48a181bb27dcdffbf2d467e6004a40677b68d2d07399dd87f5ee0a2b51e5837c

Resubmissions

17-03-2024 09:03

240317-kz93babd61 8

02-02-2023 07:25

230202-h81h5ahc9z 10

01-02-2023 00:33

230201-av97eabb24 10

Analysis

max time kernel
414s
max time network
1220s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OneDriveSetup.exe
Size

48.0MB
MD5

1382660b084b8791b400739542442783
SHA1

3ecbe73642812498f3e4fad5dc47f8a9573fd4fb
SHA256

48a181bb27dcdffbf2d467e6004a40677b68d2d07399dd87f5ee0a2b51e5837c
SHA512

8d49071449384678794a0188bad7b3cdfb2c90e11b36b5923b38362dbf21fb98188f5eafc5d5b41f6dfc8ed5d88335600a17c044af05f1afa8a989d86c7463f2
SSDEEP

786432:2QAM/bg9LA622CSAqL7Xis205pR40RKBVLiRIBqVbCj1/IwInTVk0:26D2NlbF5pHKQXbCJ/IA0

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

OneDriveSetup.exeOneDrive.exeOneDrive.exeOneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

FileSyncConfig.exeOneDrive.exeOneDriveSetup.exeOneDriveSetup.exeFileSyncConfig.exeOneDriveStandaloneUpdater.exeOneDrive.exeMicrosoftEdgeWebview2Setup.exeMicrosoft.SharePoint.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.70.exesetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid	process
4052	FileSyncConfig.exe
1292	OneDrive.exe
5072	OneDriveSetup.exe
3200	OneDriveSetup.exe
416	FileSyncConfig.exe
1004	OneDriveStandaloneUpdater.exe
3292	OneDrive.exe
1220	MicrosoftEdgeWebview2Setup.exe
1408	Microsoft.SharePoint.exe
4052	MicrosoftEdgeUpdate.exe
4656	MicrosoftEdgeUpdate.exe
4664	MicrosoftEdgeUpdate.exe
1120	MicrosoftEdgeUpdateComRegisterShell64.exe
2152	MicrosoftEdgeUpdateComRegisterShell64.exe
2064	MicrosoftEdgeUpdateComRegisterShell64.exe
2700	MicrosoftEdgeUpdate.exe
1888	MicrosoftEdgeUpdate.exe
1152	MicrosoftEdgeUpdate.exe
3704	MicrosoftEdgeUpdate.exe
4068	MicrosoftEdge_X64_109.0.1518.70.exe
3912	setup.exe
4816	MicrosoftEdgeUpdate.exe
2208	MicrosoftEdgeUpdate.exe
4812	MicrosoftEdgeUpdate.exe
4768	MicrosoftEdgeUpdate.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

OneDrive.exeOneDrive.exeOneDriveSetup.exeOneDriveSetup.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{0827D883-485C-4D62-BA2C-A332DBF3D4B0}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileCoAuthLib64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileCoAuthLib.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileCoAuthLib64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\i386\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{07CA83F0-DF06-4E67-89DD-E80924A49512}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileCoAuthLib.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{0827D883-485C-4D62-BA2C-A332DBF3D4B0}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{0827D883-485C-4D62-BA2C-A332DBF3D4B0}\LocalServer32	OneDrive.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDrive.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	OneDrive.exe

Loads dropped DLL 64 IoCs

Processes:

FileSyncConfig.exeOneDrive.exeFileSyncConfig.exeOneDrive.exe

pid	process
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
4052	FileSyncConfig.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
416	FileSyncConfig.exe
416	FileSyncConfig.exe
416	FileSyncConfig.exe
416	FileSyncConfig.exe
416	FileSyncConfig.exe
416	FileSyncConfig.exe
416	FileSyncConfig.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDriveSetup.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

MicrosoftEdgeUpdate.exesetup.exeMicrosoftEdgeWebview2Setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\am.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\lv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\identity_proxy\beta.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\ka.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2839.tmp\msedgeupdateres_sr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2839.tmp\msedgeupdateres_tr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\da.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\onramp.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Trust Protection Lists\Sigma\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\bs.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\af.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\kk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\sv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2839.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\augloop_client.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\el.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\msedge.dll.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\vk_swiftshader.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\msedge.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\mspdf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\bn-IN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2839.tmp\psuser_arm64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Trust Protection Lists\Mu\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\msedgewebview2.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\BHO\ie_to_edge_stub.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\mspdf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\cookie_exporter.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\ffmpeg.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Notifications\SoftLandingAssetDark.gif	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\edge_feedback\mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\hr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\nn.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\20230202082722804_3912.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\microsoft_apis.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\nn.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDrive.exeOneDriveSetup.exeOneDrive.exeOneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeOneDriveSetup.exeMicrosoftEdgeUpdate.exeOneDrive.exeMicrosoftEdgeUpdate.exeOneDrive.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeFileSyncConfig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging.1\CLSID\ = "{917E8742-AA3B-7318-FA12-10485FB322A2}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass.1\CLSID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID\ = "BannerNotificationHandler.BannerNotificationHandler"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\*\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "IFileSyncOutOfProcServices"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{C47B67D4-BA96-44BC-AB9E-1CAC8EEA9E93}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ = "IGetSyncStatusCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\TypeLib\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\ProgID\ = "FileSyncClient.AutoPlayHandler.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\ODOPEN\SHELL\OPEN\COMMAND	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ = "IClientPolicySettingsEvents"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\grvopen\DefaultIcon	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\ = "ErrorOverlayHandler Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}\ = "IOneDriveAsync"	OneDriveSetup.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

1292 OneDrive.exe
3292 OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OneDriveSetup.exeOneDriveSetup.exeOneDrive.exeOneDriveSetup.exeOneDriveSetup.exe

pid	process
2432	OneDriveSetup.exe
2432	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
4100	OneDriveSetup.exe
1292	OneDrive.exe
1292	OneDrive.exe
5072	OneDriveSetup.exe
5072	OneDriveSetup.exe
5072	OneDriveSetup.exe
5072	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

OneDriveSetup.exeOneDriveSetup.exeOneDriveSetup.exeOneDriveSetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2432	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	4100	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	5072	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	3200	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	3200	OneDriveSetup.exe
Token: SeDebugPrivilege	4052	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4052	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2208	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4812	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid	process
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid	process
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
1292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe
3292	OneDrive.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

1292 OneDrive.exe
3292 OneDrive.exe
3292 OneDrive.exe
3292 OneDrive.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

OneDriveSetup.exeOneDrive.exeOneDriveSetup.exeOneDriveStandaloneUpdater.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.70.exeMicrosoftEdgeUpdate.exe

description	pid	process	target process
PID 4100 wrote to memory of 4052	4100	OneDriveSetup.exe	FileSyncConfig.exe
PID 4100 wrote to memory of 4052	4100	OneDriveSetup.exe	FileSyncConfig.exe
PID 1292 wrote to memory of 5072	1292	OneDrive.exe	OneDriveSetup.exe
PID 1292 wrote to memory of 5072	1292	OneDrive.exe	OneDriveSetup.exe
PID 3200 wrote to memory of 416	3200	OneDriveSetup.exe	FileSyncConfig.exe
PID 3200 wrote to memory of 416	3200	OneDriveSetup.exe	FileSyncConfig.exe
PID 3200 wrote to memory of 1004	3200	OneDriveSetup.exe	OneDriveStandaloneUpdater.exe
PID 3200 wrote to memory of 1004	3200	OneDriveSetup.exe	OneDriveStandaloneUpdater.exe
PID 1004 wrote to memory of 1220	1004	OneDriveStandaloneUpdater.exe	MicrosoftEdgeWebview2Setup.exe
PID 1004 wrote to memory of 1220	1004	OneDriveStandaloneUpdater.exe	MicrosoftEdgeWebview2Setup.exe
PID 1004 wrote to memory of 1220	1004	OneDriveStandaloneUpdater.exe	MicrosoftEdgeWebview2Setup.exe
PID 1220 wrote to memory of 4052	1220	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1220 wrote to memory of 4052	1220	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1220 wrote to memory of 4052	1220	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 4656	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 4656	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 4656	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 4664	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 4664	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 4664	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4664 wrote to memory of 1120	4664	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4664 wrote to memory of 1120	4664	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4664 wrote to memory of 2152	4664	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4664 wrote to memory of 2152	4664	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4664 wrote to memory of 2064	4664	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4664 wrote to memory of 2064	4664	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4052 wrote to memory of 2700	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 2700	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 2700	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 1888	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 1888	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4052 wrote to memory of 1888	4052	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1152 wrote to memory of 3704	1152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1152 wrote to memory of 3704	1152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1152 wrote to memory of 3704	1152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1152 wrote to memory of 4068	1152	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_109.0.1518.70.exe
PID 1152 wrote to memory of 4068	1152	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_109.0.1518.70.exe
PID 4068 wrote to memory of 3912	4068	MicrosoftEdge_X64_109.0.1518.70.exe	setup.exe
PID 4068 wrote to memory of 3912	4068	MicrosoftEdge_X64_109.0.1518.70.exe	setup.exe
PID 1152 wrote to memory of 4816	1152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1152 wrote to memory of 4816	1152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1152 wrote to memory of 4816	1152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4812 wrote to memory of 4768	4812	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4812 wrote to memory of 4768	4812	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4812 wrote to memory of 4768	4812	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
2⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4052

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart /updateSource:ODU
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey
5⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.007.0109.0004\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.007.0109.0004\FileSyncConfig.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:416

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /installWebView2
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe /silent /install
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files (x86)\Microsoft\Temp\EU2839.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU2839.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
8⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
9⤵
- Executes dropped EXE
- Modifies registry class
PID:4656

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
10⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:1120

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
10⤵
- Executes dropped EXE
- Modifies registry class
PID:2152

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
10⤵
- Executes dropped EXE
- Registers COM server for autorun
PID:2064

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjI0REM1QjEtRjZBNC00MTdFLThEMTMtQzlEQzNGNTVEQzA0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins2MjI2NkVCMy0zQzk2LTQ3NDYtQkVBNS03OUZCNDI4RDY3Njl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NTc4ODUxNjMzIiBpbnN0YWxsX3RpbWVfbXM9IjM5MjIiLz48L2FwcD48L3JlcXVlc3Q-
9⤵
- Executes dropped EXE
PID:2700

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{F24DC5B1-F6A4-417E-8D13-C9DC3F55DC04}" /silent
9⤵
- Executes dropped EXE
PID:1888

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
6⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3292

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.007.0109.0004\Microsoft.SharePoint.exe
/silentConfig
6⤵
- Executes dropped EXE
PID:1408

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjI0REM1QjEtRjZBNC00MTdFLThEMTMtQzlEQzNGNTVEQzA0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyMzJFNEQ2NS0wRTRFLTQ5MDctQjQ1Qi05RjFDOTZCNzQ1RkR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSI4OS4wLjQzODkuMTE0IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDYzMDU3MDQ5MyIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3704

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2EAFB27E-06E6-4BAB-A54B-87F85CA063FB}\MicrosoftEdge_X64_109.0.1518.70.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2EAFB27E-06E6-4BAB-A54B-87F85CA063FB}\MicrosoftEdge_X64_109.0.1518.70.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2EAFB27E-06E6-4BAB-A54B-87F85CA063FB}\EDGEMITMP_CB7C2.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2EAFB27E-06E6-4BAB-A54B-87F85CA063FB}\EDGEMITMP_CB7C2.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2EAFB27E-06E6-4BAB-A54B-87F85CA063FB}\MicrosoftEdge_X64_109.0.1518.70.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:3912

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjI0REM1QjEtRjZBNC00MTdFLThEMTMtQzlEQzNGNTVEQzA0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntCRDE4REMzNi1GQkIxLTQyOUYtQUJBNi04QUYwNTE5RjBDNjF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguNzAiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ3MDA3MjkxMTUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NzAwNzI5MTE1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDg1MzA3MTA4NSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNDEzMzkwZTAtZmNjMS00ZTBhLTlkNDQtNDExNWZjNjJlMjM5P1AxPTE2NzU5Mjc2MTImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9aENLcUQ0Q2slMmZnRnUyN1J3NTFvZzVnZ2h4M2VvUDJvbjM0NUhnMU5leEx0YktvS3c4RXVGNDhPOSUyZkRPZExXTEcwSGlmWVZRZW1hYnZpVlVoJTJmekEyQ0ElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNDA2ODMxOTIiIHRvdGFsPSIxNDA2ODMxOTIiIGRvd25sb2FkX3RpbWVfbXM9IjEyOTUzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDg1MzUzOTc5MSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4Njc5Mjk2MTciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMzUyNTg4NDMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMjE5IiBkb3dubG9hZF90aW1lX21zPSIxNTIwMyIgZG93bmxvYWRlZD0iMTQwNjgzMTkyIiB0b3RhbD0iMTQwNjgzMTkyIiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSIxNjczMyIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4816

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEMzODA0MjctRTVCNy00RDAzLTg5MzgtNTRFMjA4ODFCMzFEfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntBNzlBNTU0Mi0zQzg1LTQ5RUEtQTJGNS0zNUI2NDZGNjk0MTB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC44NiI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSItMSIgcmQ9Ii0xIi8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEwOS4wLjE1MTguNzAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjU4NzMiIGNvaG9ydD0icnJmQDAuNDMiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9IntBQUU5MTg4Ny0xRkI5LTRFM0YtQjc1RS0yOEI1NEM2ODU5RUR9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncClient.dll
Filesize
6.5MB

MD5
819876e88f06e76a422d12451369582a

SHA1
3f8457f8c13472923914f18da47bbbdc07dbb348

SHA256
5d205ce921568b88d6087a1eb316c5af1754ec91189218243bfea72771b3058d

SHA512
f505f78460040d784a4157d6355a930339f66e505eef377f8f13ce8d517bb9bbe83b5a8bab406fe1df9e2652829fe68db7ec2fd28d8e2c3968eb2a3a7b523b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe
Filesize
692KB

MD5
e226d0b9aff908effd85213b2f299627

SHA1
8e9365429ef5dcd625d1bdc0124bc7aa8a5ad4a9

SHA256
cf64655d586435917f186aca7ae1b6ddaae337fc9ae7a00f03974f16bb113fd4

SHA512
77ff182434a4e1b724f6056c0a3424a815d4659127aa210218770b4f9ffbb74e6b9eb317007a3181db05d0e674aa7fa06f13d15760d69e9014366320bab12508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSessions.dll
Filesize
4.9MB

MD5
567b15b4c1386dd3d6c964d34418f8f2

SHA1
0443f973494c7147d7374f7991fd0f237d5283aa

SHA256
0e4f32b8424825fc52a345a280d79db135f4dc9a39a9a5e9ffea7ab90238a8e2

SHA512
095f5537ae5f6d120669c9f8e8a29691d039f7d23ce6d2ed1d91e165e81fc734ea0266b21693c26720bd76db5613804b99ef4ff1ed04e22203b02d5af548dde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncTelemetryExtensions.dll
Filesize
73KB

MD5
4b3f451a6afc4d193a747e15aee306fb

SHA1
25581d7943626c8f46c76a7c5afe23e6b16ef544

SHA256
348d43a110af819bd72ab7b22cb5223d9306d162dc5af8e04b666c2cf9674d9a

SHA512
ed540f13f30d741ce15bfc94ec474c9ba8f72d36d7c4aa1125aa1e4bd62204dd4da56ba2d369bf689b0843a363af563b29277584d8bdefcaf53d085cf4fb4749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncViews.dll
Filesize
3.0MB

MD5
8253c76c9c686e672f856a27d6abbf0f

SHA1
55674aff6e0acf7655723e1f9fff7389ed846017

SHA256
9229393db3193e90f957c9e175ad9cd53ece38ae9db46c11e9334fd03ec6f447

SHA512
4a18e813c0344f76e3a8cb2acd688e7001d7e5529f530b5bcfc443c12af07de64b488baec82548d7d5b38da4e2705f92a2e4c10e5ecc72d14b5bd306859ad684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogUploader.dll
Filesize
938KB

MD5
72c0436bc6d01a0abea65e398f21c5f9

SHA1
ee82b9d9a6d77502bae08faa9a983292c3dcddeb

SHA256
fc19cd61c312b0626c11b8fca9c05057863285bcfe13c720290dca935a3fe975

SHA512
b16846c6f841fb501d807387d33111ed44d45099d4e13c86c54f16cc0a2edc3abaadaa4e44bae7f9f3f473d89867145498a4681a17f702e91bdd5cb147f622e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LoggingPlatform.DLL
Filesize
695KB

MD5
801dfa267cea4feba3ddcf8449608671

SHA1
1f6427f1ed3b9b295a0c87616fe6852eb113e099

SHA256
859b837904b5563a07381fbd38f7b90b6bfe389882d47cece5107d245310c674

SHA512
5af96b74ce92d3364bd3002bc31b32ff94d011c2b7a91994ad16f95fbbffe24db983895e2a0bc675e89126e8135583124c70d16cfe1371e6fbfaf3d1254215ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\MSVCP140.dll
Filesize
551KB

MD5
4d4eacde06f038fa1f2b8ff80fa5d86e

SHA1
27cf841fc5e1c87251aa66decac6c2043661e3ee

SHA256
e78ecb8b5c81a3824b7e8845dba3125cbf93d60bc8ade9205ff2f6bd655bc6c7

SHA512
cfb187ec44de798a697e55435d96c183194f8caa4524484e0ebf49c509cbf646603b5e018838d143fabfef401d78b4907fc19a08c37dda7bc3e2e796f8a361bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\MSVCP140_1.dll
Filesize
22KB

MD5
dcb785bda4fa6c6bf6088660ed424fa7

SHA1
46c6a9ff1a45d521fdf3366724f243d1f0d8a8f3

SHA256
9a6e265f90f8e69f9403e40b2c316e13d91ceebb93a2aa5531044f7003ed6b61

SHA512
ea18fa56e393d2080731c4e344651fd63529868a54ed10dcf60b9b9e6dc20ab88a34eca110f0d3a1eb3cb63a818dbd5f169d36e699adc3ad53d02f2a2fc6ca85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\OneDriveTelemetryStable.dll
Filesize
2.2MB

MD5
d7251296a8e72e9e6ef4828a4ac5c869

SHA1
91acba7ec540c50c42eff76e47dec543ef41d18a

SHA256
1cb9ed2cc196da79ea70f5de9c2a46f668db36d8c476c75f38f1161316dbbc74

SHA512
f1f58ca0d71217733604e7f120e1f5224f486a0730b76a2694fcfc21896c44bf148f6523803604ed15cbe73f048236d213e223c4d5a2ffc14b3adb061a40165f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Core.dll
Filesize
5.8MB

MD5
7e9131b0037a5d87fb8b3659579914d6

SHA1
03bd6961ed8e6a5215bf69ff51bb1022752a9c87

SHA256
7cc66ef8c001089d71a22e58da0486b4aa92f00d2685deeff95b37f8e3c433a6

SHA512
c60ef029a0c58e181f0da2ccfc02acd47e32efd6a674172ed88e8500fa706c369e3d5981504d068e8facfdd0494f1f9a58f3dad39ad34b1b82daa21372596278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Gui.dll
Filesize
6.5MB

MD5
073a77313c9ae2cff823cbf3a18f99a4

SHA1
b0b8c182bb28fbd4bd2bade39e0faa0803e4f110

SHA256
858e4c8670e016d51fec94aebb38e22bcad57d28a673717a060c4ab734fda49a

SHA512
124814bd964ea775bd9d62c37bb553b6784d8d2f69962552a7a95317b5e66125f6faec82fe084f5a4cbc6260b97aa8a241b05b40feaf624e26acd8f39dd603d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Network.dll
Filesize
1.3MB

MD5
6ecbe8e9ede7a276862f4fc4bb02238d

SHA1
7587a2fcbaa00ce0b473c9b13aad3959097741b4

SHA256
c073eb1585f5ecfe2da1fd34a998978f217a7fd66a053a4b8d714459a45697a4

SHA512
4aae676c8900efff00525cb907bbc75e1e6b6ad184c7dab4772b88ce05ba1a753a2c2e5f1411af4a60f24a020f38bbef270f59c5f890f431a1846d573d57636a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Qml.dll
Filesize
3.4MB

MD5
f1b24e2e9274a6150e209995a1eb13e7

SHA1
a488ac298eb88f84dc9024a285205c9a0296479a

SHA256
665cdc49bb3a7b8e06d682648442a6c4865074b83c29564291322e2f2c13373a

SHA512
4cb004d61e54b4686122f69adcc9c71e18dcde1c25c9a331027b33c9100b13ea2d99db48c1940341944b8a4c4244c03de05f7b2cb71ac1b8b6d212d5c3d02004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5QmlModels.dll
Filesize
435KB

MD5
5d16df0ee2c6ac7428dbeed86567a8bc

SHA1
405ddbfcdeb369ac34bacf436570c6ab8bd9a318

SHA256
1e6d490682022a77624d0d4926c348b3b694f386c18158c6cea58ceadc96aefc

SHA512
eaa2f044873fb403263b76ef86455a3fb79af8e94ef476e70ec350d23d71b0ba0cc87d58fda2857d9a70d9aaff19014e4b4b3eb244761e4e37255ff93a6f4362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Quick.dll
Filesize
4.0MB

MD5
c98b47d6a836d2dd42b56bb1145facd6

SHA1
053cbbd038a8382cc7fb11f59f0076efcfb2aa01

SHA256
f80fad1ac7005c6992ddecfd996073c3c13a29d81d4b3c09860d216b79185f0d

SHA512
74d549674fa53a991ae1cbbc259854da5d26b8e63332343494a7dfe2fc88a7e675217d615419f9dfa9bc9436e4bc3a1b807ed90086becb3d1b5699b855db2b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Widgets.dll
Filesize
5.3MB

MD5
6a7e7ec50d8fae720190d8553359661a

SHA1
feef20be20e66f1043074a5d3790bbe74a6a84b8

SHA256
3e4601ecf2a40cec173765394f8e0291613c01d6779832053179d799bc4b9167

SHA512
ed0a993be31eddb6d29d07e34fff4e5ec83bd0a34db0e5214f6ada602f4310fb49ac597579043909df6f4b0f5fd9a048ea94fefb5796a90d128c37b83fdd3eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5WinExtras.dll
Filesize
233KB

MD5
553a8431e63ecb2ed11e6d366b7d3c5a

SHA1
51c021966e428f51c59edd9b179fe2f5de691ebe

SHA256
50b41c8827ce6a02b89ee137f5523032dd0575d96c52b7c5f104f14a739fb9bb

SHA512
dc7dc6edd2f66f9eea0df855b60482ceeaf4845c01dd82efa0208289aadee8f3a02816cbfec79abd8e6bd5789297e68b1aca468e7e228726a46989669b40de72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\SyncEngine.DLL
Filesize
10.1MB

MD5
4d9af6541b7fd436cdbe962282ec9964

SHA1
96b7e381d7a62823991c316585544703d66061de

SHA256
56992652c045768661c0c7ce310d8625342799bb898ae044164b986ea21c0034

SHA512
54f104bae7c359d91b821ab0d7f8fc042d1eb5cc1bdcc17a867a67797a5636836167f30eda55b5216373b4538bfbad250afe5267cc527ae4bf206f8cdbabe572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Telemetry.dll
Filesize
587KB

MD5
5eede8af329973ae9f0235db504d3105

SHA1
ea685085b7da012ed10e60b6c7ffd5d28616b7a1

SHA256
ef0de1b99c0dc3a2ce93bebbff9870cfdc177a1afe3bbeb7fb975899796bd1e9

SHA512
1fee9292cdd1c0071e825fee71fa19add7cb57a981bc2f576a78a314e6ced670e1a0177608df15b5c16012b22c1324d926357c02cad1c870ff2c16b714a4f13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\UpdateRingSettings.dll
Filesize
570KB

MD5
b1ee1f0ea6b493e6eb5316ec60275909

SHA1
4ec2c37964e380fbd99ef6424f06a73833e1d94b

SHA256
ec8292b445d297ec8c120033ffb2a1073ad18fadea274b1e9629cb5687b24ef3

SHA512
4b204375e1674b8c30070cf10e5cc331d6fc41cae1db9c6e13c61a04db20307603794b44b941f1c54456bcfb888d059fe81594f1430ad2d44c368260bed60df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\VCRUNTIME140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\VCRUNTIME140_1.dll
Filesize
36KB

MD5
778d9982d200323302bf8f17e38e17ce

SHA1
192de4085408f72856f3ee929f54661d4e1694bb

SHA256
c9c3275516ea786d7d5340cd2fa2d9c89f3b34c5229467875d458666719d4af5

SHA512
bb384c5ec7a9cf8e13fb11728e90f972b3af855128dbf35605e3d6bea32397328bdac5503235588dcd6aa0cccaf779c400d1313528f8fbef94a4f5bf0351ea7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\WebView2Loader.dll
Filesize
133KB

MD5
7ae83c027d9ae3f88220dbdaa7ddd3a9

SHA1
e01cdf470ba5265ed07268a8b08f71382e12df24

SHA256
1420a8dd17d80839829f668ba8a1334c752501c184e1f76d2a062cbd4a228093

SHA512
b17c7026495965ced7fd3992c501626717dfc66f9c2c821565ade289c4a46afa20c903931968a4814b9c731045e53c759057b1a23ffd04d4c1bba63d91cbc040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\adal.dll
Filesize
1.4MB

MD5
eeb28467b75e17a081b168426149dc15

SHA1
a9d689fac6486322cfaab5b0169c64fc91e5327c

SHA256
6281f269b808f5149227528ad1a9cfcd69883d0ae30e44e0065e2be418c824cc

SHA512
c159ad94702d78414bfc18521bca9b196148ea66f878e462e77e96103022eccad4a446f68755f4372969e2c1ba74185c3484d67392519c6fe71c51fa703d82f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\libcrypto-1_1-x64.dll
Filesize
3.3MB

MD5
8ed54a1944adeab7042da380993ef220

SHA1
ccf7cea6da91ecd58751a751c8b00dd3fd966b16

SHA256
fe118b38c8c52c44f78b73693a6e4bcee94f07a5c1d049597c7238eb890cf26d

SHA512
167439179c3995392db5606a0abd1080c8463bff704ef23207288c8acdd027619d84cb1332509a6e9958dd29eb7a62cf35554669fb598288a1896503dca3f49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\ucrtbase.dll
Filesize
1.1MB

MD5
9509d09c13ad7b657fe1244476369712

SHA1
6e78064aac68dd11b8f9176989dd72c7f9d99eed

SHA256
549f78818055aac3df92d0011edd18d5f2f3027533d34f69c382669872390810

SHA512
883ace895b82ac6349a1625dda2428dda198802c44f67c971acbf1db159a3fabbc37b4e862804778591cb9b6941a5593c81271b3beb5f5276402cb9be6098676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
2.5MB

MD5
aeb6a72b43e784f863ef9190a270e177

SHA1
c5c8fb906d4608f382a73bcc22fb078248e20cc0

SHA256
16bba9107e3ab6b5bebe947ca51d0fbfb8cabfc3fb26f703f2260ea136049f66

SHA512
877bebb7545218d0d4f63d3dadb3c5da60ce8ec4114fe49d2879deea8f673b7c826c1729141591cd64990571ef82c1dcc568d15f42f6c3b2d73abc614be18c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
Filesize
77B

MD5
73e8c0406999575d6eedd9aaf3114dcf

SHA1
3e989068ed9e8587f2bed2fb2e136ebb3515b850

SHA256
383c7a94a3f18e752bd572691daed49e730b979de5ea85a6be21f5c9f3025642

SHA512
6cc3b3abefa1f42fbf4462e0236711c742806aa4fc561e3be8908e4700a25ce74d5d54947b75a3bd4c332198d748e0589ea63df5bda912dec9d535e62d9e153e

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncClient.dll
Filesize
6.5MB

MD5
819876e88f06e76a422d12451369582a

SHA1
3f8457f8c13472923914f18da47bbbdc07dbb348

SHA256
5d205ce921568b88d6087a1eb316c5af1754ec91189218243bfea72771b3058d

SHA512
f505f78460040d784a4157d6355a930339f66e505eef377f8f13ce8d517bb9bbe83b5a8bab406fe1df9e2652829fe68db7ec2fd28d8e2c3968eb2a3a7b523b44

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSessions.dll
Filesize
4.9MB

MD5
567b15b4c1386dd3d6c964d34418f8f2

SHA1
0443f973494c7147d7374f7991fd0f237d5283aa

SHA256
0e4f32b8424825fc52a345a280d79db135f4dc9a39a9a5e9ffea7ab90238a8e2

SHA512
095f5537ae5f6d120669c9f8e8a29691d039f7d23ce6d2ed1d91e165e81fc734ea0266b21693c26720bd76db5613804b99ef4ff1ed04e22203b02d5af548dde0

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSessions.dll
Filesize
4.9MB

MD5
567b15b4c1386dd3d6c964d34418f8f2

SHA1
0443f973494c7147d7374f7991fd0f237d5283aa

SHA256
0e4f32b8424825fc52a345a280d79db135f4dc9a39a9a5e9ffea7ab90238a8e2

SHA512
095f5537ae5f6d120669c9f8e8a29691d039f7d23ce6d2ed1d91e165e81fc734ea0266b21693c26720bd76db5613804b99ef4ff1ed04e22203b02d5af548dde0

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncTelemetryExtensions.dll
Filesize
73KB

MD5
4b3f451a6afc4d193a747e15aee306fb

SHA1
25581d7943626c8f46c76a7c5afe23e6b16ef544

SHA256
348d43a110af819bd72ab7b22cb5223d9306d162dc5af8e04b666c2cf9674d9a

SHA512
ed540f13f30d741ce15bfc94ec474c9ba8f72d36d7c4aa1125aa1e4bd62204dd4da56ba2d369bf689b0843a363af563b29277584d8bdefcaf53d085cf4fb4749

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncViews.dll
Filesize
3.0MB

MD5
8253c76c9c686e672f856a27d6abbf0f

SHA1
55674aff6e0acf7655723e1f9fff7389ed846017

SHA256
9229393db3193e90f957c9e175ad9cd53ece38ae9db46c11e9334fd03ec6f447

SHA512
4a18e813c0344f76e3a8cb2acd688e7001d7e5529f530b5bcfc443c12af07de64b488baec82548d7d5b38da4e2705f92a2e4c10e5ecc72d14b5bd306859ad684

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogUploader.dll
Filesize
938KB

MD5
72c0436bc6d01a0abea65e398f21c5f9

SHA1
ee82b9d9a6d77502bae08faa9a983292c3dcddeb

SHA256
fc19cd61c312b0626c11b8fca9c05057863285bcfe13c720290dca935a3fe975

SHA512
b16846c6f841fb501d807387d33111ed44d45099d4e13c86c54f16cc0a2edc3abaadaa4e44bae7f9f3f473d89867145498a4681a17f702e91bdd5cb147f622e4

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LoggingPlatform.dll
Filesize
695KB

MD5
801dfa267cea4feba3ddcf8449608671

SHA1
1f6427f1ed3b9b295a0c87616fe6852eb113e099

SHA256
859b837904b5563a07381fbd38f7b90b6bfe389882d47cece5107d245310c674

SHA512
5af96b74ce92d3364bd3002bc31b32ff94d011c2b7a91994ad16f95fbbffe24db983895e2a0bc675e89126e8135583124c70d16cfe1371e6fbfaf3d1254215ad

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LoggingPlatform.dll
Filesize
695KB

MD5
801dfa267cea4feba3ddcf8449608671

SHA1
1f6427f1ed3b9b295a0c87616fe6852eb113e099

SHA256
859b837904b5563a07381fbd38f7b90b6bfe389882d47cece5107d245310c674

SHA512
5af96b74ce92d3364bd3002bc31b32ff94d011c2b7a91994ad16f95fbbffe24db983895e2a0bc675e89126e8135583124c70d16cfe1371e6fbfaf3d1254215ad

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\OneDriveTelemetryStable.dll
Filesize
2.2MB

MD5
d7251296a8e72e9e6ef4828a4ac5c869

SHA1
91acba7ec540c50c42eff76e47dec543ef41d18a

SHA256
1cb9ed2cc196da79ea70f5de9c2a46f668db36d8c476c75f38f1161316dbbc74

SHA512
f1f58ca0d71217733604e7f120e1f5224f486a0730b76a2694fcfc21896c44bf148f6523803604ed15cbe73f048236d213e223c4d5a2ffc14b3adb061a40165f

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Core.dll
Filesize
5.8MB

MD5
7e9131b0037a5d87fb8b3659579914d6

SHA1
03bd6961ed8e6a5215bf69ff51bb1022752a9c87

SHA256
7cc66ef8c001089d71a22e58da0486b4aa92f00d2685deeff95b37f8e3c433a6

SHA512
c60ef029a0c58e181f0da2ccfc02acd47e32efd6a674172ed88e8500fa706c369e3d5981504d068e8facfdd0494f1f9a58f3dad39ad34b1b82daa21372596278

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Gui.dll
Filesize
6.5MB

MD5
073a77313c9ae2cff823cbf3a18f99a4

SHA1
b0b8c182bb28fbd4bd2bade39e0faa0803e4f110

SHA256
858e4c8670e016d51fec94aebb38e22bcad57d28a673717a060c4ab734fda49a

SHA512
124814bd964ea775bd9d62c37bb553b6784d8d2f69962552a7a95317b5e66125f6faec82fe084f5a4cbc6260b97aa8a241b05b40feaf624e26acd8f39dd603d5

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Network.dll
Filesize
1.3MB

MD5
6ecbe8e9ede7a276862f4fc4bb02238d

SHA1
7587a2fcbaa00ce0b473c9b13aad3959097741b4

SHA256
c073eb1585f5ecfe2da1fd34a998978f217a7fd66a053a4b8d714459a45697a4

SHA512
4aae676c8900efff00525cb907bbc75e1e6b6ad184c7dab4772b88ce05ba1a753a2c2e5f1411af4a60f24a020f38bbef270f59c5f890f431a1846d573d57636a

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Qml.dll
Filesize
3.4MB

MD5
f1b24e2e9274a6150e209995a1eb13e7

SHA1
a488ac298eb88f84dc9024a285205c9a0296479a

SHA256
665cdc49bb3a7b8e06d682648442a6c4865074b83c29564291322e2f2c13373a

SHA512
4cb004d61e54b4686122f69adcc9c71e18dcde1c25c9a331027b33c9100b13ea2d99db48c1940341944b8a4c4244c03de05f7b2cb71ac1b8b6d212d5c3d02004

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Quick.dll
Filesize
4.0MB

MD5
c98b47d6a836d2dd42b56bb1145facd6

SHA1
053cbbd038a8382cc7fb11f59f0076efcfb2aa01

SHA256
f80fad1ac7005c6992ddecfd996073c3c13a29d81d4b3c09860d216b79185f0d

SHA512
74d549674fa53a991ae1cbbc259854da5d26b8e63332343494a7dfe2fc88a7e675217d615419f9dfa9bc9436e4bc3a1b807ed90086becb3d1b5699b855db2b2c

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Widgets.dll
Filesize
5.3MB

MD5
6a7e7ec50d8fae720190d8553359661a

SHA1
feef20be20e66f1043074a5d3790bbe74a6a84b8

SHA256
3e4601ecf2a40cec173765394f8e0291613c01d6779832053179d799bc4b9167

SHA512
ed0a993be31eddb6d29d07e34fff4e5ec83bd0a34db0e5214f6ada602f4310fb49ac597579043909df6f4b0f5fd9a048ea94fefb5796a90d128c37b83fdd3eab

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5WinExtras.dll
Filesize
233KB

MD5
553a8431e63ecb2ed11e6d366b7d3c5a

SHA1
51c021966e428f51c59edd9b179fe2f5de691ebe

SHA256
50b41c8827ce6a02b89ee137f5523032dd0575d96c52b7c5f104f14a739fb9bb

SHA512
dc7dc6edd2f66f9eea0df855b60482ceeaf4845c01dd82efa0208289aadee8f3a02816cbfec79abd8e6bd5789297e68b1aca468e7e228726a46989669b40de72

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Telemetry.dll
Filesize
587KB

MD5
5eede8af329973ae9f0235db504d3105

SHA1
ea685085b7da012ed10e60b6c7ffd5d28616b7a1

SHA256
ef0de1b99c0dc3a2ce93bebbff9870cfdc177a1afe3bbeb7fb975899796bd1e9

SHA512
1fee9292cdd1c0071e825fee71fa19add7cb57a981bc2f576a78a314e6ced670e1a0177608df15b5c16012b22c1324d926357c02cad1c870ff2c16b714a4f13c

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Telemetry.dll
Filesize
587KB

MD5
5eede8af329973ae9f0235db504d3105

SHA1
ea685085b7da012ed10e60b6c7ffd5d28616b7a1

SHA256
ef0de1b99c0dc3a2ce93bebbff9870cfdc177a1afe3bbeb7fb975899796bd1e9

SHA512
1fee9292cdd1c0071e825fee71fa19add7cb57a981bc2f576a78a314e6ced670e1a0177608df15b5c16012b22c1324d926357c02cad1c870ff2c16b714a4f13c

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\UpdateRingSettings.dll
Filesize
570KB

MD5
b1ee1f0ea6b493e6eb5316ec60275909

SHA1
4ec2c37964e380fbd99ef6424f06a73833e1d94b

SHA256
ec8292b445d297ec8c120033ffb2a1073ad18fadea274b1e9629cb5687b24ef3

SHA512
4b204375e1674b8c30070cf10e5cc331d6fc41cae1db9c6e13c61a04db20307603794b44b941f1c54456bcfb888d059fe81594f1430ad2d44c368260bed60df4

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\UpdateRingSettings.dll
Filesize
570KB

MD5
b1ee1f0ea6b493e6eb5316ec60275909

SHA1
4ec2c37964e380fbd99ef6424f06a73833e1d94b

SHA256
ec8292b445d297ec8c120033ffb2a1073ad18fadea274b1e9629cb5687b24ef3

SHA512
4b204375e1674b8c30070cf10e5cc331d6fc41cae1db9c6e13c61a04db20307603794b44b941f1c54456bcfb888d059fe81594f1430ad2d44c368260bed60df4

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\WebView2Loader.dll
Filesize
133KB

MD5
7ae83c027d9ae3f88220dbdaa7ddd3a9

SHA1
e01cdf470ba5265ed07268a8b08f71382e12df24

SHA256
1420a8dd17d80839829f668ba8a1334c752501c184e1f76d2a062cbd4a228093

SHA512
b17c7026495965ced7fd3992c501626717dfc66f9c2c821565ade289c4a46afa20c903931968a4814b9c731045e53c759057b1a23ffd04d4c1bba63d91cbc040

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\adal.dll
Filesize
1.4MB

MD5
eeb28467b75e17a081b168426149dc15

SHA1
a9d689fac6486322cfaab5b0169c64fc91e5327c

SHA256
6281f269b808f5149227528ad1a9cfcd69883d0ae30e44e0065e2be418c824cc

SHA512
c159ad94702d78414bfc18521bca9b196148ea66f878e462e77e96103022eccad4a446f68755f4372969e2c1ba74185c3484d67392519c6fe71c51fa703d82f6

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\libcrypto-1_1-x64.dll
Filesize
3.3MB

MD5
8ed54a1944adeab7042da380993ef220

SHA1
ccf7cea6da91ecd58751a751c8b00dd3fd966b16

SHA256
fe118b38c8c52c44f78b73693a6e4bcee94f07a5c1d049597c7238eb890cf26d

SHA512
167439179c3995392db5606a0abd1080c8463bff704ef23207288c8acdd027619d84cb1332509a6e9958dd29eb7a62cf35554669fb598288a1896503dca3f49c

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\msvcp140.dll
Filesize
551KB

MD5
4d4eacde06f038fa1f2b8ff80fa5d86e

SHA1
27cf841fc5e1c87251aa66decac6c2043661e3ee

SHA256
e78ecb8b5c81a3824b7e8845dba3125cbf93d60bc8ade9205ff2f6bd655bc6c7

SHA512
cfb187ec44de798a697e55435d96c183194f8caa4524484e0ebf49c509cbf646603b5e018838d143fabfef401d78b4907fc19a08c37dda7bc3e2e796f8a361bc

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\msvcp140.dll
Filesize
551KB

MD5
4d4eacde06f038fa1f2b8ff80fa5d86e

SHA1
27cf841fc5e1c87251aa66decac6c2043661e3ee

SHA256
e78ecb8b5c81a3824b7e8845dba3125cbf93d60bc8ade9205ff2f6bd655bc6c7

SHA512
cfb187ec44de798a697e55435d96c183194f8caa4524484e0ebf49c509cbf646603b5e018838d143fabfef401d78b4907fc19a08c37dda7bc3e2e796f8a361bc

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\msvcp140.dll
Filesize
551KB

MD5
4d4eacde06f038fa1f2b8ff80fa5d86e

SHA1
27cf841fc5e1c87251aa66decac6c2043661e3ee

SHA256
e78ecb8b5c81a3824b7e8845dba3125cbf93d60bc8ade9205ff2f6bd655bc6c7

SHA512
cfb187ec44de798a697e55435d96c183194f8caa4524484e0ebf49c509cbf646603b5e018838d143fabfef401d78b4907fc19a08c37dda7bc3e2e796f8a361bc

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\msvcp140_1.dll
Filesize
22KB

MD5
dcb785bda4fa6c6bf6088660ed424fa7

SHA1
46c6a9ff1a45d521fdf3366724f243d1f0d8a8f3

SHA256
9a6e265f90f8e69f9403e40b2c316e13d91ceebb93a2aa5531044f7003ed6b61

SHA512
ea18fa56e393d2080731c4e344651fd63529868a54ed10dcf60b9b9e6dc20ab88a34eca110f0d3a1eb3cb63a818dbd5f169d36e699adc3ad53d02f2a2fc6ca85

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\ucrtbase.dll
Filesize
1.1MB

MD5
9509d09c13ad7b657fe1244476369712

SHA1
6e78064aac68dd11b8f9176989dd72c7f9d99eed

SHA256
549f78818055aac3df92d0011edd18d5f2f3027533d34f69c382669872390810

SHA512
883ace895b82ac6349a1625dda2428dda198802c44f67c971acbf1db159a3fabbc37b4e862804778591cb9b6941a5593c81271b3beb5f5276402cb9be6098676

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140_1.dll
Filesize
36KB

MD5
778d9982d200323302bf8f17e38e17ce

SHA1
192de4085408f72856f3ee929f54661d4e1694bb

SHA256
c9c3275516ea786d7d5340cd2fa2d9c89f3b34c5229467875d458666719d4af5

SHA512
bb384c5ec7a9cf8e13fb11728e90f972b3af855128dbf35605e3d6bea32397328bdac5503235588dcd6aa0cccaf779c400d1313528f8fbef94a4f5bf0351ea7f

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140_1.dll
Filesize
36KB

MD5
778d9982d200323302bf8f17e38e17ce

SHA1
192de4085408f72856f3ee929f54661d4e1694bb

SHA256
c9c3275516ea786d7d5340cd2fa2d9c89f3b34c5229467875d458666719d4af5

SHA512
bb384c5ec7a9cf8e13fb11728e90f972b3af855128dbf35605e3d6bea32397328bdac5503235588dcd6aa0cccaf779c400d1313528f8fbef94a4f5bf0351ea7f

Download Submit
memory/416-187-0x0000000000000000-mapping.dmp

Download
memory/1004-188-0x0000000000000000-mapping.dmp

Download
memory/1120-449-0x0000000000000000-mapping.dmp

Download
memory/1220-205-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-216-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-228-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-227-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-226-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-225-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-224-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-223-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-222-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-192-0x0000000000000000-mapping.dmp

Download
memory/1220-206-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-194-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-207-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-196-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-198-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-199-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-201-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-202-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-203-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-204-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-193-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-221-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-195-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-208-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-209-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-210-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-211-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-212-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-213-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-214-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-215-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-220-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-217-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-218-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1220-219-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/1292-186-0x0000024F438A0000-0x0000024F438D6000-memory.dmp

Filesize
216KB

Download
memory/1292-183-0x0000024F438A0000-0x0000024F43D84000-memory.dmp

Filesize
4.9MB

Download
memory/1292-181-0x00007FFEF4400000-0x00007FFEF4800000-memory.dmp

Filesize
4.0MB

Download
memory/1292-182-0x00007FFEF3820000-0x00007FFEF3D6A000-memory.dmp

Filesize
5.3MB

Download
memory/1292-185-0x0000024F438A0000-0x0000024F43D84000-memory.dmp

Filesize
4.9MB

Download
memory/1888-558-0x0000000000000000-mapping.dmp

Download
memory/2064-488-0x0000000000000000-mapping.dmp

Download
memory/2152-468-0x0000000000000000-mapping.dmp

Download
memory/2700-508-0x0000000000000000-mapping.dmp

Download
memory/3292-190-0x00007FFEF45A0000-0x00007FFEF49A0000-memory.dmp

Filesize
4.0MB

Download
memory/3292-191-0x00000214CBC40000-0x00000214CBC50000-memory.dmp

Filesize
64KB

Download
memory/3292-189-0x00007FFEF2BF0000-0x00007FFEF313A000-memory.dmp

Filesize
5.3MB

Download
memory/3704-777-0x0000000000000000-mapping.dmp

Download
memory/3912-920-0x0000000000000000-mapping.dmp

Download
memory/4052-250-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-253-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-238-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-239-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-240-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-241-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-242-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-243-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-244-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-245-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-246-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-248-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-247-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-249-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-230-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-251-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-252-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-236-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-254-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-255-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-257-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-256-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-231-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-232-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-229-0x0000000000000000-mapping.dmp

Download
memory/4052-235-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-233-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-117-0x0000000000000000-mapping.dmp

Download
memory/4068-917-0x0000000000000000-mapping.dmp

Download
memory/4656-300-0x0000000000000000-mapping.dmp

Download
memory/4664-381-0x0000000000000000-mapping.dmp

Download
memory/4768-1236-0x0000000000000000-mapping.dmp

Download
memory/4816-923-0x0000000000000000-mapping.dmp

Download
memory/5072-184-0x0000000000000000-mapping.dmp

Download