73b5f2435ff22c6f699f5943bbf22dfef

SHA512
35a05c11bcc33b77a6870eb21765f0d310648aebc22bfd3c02428d4186441753d9950ff37846ddf5850ca38ac1e54e40df3fd409fa53032138f782f97b1bc4e4

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\msvcp140.dll
MD5
85dca117b952bf5b0595d8fed580c63a

SHA1
164e51fe25dfeedbaf6cefddf97348f23ef85b99

SHA256
70fde1408ab2cc048543c7ced6a73df73b5f2435ff22c6f699f5943bbf22dfef

SHA512
35a05c11bcc33b77a6870eb21765f0d310648aebc22bfd3c02428d4186441753d9950ff37846ddf5850ca38ac1e54e40df3fd409fa53032138f782f97b1bc4e4

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\msvcp140.dll
MD5
85dca117b952bf5b0595d8fed580c63a

SHA1
164e51fe25dfeedbaf6cefddf97348f23ef85b99

SHA256
70fde1408ab2cc048543c7ced6a73df73b5f2435ff22c6f699f5943bbf22dfef

SHA512
35a05c11bcc33b77a6870eb21765f0d310648aebc22bfd3c02428d4186441753d9950ff37846ddf5850ca38ac1e54e40df3fd409fa53032138f782f97b1bc4e4

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\msvcp140.dll
MD5
85dca117b952bf5b0595d8fed580c63a

SHA1
164e51fe25dfeedbaf6cefddf97348f23ef85b99

SHA256
70fde1408ab2cc048543c7ced6a73df73b5f2435ff22c6f699f5943bbf22dfef

SHA512
35a05c11bcc33b77a6870eb21765f0d310648aebc22bfd3c02428d4186441753d9950ff37846ddf5850ca38ac1e54e40df3fd409fa53032138f782f97b1bc4e4

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\msvcp140.dll
MD5
85dca117b952bf5b0595d8fed580c63a

SHA1
164e51fe25dfeedbaf6cefddf97348f23ef85b99

SHA256
70fde1408ab2cc048543c7ced6a73df73b5f2435ff22c6f699f5943bbf22dfef

SHA512
35a05c11bcc33b77a6870eb21765f0d310648aebc22bfd3c02428d4186441753d9950ff37846ddf5850ca38ac1e54e40df3fd409fa53032138f782f97b1bc4e4

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\ucrtbase.dll
MD5
3dda5b7f2f1fe6f562d8c46503e29ca0

SHA1
ddc885c28c824b1e3005d33fc69fa5ae9ee2202f

SHA256
93547dc7581e08d8ea4d9e40f1b9e56b630cc0935a4b24169d5acfd5fe7ee732

SHA512
3f48e75ef1bb5a9ee8f0c40f234e1fbe48926791fdf9ffacf909b7c1fefda46a66a09c215895787ce403f0b0ca87bdd449d291da4dbdcf7c7e656a5629b2311c

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\vcruntime140.dll
MD5
ea0b951701417dd9caba984622c7055c

SHA1
88a71bb9946b7f00cd929bf623ae9719061fa4bc

SHA256
b81b3ac42e1441e48765235f8e96a8dca26b375db5daaa1a335efed463f3a509

SHA512
338351e25d6f0fb8d12789918f4bbf7d52cc75c1a9b00d19f7eea26c6147bb78fea61d9a14a0f960522b199a15d85aa555198647937192aa3742360bb72f9d03

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\vcruntime140.dll
MD5
ea0b951701417dd9caba984622c7055c

SHA1
88a71bb9946b7f00cd929bf623ae9719061fa4bc

SHA256
b81b3ac42e1441e48765235f8e96a8dca26b375db5daaa1a335efed463f3a509

SHA512
338351e25d6f0fb8d12789918f4bbf7d52cc75c1a9b00d19f7eea26c6147bb78fea61d9a14a0f960522b199a15d85aa555198647937192aa3742360bb72f9d03

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.052.0314.0001\vcruntime140.dll
MD5
ea0b951701417dd9caba984622c7055c

SHA1
88a71bb9946b7f00cd929bf623ae9719061fa4bc

SHA256
b81b3ac42e1441e48765235f8e96a8dca26b375db5daaa1a335efed463f3a509

SHA512
338351e25d6f0fb8d12789918f4bbf7d52cc75c1a9b00d19f7eea26c6147bb78fea61d9a14a0f960522b199a15d85aa555198647937192aa3742360bb72f9d03

Download Submit
memory/736-116-0x0000000000000000-mapping.dmp

Download
memory/1108-127-0x0000000000000000-mapping.dmp

Download
memory/2100-131-0x0000000000000000-mapping.dmp

Download
memory/3256-117-0x0000000000000000-mapping.dmp

Download
memory/3256-121-0x0000000000100000-0x000000000033F000-memory.dmp

Filesize
2.2MB

Download
memory/3256-120-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/3796-122-0x0000000000000000-mapping.dmp

Download
memory/4028-134-0x0000000000000000-mapping.dmp

Download
memory/4456-149-0x0000000000000000-mapping.dmp

Download
memory/4456-189-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4656-114-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/4656-115-0x0000000001280000-0x00000000014BF000-memory.dmp

Filesize
2.2MB

Download