qakbot | a86818684a994827ad2bdf3e23ec65cc750c7475e88dd0c7ac95d030fc032788

Analysis

max time kernel
132s
max time network
139s
platform
windows10_x64
resource
win10-ja-20211014
submitted
15-10-2021 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44483.5760884259.wac.dll
Size

500KB
MD5

872d4e93263614ac34a7797908b14892
SHA1

2f90402569177161bad5130205dc8d8adf5dcd7d
SHA256

a86818684a994827ad2bdf3e23ec65cc750c7475e88dd0c7ac95d030fc032788
SHA512

b43725484cec17f47886eed8772ee1d3090028c83d4e064adff52fd0a48178aafe7e32598d2f6452f0e217ffd13684669200167e87370bc87338eef7e35fb015

Score

10^/10

qakbot obama115 1634197867 banker discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama115

Campaign

1634197867

91.178.126.51:995

220.255.25.28:2222

208.78.220.143:443

77.31.162.93:443

73.230.205.91:443

216.201.162.158:443

94.200.181.154:443

24.231.209.2:2222

89.137.52.44:443

140.82.49.12:443

65.100.174.110:32103

41.86.42.158:995

27.223.92.142:995

200.232.214.222:995

81.250.153.227:2222

217.17.56.163:465

122.60.71.201:995

120.150.218.241:995

41.228.22.180:443

69.30.186.190:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

OneDriveSetup.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

OneDriveSetup.exeOneDriveSetup.exeFileSyncConfig.exe

pid process

4808 OneDriveSetup.exe
1172 OneDriveSetup.exe
2632 FileSyncConfig.exe

pid	process
4808	OneDriveSetup.exe
1172	OneDriveSetup.exe
2632	FileSyncConfig.exe

Loads dropped DLL 8 IoCs

Processes:

FileSyncConfig.exeregsvr32.exe

pid	process
2632	FileSyncConfig.exe
2632	FileSyncConfig.exe
2632	FileSyncConfig.exe
2632	FileSyncConfig.exe
2632	FileSyncConfig.exe
2632	FileSyncConfig.exe
2632	FileSyncConfig.exe
2268	regsvr32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

Processes:

AdobeARM.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	AdobeARM.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	AdobeARM.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

820 schtasks.exe

pid	process
820	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\bdb8d232 = 7f9ff39a3e54e35771fbe38b746d4181d11e186c8e4d12bd3da9c8123048d96b09489081ad28d585f8a00e7e278c48f44ffd3790ac49d0f99ff5049e3410e7e7e4a122e50b88aa97128b53f4e4deba598e2234a6a9d17e183c93ee51af9c4b154dd0ab	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\504b557 = ef21cfc4eb7f8cc0b9415ae069c69ad52422e9587f9b1271f1163097cd7daabf560c4ad6ba196b66896d66dcd45766900df813c0296e9b2a23da413033a19393e0a2f0233dba37f13ebb5b6ac2d4bec4edd3b1e3369dfdc4a9e494be752f6f3e7422547a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\f76e6d8a = b5f3b2e8f96888e0546de23baa89c191729434b48d4822219bb4312525ae60f69f32d1eeba2866d2f6b81371817e16ce3fceec8f8bfcab8f532c3e6531f4a01c6aa894589ac1ee65739b65dc12a3dc41766cafdb41	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\745952b = 49b2f8432083649410f12b31400fd55288d7d36da8cfdb97e0dbf181541c740c9ae6e9aedb94c8ef2ae4292f82a79b1ef9de6bcaf7f3a5212f9869ea565f9355e973085e93b157e0444b465f8273c82f8f9c36510fa2616400fc7a12cdc0d166798a851d39a1cefc45ff51063ed4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\7a4ddaa1 = 574ff928932456c414c490325aa3b0a1e64e24f5a376700553c2a8bc9a1483	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\c2f1bdc4 = bc31328f6b162d69e2d2982926eab74518af4ce92c82ec3b85ca8782defbfb7baeb3136d85eacce77044dc951084454263cc4c80925883c1022d78d07ef301d118c35738b44b815dfadb531207ff0fe3fa6da9666301	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\8827027c = 49f0a93cb65e5a7a6bb328eab63234735302bec708fb934a3196e8f87519c8f649cc2d	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\8827027c = 49f0be3cb65e6f79edf89213a3c0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pujwwzilhljzzr\bff9f24e = 8462cd65c51bf42f236d95d66c976713a97fea51eed52c79eaff09f2d07bf293e742f566ed5e89c9e9a70538315e48c22c3b277acdde1fa19da77983ef0bc09fbddb88f5857392233c9fdf428d17425492928394b077	explorer.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeFileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\ProgID\ = "FileSyncClient.AutoPlayHandler.1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\BannerNotificationHandler.BannerNotificationHandler	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID\ = "{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\INTERFACE\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ = "IGetSyncStatusCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\odopen\shell\open	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\INTERFACE\{10C9242E-D604-49B5-99E4-BF87945EF86C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ = "IOneDriveInfoProvider"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\BANNERNOTIFICATIONHANDLER.BANNERNOTIFICATIONHANDLER\CURVER	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\FLAGS	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\ = "NucleusNativeMessaging Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ = "NucleusToastActivator Class"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\INTERFACE\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\ = "SyncEngineStorageProviderHandlerProxy Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.180.0905.0007\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\INTERFACE\{0F872661-C863-47A4-863F-C065C182858A}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.180.0905.0007\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

rundll32.exeOneDriveStandaloneUpdater.exeOneDriveSetup.exeOneDriveSetup.exeregsvr32.exe

pid	process
3324	rundll32.exe
3324	rundll32.exe
4704	OneDriveStandaloneUpdater.exe
4704	OneDriveStandaloneUpdater.exe
4704	OneDriveStandaloneUpdater.exe
4704	OneDriveStandaloneUpdater.exe
4808	OneDriveSetup.exe
4808	OneDriveSetup.exe
4808	OneDriveSetup.exe
4808	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
1172	OneDriveSetup.exe
2268	regsvr32.exe
2268	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3324 rundll32.exe
2268 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

OneDriveSetup.exe

description pid process

Token: SeIncreaseQuotaPrivilege 4808 OneDriveSetup.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AdobeARM.exe

pid process

3944 AdobeARM.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4808	OneDriveSetup.exe

pid	process
3944	AdobeARM.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeOneDriveStandaloneUpdater.exeAdobeARM.exeOneDriveSetup.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4564 wrote to memory of 3324	4564	rundll32.exe	rundll32.exe
PID 4564 wrote to memory of 3324	4564	rundll32.exe	rundll32.exe
PID 4564 wrote to memory of 3324	4564	rundll32.exe	rundll32.exe
PID 3324 wrote to memory of 648	3324	rundll32.exe	explorer.exe
PID 3324 wrote to memory of 648	3324	rundll32.exe	explorer.exe
PID 3324 wrote to memory of 648	3324	rundll32.exe	explorer.exe
PID 3324 wrote to memory of 648	3324	rundll32.exe	explorer.exe
PID 3324 wrote to memory of 648	3324	rundll32.exe	explorer.exe
PID 648 wrote to memory of 820	648	explorer.exe	schtasks.exe
PID 648 wrote to memory of 820	648	explorer.exe	schtasks.exe
PID 648 wrote to memory of 820	648	explorer.exe	schtasks.exe
PID 4704 wrote to memory of 4808	4704	OneDriveStandaloneUpdater.exe	OneDriveSetup.exe
PID 4704 wrote to memory of 4808	4704	OneDriveStandaloneUpdater.exe	OneDriveSetup.exe
PID 4704 wrote to memory of 4808	4704	OneDriveStandaloneUpdater.exe	OneDriveSetup.exe
PID 3944 wrote to memory of 3392	3944	AdobeARM.exe	Reader_sl.exe
PID 3944 wrote to memory of 3392	3944	AdobeARM.exe	Reader_sl.exe
PID 3944 wrote to memory of 3392	3944	AdobeARM.exe	Reader_sl.exe
PID 1172 wrote to memory of 2632	1172	OneDriveSetup.exe	FileSyncConfig.exe
PID 1172 wrote to memory of 2632	1172	OneDriveSetup.exe	FileSyncConfig.exe
PID 1172 wrote to memory of 2632	1172	OneDriveSetup.exe	FileSyncConfig.exe
PID 2164 wrote to memory of 2268	2164	regsvr32.exe	regsvr32.exe
PID 2164 wrote to memory of 2268	2164	regsvr32.exe	regsvr32.exe
PID 2164 wrote to memory of 2268	2164	regsvr32.exe	regsvr32.exe
PID 2268 wrote to memory of 2808	2268	regsvr32.exe	explorer.exe
PID 2268 wrote to memory of 2808	2268	regsvr32.exe	explorer.exe
PID 2268 wrote to memory of 2808	2268	regsvr32.exe	explorer.exe
PID 2268 wrote to memory of 2808	2268	regsvr32.exe	explorer.exe
PID 2268 wrote to memory of 2808	2268	regsvr32.exe	explorer.exe
PID 2808 wrote to memory of 2088	2808	explorer.exe	reg.exe
PID 2808 wrote to memory of 2088	2808	explorer.exe	reg.exe
PID 2808 wrote to memory of 3316	2808	explorer.exe	reg.exe
PID 2808 wrote to memory of 3316	2808	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44483.5760884259.wac.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44483.5760884259.wac.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn afwybpqavv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44483.5760884259.wac.dll\"" /SC ONCE /Z /ST 13:46 /ET 13:58
4⤵
- Creates scheduled task(s)
PID:820

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
PID:3212

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
1⤵
PID:4696

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2632

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
2⤵
PID:3392

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44483.5760884259.wac.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\44483.5760884259.wac.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hyainu" /d "0"
4⤵
PID:2088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Xyvfzbm" /d "0"
4⤵
PID:3316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
MD5
83f0d36ff2faa2fa4e78118a030ab63e

SHA1
647169771a52908a49f0662fb43bfe94cab272c3

SHA256
9fee61464aabb430bb2e8545748263d9fccbbe9830cc22b4035728f8437931e0

SHA512
31f156dc1a04f34a7c563eb575c4e867de1fce9dc6554cde20c8bc6678eba75dd8a4bc2382286c11fc0c986861b33c53718eeae70e86cce36221a584dd78f0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\LoggingPlatform.DLL
MD5
c556d77bd1b48cd05f608f8e4a50ab50

SHA1
da2f8d1d064a2c1ea73bfe2b54dc0e1bf3d971ea

SHA256
5eb5e4275907d5cb385f09b8c5d8377c1c80d96da245d4c292bf0339e0b385a7

SHA512
ee7167fe361b045832ee19e2694f7fcf1780681688f7d39a661f8da965c3a6b5ba5302970ad6099f324804f2079b237c250e9ab5f7c98501b2bd59f5ee2175af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\MSVCP140.dll
MD5
20d7849113e030aa08d7c8520914b421

SHA1
1267d0b318e76f7c0378ec5385ab4706ea1910ab

SHA256
f5e51b4242dcbe2fadf3739f82d8b97877090fe0431ce10416b09d68e31c135c

SHA512
9a8841d55b7f3ac683fb460649b262e0da6e53511bfc6b26ae5cff29a6ddb2f2e9118a22b10f20d0f573f8d78cc1b4faa853391fe3f0953e71b710927a1bb83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\Telemetry.dll
MD5
e5ff3315699d88664e432f1b4bed6f3d

SHA1
c976371a8048fa4d7db30d33ab2c11cc398b2cea

SHA256
141033fab97f52c66cb6705fda26d75ef9c215c05e2f70530df58c640a2cf145

SHA512
78f0d1e863bbc575984d0a5e9adf7789eab1247b525988c6a5541e8f04db48f6e42a1e4cbd70dc11e9fddfad5d59f2510a2e79ff0cfaf42a7b04caeff8e98b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\UpdateRingSettings.dll
MD5
69cc32beb8138585a4e9c1cd1cd65bfd

SHA1
97445591e09eb7d830e83d2cf7a532b3ef98d4c9

SHA256
076f15674e101b32a01556b9cd8382e977ea73cceafe411e9213efc145470126

SHA512
5a99068a2bc7598f98b79e84ce0a3d0e4439212c4e66e31fbcefa06ef7af46c6f1ec2831ca667c3bce0e796cf3a2aa35bf08d0e3ff4bd4f0344080cb80ab315f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\VCRUNTIME140.dll
MD5
b0c0482906e0847434d58ca0ea90d98b

SHA1
23b9ca65f4ea872e187677a951d2ef08e8fc87f4

SHA256
a95d38d5ccfc43a5749d8c5c1363005a960e9b09c8d90593e4ca6ac4ee64f8ea

SHA512
56a6f538e9e5148f9816c1cc66e708cf6b937cdf6cb48905d9495db83b9fa88e8161d1e8f6a4d923952454af0c81a780d45e92f1bacbef165ba37f5ca9f9d348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
MD5
b73b0569e075f77f6e76658d7d792939

SHA1
d09a7e685846a83f3f3b83d85e47c379364133b7

SHA256
b04200b315b222b1c160f27598a290d34142d7125937ca4c91744a80ed45ae5a

SHA512
31a315c0d1270a4fc75fac612561b9ae5e671f94bf677105b69fbcbd970c098eac6bc9869de87386771690d39c32a2a5d2a7edc935b9a2a5f2e09760fc132abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
MD5
b73b0569e075f77f6e76658d7d792939

SHA1
d09a7e685846a83f3f3b83d85e47c379364133b7

SHA256
b04200b315b222b1c160f27598a290d34142d7125937ca4c91744a80ed45ae5a

SHA512
31a315c0d1270a4fc75fac612561b9ae5e671f94bf677105b69fbcbd970c098eac6bc9869de87386771690d39c32a2a5d2a7edc935b9a2a5f2e09760fc132abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
MD5
b73b0569e075f77f6e76658d7d792939

SHA1
d09a7e685846a83f3f3b83d85e47c379364133b7

SHA256
b04200b315b222b1c160f27598a290d34142d7125937ca4c91744a80ed45ae5a

SHA512
31a315c0d1270a4fc75fac612561b9ae5e671f94bf677105b69fbcbd970c098eac6bc9869de87386771690d39c32a2a5d2a7edc935b9a2a5f2e09760fc132abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
MD5
9e9c9e129a8c83b33ba23dc55dcc67bc

SHA1
35cf2bc119aa6f0006290d3728eeb37bb44bbcfa

SHA256
f6011c6df5208e2ccdcf09eaf9af17922f6aeda95bd1544d4cc31e9cef88bb99

SHA512
a89d1a4c213e0d6a8a703dbe78e4c0556a732ba1b527cbdfa0a083ba2f0e1f52b20b6f572008e8c80899235b7fddb389bde66956332f54bf7ad2aa2af0fd71d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\44483.5760884259.wac.dll
MD5
872d4e93263614ac34a7797908b14892

SHA1
2f90402569177161bad5130205dc8d8adf5dcd7d

SHA256
a86818684a994827ad2bdf3e23ec65cc750c7475e88dd0c7ac95d030fc032788

SHA512
b43725484cec17f47886eed8772ee1d3090028c83d4e064adff52fd0a48178aafe7e32598d2f6452f0e217ffd13684669200167e87370bc87338eef7e35fb015

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4704.log
MD5
3d199488cc30b3721fdc1416b4946be6

SHA1
1112e49b6d2cc8fdf86c02db98c4bc0727d69702

SHA256
f68b3013b65353e6d8a2746db7e99337aaba3ae000642ee8e04704d3e4ede31e

SHA512
4f33e5d77c0c241cf166ede965eae81332723917fe7ab25f0f0192956e8f1606d3620ad67aa861a5bb40b7b431192177dd6e1023a81982acd470d8085eaa210b

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\LoggingPlatform.dll
MD5
c556d77bd1b48cd05f608f8e4a50ab50

SHA1
da2f8d1d064a2c1ea73bfe2b54dc0e1bf3d971ea

SHA256
5eb5e4275907d5cb385f09b8c5d8377c1c80d96da245d4c292bf0339e0b385a7

SHA512
ee7167fe361b045832ee19e2694f7fcf1780681688f7d39a661f8da965c3a6b5ba5302970ad6099f324804f2079b237c250e9ab5f7c98501b2bd59f5ee2175af

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\Telemetry.dll
MD5
e5ff3315699d88664e432f1b4bed6f3d

SHA1
c976371a8048fa4d7db30d33ab2c11cc398b2cea

SHA256
141033fab97f52c66cb6705fda26d75ef9c215c05e2f70530df58c640a2cf145

SHA512
78f0d1e863bbc575984d0a5e9adf7789eab1247b525988c6a5541e8f04db48f6e42a1e4cbd70dc11e9fddfad5d59f2510a2e79ff0cfaf42a7b04caeff8e98b52

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\UpdateRingSettings.dll
MD5
69cc32beb8138585a4e9c1cd1cd65bfd

SHA1
97445591e09eb7d830e83d2cf7a532b3ef98d4c9

SHA256
076f15674e101b32a01556b9cd8382e977ea73cceafe411e9213efc145470126

SHA512
5a99068a2bc7598f98b79e84ce0a3d0e4439212c4e66e31fbcefa06ef7af46c6f1ec2831ca667c3bce0e796cf3a2aa35bf08d0e3ff4bd4f0344080cb80ab315f

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\msvcp140.dll
MD5
20d7849113e030aa08d7c8520914b421

SHA1
1267d0b318e76f7c0378ec5385ab4706ea1910ab

SHA256
f5e51b4242dcbe2fadf3739f82d8b97877090fe0431ce10416b09d68e31c135c

SHA512
9a8841d55b7f3ac683fb460649b262e0da6e53511bfc6b26ae5cff29a6ddb2f2e9118a22b10f20d0f573f8d78cc1b4faa853391fe3f0953e71b710927a1bb83d

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\vcruntime140.dll
MD5
b0c0482906e0847434d58ca0ea90d98b

SHA1
23b9ca65f4ea872e187677a951d2ef08e8fc87f4

SHA256
a95d38d5ccfc43a5749d8c5c1363005a960e9b09c8d90593e4ca6ac4ee64f8ea

SHA512
56a6f538e9e5148f9816c1cc66e708cf6b937cdf6cb48905d9495db83b9fa88e8161d1e8f6a4d923952454af0c81a780d45e92f1bacbef165ba37f5ca9f9d348

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\vcruntime140.dll
MD5
b0c0482906e0847434d58ca0ea90d98b

SHA1
23b9ca65f4ea872e187677a951d2ef08e8fc87f4

SHA256
a95d38d5ccfc43a5749d8c5c1363005a960e9b09c8d90593e4ca6ac4ee64f8ea

SHA512
56a6f538e9e5148f9816c1cc66e708cf6b937cdf6cb48905d9495db83b9fa88e8161d1e8f6a4d923952454af0c81a780d45e92f1bacbef165ba37f5ca9f9d348

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\vcruntime140.dll
MD5
b0c0482906e0847434d58ca0ea90d98b

SHA1
23b9ca65f4ea872e187677a951d2ef08e8fc87f4

SHA256
a95d38d5ccfc43a5749d8c5c1363005a960e9b09c8d90593e4ca6ac4ee64f8ea

SHA512
56a6f538e9e5148f9816c1cc66e708cf6b937cdf6cb48905d9495db83b9fa88e8161d1e8f6a4d923952454af0c81a780d45e92f1bacbef165ba37f5ca9f9d348

Download Submit
\Users\Admin\AppData\Local\Temp\44483.5760884259.wac.dll
MD5
872d4e93263614ac34a7797908b14892

SHA1
2f90402569177161bad5130205dc8d8adf5dcd7d

SHA256
a86818684a994827ad2bdf3e23ec65cc750c7475e88dd0c7ac95d030fc032788

SHA512
b43725484cec17f47886eed8772ee1d3090028c83d4e064adff52fd0a48178aafe7e32598d2f6452f0e217ffd13684669200167e87370bc87338eef7e35fb015

Download Submit
memory/648-121-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/648-119-0x0000000002780000-0x00000000027A1000-memory.dmp

Filesize
132KB

Download
memory/648-118-0x0000000000000000-mapping.dmp

Download
memory/820-120-0x0000000000000000-mapping.dmp

Download
memory/2088-148-0x0000000000000000-mapping.dmp

Download
memory/2268-144-0x0000000000000000-mapping.dmp

Download
memory/2268-146-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/2632-129-0x0000000000000000-mapping.dmp

Download
memory/2808-147-0x0000000000000000-mapping.dmp

Download
memory/2808-150-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2808-151-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2808-152-0x0000000002C80000-0x0000000002CA1000-memory.dmp

Filesize
132KB

Download
memory/3316-149-0x0000000000000000-mapping.dmp

Download
memory/3324-116-0x0000000002750000-0x000000000289A000-memory.dmp

Filesize
1.3MB

Download
memory/3324-117-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/3324-115-0x0000000000000000-mapping.dmp

Download
memory/3392-128-0x0000000000000000-mapping.dmp

Download
memory/4808-122-0x0000000000000000-mapping.dmp

Download