950ad539dfc8e16c07d24dbb37ae19daa0b2f32164ba0cb3c81fa7e689f274e1

Resubmissions

05-01-2022 17:38

220105-v74klsahdm 10

05-01-2022 14:49

220105-r617baagbm 1

Analysis

max time kernel
91s
max time network
94s
platform
windows10_x64
resource
win10-es-20211208
submitted
05-01-2022 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppResolver.hta.dll
Size

569KB
MD5

5ce59cd58a34bc0530e398330013ee77
SHA1

f3b3cf03801527c24f9059f475a9d87e5392dae9
SHA256

950ad539dfc8e16c07d24dbb37ae19daa0b2f32164ba0cb3c81fa7e689f274e1
SHA512

3becd68796eca598703b02864e176e3ceebee796c51802ec3f09710af760993942ad0c1632a2656034f94e1cab988d8c652c97b5956d311ce07a9195d9363a9b

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

OneDriveSetup.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 1 IoCs

Processes:

FileSyncConfig.exe

pid process

1852 FileSyncConfig.exe

Loads dropped DLL 7 IoCs

Processes:

FileSyncConfig.exe

pid	process
1852	FileSyncConfig.exe
1852	FileSyncConfig.exe
1852	FileSyncConfig.exe
1852	FileSyncConfig.exe
1852	FileSyncConfig.exe
1852	FileSyncConfig.exe
1852	FileSyncConfig.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeFileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\WOW6432NODE\INTERFACE\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ = "OOBERequestHandler Class"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\WOW6432NODE\INTERFACE\{F0440F4E-4884-4A8F-8A45-BA89C00F96F2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\INTERFACE\{1B7AED4F-FCAF-4DA4-8795-C03E635D8EDC}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\PROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\odopen\shell\open\command	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\WOW6432NODE\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\WOW6432NODE\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\AppID\{EEABD3A3-784D-4334-AAFC-BB13234F17CF}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID\ = "BannerNotificationHandler.BannerNotificationHandler"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID\ = "OOBERequestHandler.OOBERequestHandler"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\WOW6432NODE\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ = "IGetLibrariesCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\WOW6432NODE\INTERFACE\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ = "ILoginCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\ = "{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ = "StorageProviderUriSource Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\FileSyncClient.AutoPlayHandler.1	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\TypeLib\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0\FLAGS	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

OneDriveSetup.exe

pid	process
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe
1944	OneDriveSetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

OneDriveSetup.exe

description	pid	process	target process
PID 1944 wrote to memory of 1852	1944	OneDriveSetup.exe	FileSyncConfig.exe
PID 1944 wrote to memory of 1852	1944	OneDriveSetup.exe	FileSyncConfig.exe
PID 1944 wrote to memory of 1852	1944	OneDriveSetup.exe	FileSyncConfig.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AppResolver.hta.dll,#1
1⤵
PID:4036

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
MD5
57bd9bd545af2b0f2ce14a33ca57ece9

SHA1
15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1

SHA256
a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf

SHA512
d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.DLL
MD5
4ffef06099812f4f86d1280d69151a3f

SHA1
e5da93b4e0cf14300701a0efbd7caf80b86621c3

SHA256
d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3

SHA512
d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\MSVCP140.dll
MD5
ce8a66d40621f89c5a639691db3b96b4

SHA1
b5f26f17ddd08e1ba73c57635c20c56aaa46b435

SHA256
545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7

SHA512
85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll
MD5
50ea1cd5e09e3e2002fadb02d67d8ce6

SHA1
c4515f089a4615d920971b28833ec739e3c329f3

SHA256
414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902

SHA512
440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll
MD5
037df27be847ef8ab259be13e98cdd59

SHA1
d5541dfa2454a5d05c835ec5303c84628f48e7b2

SHA256
9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec

SHA512
7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\VCRUNTIME140.dll
MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll
MD5
4ffef06099812f4f86d1280d69151a3f

SHA1
e5da93b4e0cf14300701a0efbd7caf80b86621c3

SHA256
d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3

SHA512
d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll
MD5
50ea1cd5e09e3e2002fadb02d67d8ce6

SHA1
c4515f089a4615d920971b28833ec739e3c329f3

SHA256
414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902

SHA512
440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll
MD5
037df27be847ef8ab259be13e98cdd59

SHA1
d5541dfa2454a5d05c835ec5303c84628f48e7b2

SHA256
9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec

SHA512
7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll
MD5
ce8a66d40621f89c5a639691db3b96b4

SHA1
b5f26f17ddd08e1ba73c57635c20c56aaa46b435

SHA256
545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7

SHA512
85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll
MD5
ce8a66d40621f89c5a639691db3b96b4

SHA1
b5f26f17ddd08e1ba73c57635c20c56aaa46b435

SHA256
545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7

SHA512
85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll
MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll
MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
memory/1852-115-0x0000000000000000-mapping.dmp

Download