48a181bb27dcdffbf2d467e6004a40677b68d2d07399dd87f5ee0a2b51e5837c

Resubmissions

17-03-2024 09:03

240317-kz93babd61 8

02-02-2023 07:25

230202-h81h5ahc9z 10

01-02-2023 00:33

230201-av97eabb24 10

Analysis

max time kernel
954s
max time network
958s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OneDriveSetup.exe
Size

48.0MB
MD5

1382660b084b8791b400739542442783
SHA1

3ecbe73642812498f3e4fad5dc47f8a9573fd4fb
SHA256

48a181bb27dcdffbf2d467e6004a40677b68d2d07399dd87f5ee0a2b51e5837c
SHA512

8d49071449384678794a0188bad7b3cdfb2c90e11b36b5923b38362dbf21fb98188f5eafc5d5b41f6dfc8ed5d88335600a17c044af05f1afa8a989d86c7463f2
SSDEEP

786432:2QAM/bg9LA622CSAqL7Xis205pR40RKBVLiRIBqVbCj1/IwInTVk0:26D2NlbF5pHKQXbCJ/IA0

Score

10^/10

adware discovery persistence stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

OneDriveSetup.exeOneDriveSetup.exeOneDrive.exeOneDrive.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 1600 created 448	1600	svchost.exe	OneDriveSetup.exe
PID 1600 created 1264	1600	svchost.exe	OneDriveSetup.exe
PID 1600 created 756	1600	svchost.exe	OneDriveSetup.exe
PID 1600 created 4048	1600	svchost.exe	OneDriveSetup.exe
PID 1600 created 4048	1600	svchost.exe	OneDriveSetup.exe

Downloads MZ/PE file

Executes dropped EXE 30 IoCs

Processes:

FileSyncConfig.exeOneDrive.exeOneDriveSetup.exeOneDriveSetup.exeFileSyncConfig.exeOneDriveStandaloneUpdater.exeOneDrive.exeMicrosoft.SharePoint.exeMicrosoft.SharePoint.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.70.exesetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.70.exesetup.exesetup.exesetup.exeMicrosoftEdgeUpdate.exe

pid	process
2248	FileSyncConfig.exe
1832	OneDrive.exe
756	OneDriveSetup.exe
4048	OneDriveSetup.exe
1424	FileSyncConfig.exe
448	OneDriveStandaloneUpdater.exe
3512	OneDrive.exe
4860	Microsoft.SharePoint.exe
1128	Microsoft.SharePoint.exe
3484	MicrosoftEdgeWebview2Setup.exe
1940	MicrosoftEdgeUpdate.exe
4668	MicrosoftEdgeUpdate.exe
1116	MicrosoftEdgeUpdate.exe
3036	MicrosoftEdgeUpdateComRegisterShell64.exe
1424	MicrosoftEdgeUpdateComRegisterShell64.exe
3876	MicrosoftEdgeUpdateComRegisterShell64.exe
1416	MicrosoftEdgeUpdate.exe
3884	MicrosoftEdgeUpdate.exe
3608	MicrosoftEdgeUpdate.exe
372	MicrosoftEdgeUpdate.exe
2284	MicrosoftEdge_X64_109.0.1518.70.exe
3688	setup.exe
2496	MicrosoftEdgeUpdate.exe
4948	MicrosoftEdgeUpdate.exe
3560	MicrosoftEdgeUpdate.exe
2136	MicrosoftEdge_X64_109.0.1518.70.exe
4268	setup.exe
4936	setup.exe
2204	setup.exe
1268	MicrosoftEdgeUpdate.exe

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\109.0.1518.70\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

OneDriveSetup.exeOneDriveSetup.exeOneDrive.exeOneDrive.exeMicrosoftEdgeUpdateComRegisterShell64.exesetup.exeFileSyncConfig.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{0827D883-485C-4D62-BA2C-A332DBF3D4B0}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\WOW6432NODE\CLSID\{6BB93B4E-44D8-40E2-BD97-42DBCF18A40F}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\WOW6432NODE\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\WOW6432NODE\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{0827D883-485C-4D62-BA2C-A332DBF3D4B0}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\WOW6432NODE\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuthLib64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDriveSetup.exeOneDriveSetup.exeOneDrive.exeOneDriveSetup.exeOneDrive.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

Processes:

FileSyncConfig.exeOneDrive.exeFileSyncConfig.exeOneDrive.exe

pid	process
2248	FileSyncConfig.exe
2248	FileSyncConfig.exe
2248	FileSyncConfig.exe
2248	FileSyncConfig.exe
2248	FileSyncConfig.exe
2248	FileSyncConfig.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1424	FileSyncConfig.exe
1424	FileSyncConfig.exe
1424	FileSyncConfig.exe
1424	FileSyncConfig.exe
1424	FileSyncConfig.exe
1424	FileSyncConfig.exe
1424	FileSyncConfig.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDriveSetup.exesetup.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe

Drops file in System32 directory 1 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exesetup.exeMicrosoftEdgeWebview2Setup.exesetup.exeMicrosoftEdge_X64_109.0.1518.70.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\vcruntime140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\kn.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Locales\tr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\ur.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Locales\sq.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Locales\mr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Locales\or.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\es-419.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU22E9.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Trust Protection Lists\Mu\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Locales\sr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230202083218739_4936.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU22E9.tmp\msedgeupdateres_zh-CN.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\hr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\telclient.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\ca.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\ka.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU22E9.tmp\msedgeupdateres_ca.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\sr-Cyrl-BA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA084331-A56B-4B76-909B-F5D454EA806D}\EDGEMITMP_8F624.tmp\SETUP.EX_	MicrosoftEdge_X64_109.0.1518.70.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\vccorlib140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\PdfPreview\PdfPreviewHandler.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\36eff677-fbf5-4b9c-984c-2df121bcc57e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\lb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\tr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\msedge.hollow.7z	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Trust Protection Lists\Mu\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\mojo_core.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\nacl_irt_x86_64.nexe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Locales\lv.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\lb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\msedge.dll.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\eventlog_provider.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\identity_proxy\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\lb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU22E9.tmp\MicrosoftEdgeUpdateBroker.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\libsmartscreenn.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.70\Locales\am.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.70\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU22E9.tmp\msedgeupdateres_da.dll	MicrosoftEdgeWebview2Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

setup.exeOneDrive.exeOneDriveSetup.exeOneDrive.exeOneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\109.0.1518.70\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	OneDrive.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\109.0.1518.70\\BHO"	setup.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exesetup.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeOneDriveSetup.exeOneDrive.exeOneDrive.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\mssharepointclient\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\PROGID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\odopen\shell	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\FILESYNCCLIENT.FILESYNCCLIENT\CLSID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ = "IFileSyncClient8"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\FileSyncClient.FileSyncClient\CLSID\ = "{7B37E4E2-C62F-4914-9620-8FB5062718CC}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ = "IGetSpecialFolderInfoCallback"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\PROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\22.012.0117.0003\\i386\\FileSyncShell.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\ = "OOBERequestHandler Class"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\NucleusToastActivator.NucleusToastActivator\CurVer\ = "NucleusToastActivator.NucleusToastActivator.1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\BANNERNOTIFICATIONHANDLER.BANNERNOTIFICATIONHANDLER\CLSID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{B5E5EE2E-E012-4FC8-BCE0-C956AF66C4F3}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\ = "UpToDateOverlayHandler2 Class"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_CLASSES\INTERFACE\{E9DE26A1-51B2-47B4-B1BF-C87059CC02A7}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging.1	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.007.0109.0004\\i386\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\ProgID\ = "NucleusNativeMessaging.NucleusNativeMessaging.1"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}	OneDriveSetup.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

1832 OneDrive.exe
3512 OneDrive.exe

pid	process
1832	OneDrive.exe
3512	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OneDriveSetup.exeOneDriveSetup.exeOneDrive.exeOneDriveSetup.exeOneDriveSetup.exe

pid	process
448	OneDriveSetup.exe
448	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1264	OneDriveSetup.exe
1832	OneDrive.exe
1832	OneDrive.exe
756	OneDriveSetup.exe
756	OneDriveSetup.exe
756	OneDriveSetup.exe
756	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe
4048	OneDriveSetup.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

OneDriveSetup.exesvchost.exeOneDriveSetup.exeOneDriveSetup.exeOneDriveSetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exesetup.exeMicrosoftEdgeUpdate.exewwahost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	448	OneDriveSetup.exe
Token: SeTcbPrivilege	1600	svchost.exe
Token: SeTcbPrivilege	1600	svchost.exe
Token: SeIncreaseQuotaPrivilege	1264	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	756	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	4048	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	4048	OneDriveSetup.exe
Token: SeDebugPrivilege	1940	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1940	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4948	MicrosoftEdgeUpdate.exe
Token: 33	4268	setup.exe
Token: SeIncBasePriorityPrivilege	4268	setup.exe
Token: SeDebugPrivilege	3560	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1492	wwahost.exe
Token: SeDebugPrivilege	1492	wwahost.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

1832 OneDrive.exe
1832 OneDrive.exe
1832 OneDrive.exe
1832 OneDrive.exe
1832 OneDrive.exe
3512 OneDrive.exe
3512 OneDrive.exe
3512 OneDrive.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

1832 OneDrive.exe
1832 OneDrive.exe
1832 OneDrive.exe
1832 OneDrive.exe
1832 OneDrive.exe
3512 OneDrive.exe
3512 OneDrive.exe
3512 OneDrive.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OneDrive.exeOneDrive.exewwahost.exe

pid process

1832 OneDrive.exe
3512 OneDrive.exe
3512 OneDrive.exe
3512 OneDrive.exe
1492 wwahost.exe

pid	process
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe

pid	process
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
1832	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe

pid	process
1832	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
3512	OneDrive.exe
1492	wwahost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OneDriveSetup.exesvchost.exeOneDriveSetup.exeOneDrive.exeOneDriveSetup.exeOneDrive.exeOneDriveStandaloneUpdater.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.70.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.70.exesetup.exe

description	pid	process	target process
PID 448 wrote to memory of 1940	448	OneDriveSetup.exe	OneDriveSetup.exe
PID 448 wrote to memory of 1940	448	OneDriveSetup.exe	OneDriveSetup.exe
PID 1600 wrote to memory of 1264	1600	svchost.exe	OneDriveSetup.exe
PID 1600 wrote to memory of 1264	1600	svchost.exe	OneDriveSetup.exe
PID 1264 wrote to memory of 2248	1264	OneDriveSetup.exe	FileSyncConfig.exe
PID 1264 wrote to memory of 2248	1264	OneDriveSetup.exe	FileSyncConfig.exe
PID 1600 wrote to memory of 1832	1600	svchost.exe	OneDrive.exe
PID 1600 wrote to memory of 1832	1600	svchost.exe	OneDrive.exe
PID 1832 wrote to memory of 756	1832	OneDrive.exe	OneDriveSetup.exe
PID 1832 wrote to memory of 756	1832	OneDrive.exe	OneDriveSetup.exe
PID 1600 wrote to memory of 4048	1600	svchost.exe	OneDriveSetup.exe
PID 1600 wrote to memory of 4048	1600	svchost.exe	OneDriveSetup.exe
PID 4048 wrote to memory of 1424	4048	OneDriveSetup.exe	FileSyncConfig.exe
PID 4048 wrote to memory of 1424	4048	OneDriveSetup.exe	FileSyncConfig.exe
PID 4048 wrote to memory of 448	4048	OneDriveSetup.exe	OneDriveStandaloneUpdater.exe
PID 4048 wrote to memory of 448	4048	OneDriveSetup.exe	OneDriveStandaloneUpdater.exe
PID 1600 wrote to memory of 3512	1600	svchost.exe	OneDrive.exe
PID 1600 wrote to memory of 3512	1600	svchost.exe	OneDrive.exe
PID 3512 wrote to memory of 4860	3512	OneDrive.exe	Microsoft.SharePoint.exe
PID 3512 wrote to memory of 4860	3512	OneDrive.exe	Microsoft.SharePoint.exe
PID 1600 wrote to memory of 1128	1600	svchost.exe	Microsoft.SharePoint.exe
PID 1600 wrote to memory of 1128	1600	svchost.exe	Microsoft.SharePoint.exe
PID 448 wrote to memory of 3484	448	OneDriveStandaloneUpdater.exe	MicrosoftEdgeWebview2Setup.exe
PID 448 wrote to memory of 3484	448	OneDriveStandaloneUpdater.exe	MicrosoftEdgeWebview2Setup.exe
PID 448 wrote to memory of 3484	448	OneDriveStandaloneUpdater.exe	MicrosoftEdgeWebview2Setup.exe
PID 3484 wrote to memory of 1940	3484	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 3484 wrote to memory of 1940	3484	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 3484 wrote to memory of 1940	3484	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 4668	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 4668	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 4668	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 1116	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 1116	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 1116	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1116 wrote to memory of 3036	1116	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 1116 wrote to memory of 3036	1116	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 1116 wrote to memory of 1424	1116	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 1116 wrote to memory of 1424	1116	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 1116 wrote to memory of 3876	1116	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 1116 wrote to memory of 3876	1116	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 1940 wrote to memory of 1416	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 1416	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 1416	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 3884	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 3884	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1940 wrote to memory of 3884	1940	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3608 wrote to memory of 372	3608	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3608 wrote to memory of 372	3608	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3608 wrote to memory of 372	3608	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3608 wrote to memory of 2284	3608	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_109.0.1518.70.exe
PID 3608 wrote to memory of 2284	3608	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_109.0.1518.70.exe
PID 2284 wrote to memory of 3688	2284	MicrosoftEdge_X64_109.0.1518.70.exe	setup.exe
PID 2284 wrote to memory of 3688	2284	MicrosoftEdge_X64_109.0.1518.70.exe	setup.exe
PID 3608 wrote to memory of 2496	3608	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3608 wrote to memory of 2496	3608	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3608 wrote to memory of 2496	3608	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3560 wrote to memory of 2136	3560	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_109.0.1518.70.exe
PID 3560 wrote to memory of 2136	3560	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_109.0.1518.70.exe
PID 2136 wrote to memory of 4268	2136	MicrosoftEdge_X64_109.0.1518.70.exe	setup.exe
PID 2136 wrote to memory of 4268	2136	MicrosoftEdge_X64_109.0.1518.70.exe	setup.exe
PID 4268 wrote to memory of 4936	4268	setup.exe	setup.exe
PID 4268 wrote to memory of 4936	4268	setup.exe	setup.exe
PID 4268 wrote to memory of 2204	4268	setup.exe	setup.exe
PID 4268 wrote to memory of 2204	4268	setup.exe	setup.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448

C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe" C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /cusid:S-1-5-21-2295526160-1155304984-640977766-1000
2⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
2⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe"
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
PID:2248

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart /updateSource:ODU
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey
5⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.007.0109.0004\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.007.0109.0004\FileSyncConfig.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /installWebView2
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe /silent /install
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3484

C:\Program Files (x86)\Microsoft\Temp\EU22E9.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU22E9.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
8⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
9⤵
- Executes dropped EXE
- Modifies registry class
PID:4668

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
10⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:3036

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
10⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:1424

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
10⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:3876

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0EwNUE0NzQtREE0RC00NTFFLUJDRTEtQzVERTI3QzEyQTczfSIgdXNlcmlkPSJ7RkExMUNFNUYtNUQwMS00REQ4LUJBQjItNjExQTlEQThDNkE2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins3RUJCQTAzQy1BODk5LTQ2QTktOTAwRS01NDVGQjFFNjE1Qzh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O200Nks1SzV6MXZ2a05MSHI0YzF4L2hDamU3WlFMZHFLeVo1TndnelYzQTg9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNjUuMjEiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NDc5MDcyNjYzIiBpbnN0YWxsX3RpbWVfbXM9IjYxMCIvPjwvYXBwPjwvcmVxdWVzdD4
9⤵
- Executes dropped EXE
PID:1416

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{CA05A474-DA4D-451E-BCE1-C5DE27C12A73}" /silent
9⤵
- Executes dropped EXE
PID:3884

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
6⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.007.0109.0004\Microsoft.SharePoint.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.007.0109.0004\Microsoft.SharePoint.exe" /silentConfig
7⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.007.0109.0004\Microsoft.SharePoint.exe
/silentConfig
6⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3608

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0EwNUE0NzQtREE0RC00NTFFLUJDRTEtQzVERTI3QzEyQTczfSIgdXNlcmlkPSJ7RkExMUNFNUYtNUQwMS00REQ4LUJBQjItNjExQTlEQThDNkE2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswMjVEM0EwRi0wNzlCLTRDREMtQjY5MS03Q0IzODc1MUI5NkR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSI4OS4wLjQzODkuMTE0IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDQ4OTM4NTI4MCIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
PID:372

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B1F3598-D1E0-4026-9B60-EC5AE2F49A67}\MicrosoftEdge_X64_109.0.1518.70.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B1F3598-D1E0-4026-9B60-EC5AE2F49A67}\MicrosoftEdge_X64_109.0.1518.70.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B1F3598-D1E0-4026-9B60-EC5AE2F49A67}\EDGEMITMP_187AD.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B1F3598-D1E0-4026-9B60-EC5AE2F49A67}\EDGEMITMP_187AD.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B1F3598-D1E0-4026-9B60-EC5AE2F49A67}\MicrosoftEdge_X64_109.0.1518.70.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:3688

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0EwNUE0NzQtREE0RC00NTFFLUJDRTEtQzVERTI3QzEyQTczfSIgdXNlcmlkPSJ7RkExMUNFNUYtNUQwMS00REQ4LUJBQjItNjExQTlEQThDNkE2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyODZGOUEwQi00NEZELTRFQTUtQjM0QS05N0VBODNFNERERTF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguNzAiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ0OTc2NjY2MTIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NDk3ODIyOTY4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDYwNjQxNjk0NyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNDEzMzkwZTAtZmNjMS00ZTBhLTlkNDQtNDExNWZjNjJlMjM5P1AxPTE2NzU5Mjc1ODkmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9aGtubGFBUkQ2a1dkciUyZiUyYjNmTVl2RjBKTklycEVuUGpCT0lVSEElMmZiaDhWWU90dWRCelhLVUhIJTJiQUk5JTJiU09OY2tLVmhwYklERk5qRXhmeGJnSU80ciUyZnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNDA2ODMxOTIiIHRvdGFsPSIxNDA2ODMxOTIiIGRvd25sb2FkX3RpbWVfbXM9IjgyODEiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NjA2NzI5NDQ1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDYyMDQ3OTY3OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDc4MDAwOTgzMyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjQ1MyIgZG93bmxvYWRfdGltZV9tcz0iMTA4NzUiIGRvd25sb2FkZWQ9IjE0MDY4MzE5MiIgdG90YWw9IjE0MDY4MzE5MiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMTU5NTMiLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Executes dropped EXE
PID:2496

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA084331-A56B-4B76-909B-F5D454EA806D}\MicrosoftEdge_X64_109.0.1518.70.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA084331-A56B-4B76-909B-F5D454EA806D}\MicrosoftEdge_X64_109.0.1518.70.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA084331-A56B-4B76-909B-F5D454EA806D}\EDGEMITMP_8F624.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA084331-A56B-4B76-909B-F5D454EA806D}\EDGEMITMP_8F624.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA084331-A56B-4B76-909B-F5D454EA806D}\MicrosoftEdge_X64_109.0.1518.70.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4268

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA084331-A56B-4B76-909B-F5D454EA806D}\EDGEMITMP_8F624.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA084331-A56B-4B76-909B-F5D454EA806D}\EDGEMITMP_8F624.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\109.0.1518.70\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
4⤵
- Executes dropped EXE
PID:2204

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjMzMjlEQTktQ0ZDMy00M0FDLUExMEQtNkY1RjBBNDdCQkNEfSIgdXNlcmlkPSJ7RkExMUNFNUYtNUQwMS00REQ4LUJBQjItNjExQTlEQThDNkE2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntCNTM1QjE1Qi1EOTY4LTRDNTUtOUVFOS1FNDIwNzk4NDFEODl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iUHJvZHVjdHNUb1JlZ2lzdGVyPSU3QkYzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNSU3RCIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC41NiI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxNzMiIHJkPSI1NzAzIiBwaW5nX2ZyZXNobmVzcz0iezAwRTEzNkNFLUNCM0EtNDJDNC05OTU3LTkxMTNBNDZCQUIzRn0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIxMDkuMC4xNTE4LjcwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc5NjM3NjA2NzciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzk2NDIyOTAzMSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3OTkxNTcyOTgxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjgwMDU0Nzk2MjkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHN5c3RlbV91cHRpbWVfdGlja3M9IjgwMzIzNTM5NDIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMTcyIiBkb3dubG9hZGVkPSIxNDA2ODMxOTIiIHRvdGFsPSIxNDA2ODMxOTIiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIyIiBpbnN0YWxsX3RpbWVfbXM9IjI2NzIiLz48cGluZyBhY3RpdmU9IjEiIGE9Ii0xIiByPSIxNzMiIGFkPSItMSIgcmQ9IjU3MDMiIHBpbmdfZnJlc2huZXNzPSJ7N0MzOUQ1MEMtOTdEQi00NTI1LUJBMTItM0UxMkE2MzU4NUIxfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMDkuMC4xNTE4LjcwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjU4NzMiIGNvaG9ydD0icnJmQDAuMTEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9IntCM0Q0NTg3MC0yQzMyLTRCNUMtOThBRi0xQUU3QzAyODAyNzd9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
2⤵
- Executes dropped EXE
PID:1268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:3404

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
PID:5044

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncClient.dll
Filesize
6.5MB

MD5
819876e88f06e76a422d12451369582a

SHA1
3f8457f8c13472923914f18da47bbbdc07dbb348

SHA256
5d205ce921568b88d6087a1eb316c5af1754ec91189218243bfea72771b3058d

SHA512
f505f78460040d784a4157d6355a930339f66e505eef377f8f13ce8d517bb9bbe83b5a8bab406fe1df9e2652829fe68db7ec2fd28d8e2c3968eb2a3a7b523b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncClient.dll
Filesize
6.5MB

MD5
819876e88f06e76a422d12451369582a

SHA1
3f8457f8c13472923914f18da47bbbdc07dbb348

SHA256
5d205ce921568b88d6087a1eb316c5af1754ec91189218243bfea72771b3058d

SHA512
f505f78460040d784a4157d6355a930339f66e505eef377f8f13ce8d517bb9bbe83b5a8bab406fe1df9e2652829fe68db7ec2fd28d8e2c3968eb2a3a7b523b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe
Filesize
692KB

MD5
e226d0b9aff908effd85213b2f299627

SHA1
8e9365429ef5dcd625d1bdc0124bc7aa8a5ad4a9

SHA256
cf64655d586435917f186aca7ae1b6ddaae337fc9ae7a00f03974f16bb113fd4

SHA512
77ff182434a4e1b724f6056c0a3424a815d4659127aa210218770b4f9ffbb74e6b9eb317007a3181db05d0e674aa7fa06f13d15760d69e9014366320bab12508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSessions.dll
Filesize
4.9MB

MD5
567b15b4c1386dd3d6c964d34418f8f2

SHA1
0443f973494c7147d7374f7991fd0f237d5283aa

SHA256
0e4f32b8424825fc52a345a280d79db135f4dc9a39a9a5e9ffea7ab90238a8e2

SHA512
095f5537ae5f6d120669c9f8e8a29691d039f7d23ce6d2ed1d91e165e81fc734ea0266b21693c26720bd76db5613804b99ef4ff1ed04e22203b02d5af548dde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSessions.dll
Filesize
4.9MB

MD5
567b15b4c1386dd3d6c964d34418f8f2

SHA1
0443f973494c7147d7374f7991fd0f237d5283aa

SHA256
0e4f32b8424825fc52a345a280d79db135f4dc9a39a9a5e9ffea7ab90238a8e2

SHA512
095f5537ae5f6d120669c9f8e8a29691d039f7d23ce6d2ed1d91e165e81fc734ea0266b21693c26720bd76db5613804b99ef4ff1ed04e22203b02d5af548dde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSqlite3.dll
Filesize
624KB

MD5
50747036456402d22fc213885e467e99

SHA1
14247fe812bcf2d525c2ea2aa4aa316783bde433

SHA256
f8f2f57848b917f1566609cc2620277a4ce858024caaad2807cf0ff5fdfc48f1

SHA512
c6cf29d028374eb76ac646f86237549c01a7c2fb768ef3df7ee385a25ef295401e00236b51542aa4351e56376f6a184b42dc9b2de88ed68c19715443f08e9890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSqlite3.dll
Filesize
624KB

MD5
50747036456402d22fc213885e467e99

SHA1
14247fe812bcf2d525c2ea2aa4aa316783bde433

SHA256
f8f2f57848b917f1566609cc2620277a4ce858024caaad2807cf0ff5fdfc48f1

SHA512
c6cf29d028374eb76ac646f86237549c01a7c2fb768ef3df7ee385a25ef295401e00236b51542aa4351e56376f6a184b42dc9b2de88ed68c19715443f08e9890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSqlite3.dll
Filesize
624KB

MD5
50747036456402d22fc213885e467e99

SHA1
14247fe812bcf2d525c2ea2aa4aa316783bde433

SHA256
f8f2f57848b917f1566609cc2620277a4ce858024caaad2807cf0ff5fdfc48f1

SHA512
c6cf29d028374eb76ac646f86237549c01a7c2fb768ef3df7ee385a25ef295401e00236b51542aa4351e56376f6a184b42dc9b2de88ed68c19715443f08e9890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncTelemetryExtensions.dll
Filesize
73KB

MD5
4b3f451a6afc4d193a747e15aee306fb

SHA1
25581d7943626c8f46c76a7c5afe23e6b16ef544

SHA256
348d43a110af819bd72ab7b22cb5223d9306d162dc5af8e04b666c2cf9674d9a

SHA512
ed540f13f30d741ce15bfc94ec474c9ba8f72d36d7c4aa1125aa1e4bd62204dd4da56ba2d369bf689b0843a363af563b29277584d8bdefcaf53d085cf4fb4749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncTelemetryExtensions.dll
Filesize
73KB

MD5
4b3f451a6afc4d193a747e15aee306fb

SHA1
25581d7943626c8f46c76a7c5afe23e6b16ef544

SHA256
348d43a110af819bd72ab7b22cb5223d9306d162dc5af8e04b666c2cf9674d9a

SHA512
ed540f13f30d741ce15bfc94ec474c9ba8f72d36d7c4aa1125aa1e4bd62204dd4da56ba2d369bf689b0843a363af563b29277584d8bdefcaf53d085cf4fb4749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncViews.dll
Filesize
3.0MB

MD5
8253c76c9c686e672f856a27d6abbf0f

SHA1
55674aff6e0acf7655723e1f9fff7389ed846017

SHA256
9229393db3193e90f957c9e175ad9cd53ece38ae9db46c11e9334fd03ec6f447

SHA512
4a18e813c0344f76e3a8cb2acd688e7001d7e5529f530b5bcfc443c12af07de64b488baec82548d7d5b38da4e2705f92a2e4c10e5ecc72d14b5bd306859ad684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncViews.dll
Filesize
3.0MB

MD5
8253c76c9c686e672f856a27d6abbf0f

SHA1
55674aff6e0acf7655723e1f9fff7389ed846017

SHA256
9229393db3193e90f957c9e175ad9cd53ece38ae9db46c11e9334fd03ec6f447

SHA512
4a18e813c0344f76e3a8cb2acd688e7001d7e5529f530b5bcfc443c12af07de64b488baec82548d7d5b38da4e2705f92a2e4c10e5ecc72d14b5bd306859ad684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncViews.dll
Filesize
3.0MB

MD5
8253c76c9c686e672f856a27d6abbf0f

SHA1
55674aff6e0acf7655723e1f9fff7389ed846017

SHA256
9229393db3193e90f957c9e175ad9cd53ece38ae9db46c11e9334fd03ec6f447

SHA512
4a18e813c0344f76e3a8cb2acd688e7001d7e5529f530b5bcfc443c12af07de64b488baec82548d7d5b38da4e2705f92a2e4c10e5ecc72d14b5bd306859ad684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogUploader.dll
Filesize
938KB

MD5
72c0436bc6d01a0abea65e398f21c5f9

SHA1
ee82b9d9a6d77502bae08faa9a983292c3dcddeb

SHA256
fc19cd61c312b0626c11b8fca9c05057863285bcfe13c720290dca935a3fe975

SHA512
b16846c6f841fb501d807387d33111ed44d45099d4e13c86c54f16cc0a2edc3abaadaa4e44bae7f9f3f473d89867145498a4681a17f702e91bdd5cb147f622e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogUploader.dll
Filesize
938KB

MD5
72c0436bc6d01a0abea65e398f21c5f9

SHA1
ee82b9d9a6d77502bae08faa9a983292c3dcddeb

SHA256
fc19cd61c312b0626c11b8fca9c05057863285bcfe13c720290dca935a3fe975

SHA512
b16846c6f841fb501d807387d33111ed44d45099d4e13c86c54f16cc0a2edc3abaadaa4e44bae7f9f3f473d89867145498a4681a17f702e91bdd5cb147f622e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogUploader.dll
Filesize
938KB

MD5
72c0436bc6d01a0abea65e398f21c5f9

SHA1
ee82b9d9a6d77502bae08faa9a983292c3dcddeb

SHA256
fc19cd61c312b0626c11b8fca9c05057863285bcfe13c720290dca935a3fe975

SHA512
b16846c6f841fb501d807387d33111ed44d45099d4e13c86c54f16cc0a2edc3abaadaa4e44bae7f9f3f473d89867145498a4681a17f702e91bdd5cb147f622e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LoggingPlatform.DLL
Filesize
695KB

MD5
801dfa267cea4feba3ddcf8449608671

SHA1
1f6427f1ed3b9b295a0c87616fe6852eb113e099

SHA256
859b837904b5563a07381fbd38f7b90b6bfe389882d47cece5107d245310c674

SHA512
5af96b74ce92d3364bd3002bc31b32ff94d011c2b7a91994ad16f95fbbffe24db983895e2a0bc675e89126e8135583124c70d16cfe1371e6fbfaf3d1254215ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LoggingPlatform.dll
Filesize
695KB

MD5
801dfa267cea4feba3ddcf8449608671

SHA1
1f6427f1ed3b9b295a0c87616fe6852eb113e099

SHA256
859b837904b5563a07381fbd38f7b90b6bfe389882d47cece5107d245310c674

SHA512
5af96b74ce92d3364bd3002bc31b32ff94d011c2b7a91994ad16f95fbbffe24db983895e2a0bc675e89126e8135583124c70d16cfe1371e6fbfaf3d1254215ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LoggingPlatform.dll
Filesize
695KB

MD5
801dfa267cea4feba3ddcf8449608671

SHA1
1f6427f1ed3b9b295a0c87616fe6852eb113e099

SHA256
859b837904b5563a07381fbd38f7b90b6bfe389882d47cece5107d245310c674

SHA512
5af96b74ce92d3364bd3002bc31b32ff94d011c2b7a91994ad16f95fbbffe24db983895e2a0bc675e89126e8135583124c70d16cfe1371e6fbfaf3d1254215ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\MSVCP140.dll
Filesize
551KB

MD5
4d4eacde06f038fa1f2b8ff80fa5d86e

SHA1
27cf841fc5e1c87251aa66decac6c2043661e3ee

SHA256
e78ecb8b5c81a3824b7e8845dba3125cbf93d60bc8ade9205ff2f6bd655bc6c7

SHA512
cfb187ec44de798a697e55435d96c183194f8caa4524484e0ebf49c509cbf646603b5e018838d143fabfef401d78b4907fc19a08c37dda7bc3e2e796f8a361bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\MSVCP140_1.dll
Filesize
22KB

MD5
dcb785bda4fa6c6bf6088660ed424fa7

SHA1
46c6a9ff1a45d521fdf3366724f243d1f0d8a8f3

SHA256
9a6e265f90f8e69f9403e40b2c316e13d91ceebb93a2aa5531044f7003ed6b61

SHA512
ea18fa56e393d2080731c4e344651fd63529868a54ed10dcf60b9b9e6dc20ab88a34eca110f0d3a1eb3cb63a818dbd5f169d36e699adc3ad53d02f2a2fc6ca85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\OneDriveTelemetryStable.dll
Filesize
2.2MB

MD5
d7251296a8e72e9e6ef4828a4ac5c869

SHA1
91acba7ec540c50c42eff76e47dec543ef41d18a

SHA256
1cb9ed2cc196da79ea70f5de9c2a46f668db36d8c476c75f38f1161316dbbc74

SHA512
f1f58ca0d71217733604e7f120e1f5224f486a0730b76a2694fcfc21896c44bf148f6523803604ed15cbe73f048236d213e223c4d5a2ffc14b3adb061a40165f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\OneDriveTelemetryStable.dll
Filesize
2.2MB

MD5
d7251296a8e72e9e6ef4828a4ac5c869

SHA1
91acba7ec540c50c42eff76e47dec543ef41d18a

SHA256
1cb9ed2cc196da79ea70f5de9c2a46f668db36d8c476c75f38f1161316dbbc74

SHA512
f1f58ca0d71217733604e7f120e1f5224f486a0730b76a2694fcfc21896c44bf148f6523803604ed15cbe73f048236d213e223c4d5a2ffc14b3adb061a40165f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Core.dll
Filesize
5.8MB

MD5
7e9131b0037a5d87fb8b3659579914d6

SHA1
03bd6961ed8e6a5215bf69ff51bb1022752a9c87

SHA256
7cc66ef8c001089d71a22e58da0486b4aa92f00d2685deeff95b37f8e3c433a6

SHA512
c60ef029a0c58e181f0da2ccfc02acd47e32efd6a674172ed88e8500fa706c369e3d5981504d068e8facfdd0494f1f9a58f3dad39ad34b1b82daa21372596278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Core.dll
Filesize
5.8MB

MD5
7e9131b0037a5d87fb8b3659579914d6

SHA1
03bd6961ed8e6a5215bf69ff51bb1022752a9c87

SHA256
7cc66ef8c001089d71a22e58da0486b4aa92f00d2685deeff95b37f8e3c433a6

SHA512
c60ef029a0c58e181f0da2ccfc02acd47e32efd6a674172ed88e8500fa706c369e3d5981504d068e8facfdd0494f1f9a58f3dad39ad34b1b82daa21372596278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Gui.dll
Filesize
6.5MB

MD5
073a77313c9ae2cff823cbf3a18f99a4

SHA1
b0b8c182bb28fbd4bd2bade39e0faa0803e4f110

SHA256
858e4c8670e016d51fec94aebb38e22bcad57d28a673717a060c4ab734fda49a

SHA512
124814bd964ea775bd9d62c37bb553b6784d8d2f69962552a7a95317b5e66125f6faec82fe084f5a4cbc6260b97aa8a241b05b40feaf624e26acd8f39dd603d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Gui.dll
Filesize
6.5MB

MD5
073a77313c9ae2cff823cbf3a18f99a4

SHA1
b0b8c182bb28fbd4bd2bade39e0faa0803e4f110

SHA256
858e4c8670e016d51fec94aebb38e22bcad57d28a673717a060c4ab734fda49a

SHA512
124814bd964ea775bd9d62c37bb553b6784d8d2f69962552a7a95317b5e66125f6faec82fe084f5a4cbc6260b97aa8a241b05b40feaf624e26acd8f39dd603d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Qml.dll
Filesize
3.4MB

MD5
f1b24e2e9274a6150e209995a1eb13e7

SHA1
a488ac298eb88f84dc9024a285205c9a0296479a

SHA256
665cdc49bb3a7b8e06d682648442a6c4865074b83c29564291322e2f2c13373a

SHA512
4cb004d61e54b4686122f69adcc9c71e18dcde1c25c9a331027b33c9100b13ea2d99db48c1940341944b8a4c4244c03de05f7b2cb71ac1b8b6d212d5c3d02004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Qml.dll
Filesize
3.4MB

MD5
f1b24e2e9274a6150e209995a1eb13e7

SHA1
a488ac298eb88f84dc9024a285205c9a0296479a

SHA256
665cdc49bb3a7b8e06d682648442a6c4865074b83c29564291322e2f2c13373a

SHA512
4cb004d61e54b4686122f69adcc9c71e18dcde1c25c9a331027b33c9100b13ea2d99db48c1940341944b8a4c4244c03de05f7b2cb71ac1b8b6d212d5c3d02004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Quick.dll
Filesize
4.0MB

MD5
c98b47d6a836d2dd42b56bb1145facd6

SHA1
053cbbd038a8382cc7fb11f59f0076efcfb2aa01

SHA256
f80fad1ac7005c6992ddecfd996073c3c13a29d81d4b3c09860d216b79185f0d

SHA512
74d549674fa53a991ae1cbbc259854da5d26b8e63332343494a7dfe2fc88a7e675217d615419f9dfa9bc9436e4bc3a1b807ed90086becb3d1b5699b855db2b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Widgets.dll
Filesize
5.3MB

MD5
6a7e7ec50d8fae720190d8553359661a

SHA1
feef20be20e66f1043074a5d3790bbe74a6a84b8

SHA256
3e4601ecf2a40cec173765394f8e0291613c01d6779832053179d799bc4b9167

SHA512
ed0a993be31eddb6d29d07e34fff4e5ec83bd0a34db0e5214f6ada602f4310fb49ac597579043909df6f4b0f5fd9a048ea94fefb5796a90d128c37b83fdd3eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5WinExtras.dll
Filesize
233KB

MD5
553a8431e63ecb2ed11e6d366b7d3c5a

SHA1
51c021966e428f51c59edd9b179fe2f5de691ebe

SHA256
50b41c8827ce6a02b89ee137f5523032dd0575d96c52b7c5f104f14a739fb9bb

SHA512
dc7dc6edd2f66f9eea0df855b60482ceeaf4845c01dd82efa0208289aadee8f3a02816cbfec79abd8e6bd5789297e68b1aca468e7e228726a46989669b40de72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5WinExtras.dll
Filesize
233KB

MD5
553a8431e63ecb2ed11e6d366b7d3c5a

SHA1
51c021966e428f51c59edd9b179fe2f5de691ebe

SHA256
50b41c8827ce6a02b89ee137f5523032dd0575d96c52b7c5f104f14a739fb9bb

SHA512
dc7dc6edd2f66f9eea0df855b60482ceeaf4845c01dd82efa0208289aadee8f3a02816cbfec79abd8e6bd5789297e68b1aca468e7e228726a46989669b40de72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\SyncEngine.DLL
Filesize
10.1MB

MD5
4d9af6541b7fd436cdbe962282ec9964

SHA1
96b7e381d7a62823991c316585544703d66061de

SHA256
56992652c045768661c0c7ce310d8625342799bb898ae044164b986ea21c0034

SHA512
54f104bae7c359d91b821ab0d7f8fc042d1eb5cc1bdcc17a867a67797a5636836167f30eda55b5216373b4538bfbad250afe5267cc527ae4bf206f8cdbabe572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\SyncEngine.dll
Filesize
10.1MB

MD5
4d9af6541b7fd436cdbe962282ec9964

SHA1
96b7e381d7a62823991c316585544703d66061de

SHA256
56992652c045768661c0c7ce310d8625342799bb898ae044164b986ea21c0034

SHA512
54f104bae7c359d91b821ab0d7f8fc042d1eb5cc1bdcc17a867a67797a5636836167f30eda55b5216373b4538bfbad250afe5267cc527ae4bf206f8cdbabe572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Telemetry.dll
Filesize
587KB

MD5
5eede8af329973ae9f0235db504d3105

SHA1
ea685085b7da012ed10e60b6c7ffd5d28616b7a1

SHA256
ef0de1b99c0dc3a2ce93bebbff9870cfdc177a1afe3bbeb7fb975899796bd1e9

SHA512
1fee9292cdd1c0071e825fee71fa19add7cb57a981bc2f576a78a314e6ced670e1a0177608df15b5c16012b22c1324d926357c02cad1c870ff2c16b714a4f13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Telemetry.dll
Filesize
587KB

MD5
5eede8af329973ae9f0235db504d3105

SHA1
ea685085b7da012ed10e60b6c7ffd5d28616b7a1

SHA256
ef0de1b99c0dc3a2ce93bebbff9870cfdc177a1afe3bbeb7fb975899796bd1e9

SHA512
1fee9292cdd1c0071e825fee71fa19add7cb57a981bc2f576a78a314e6ced670e1a0177608df15b5c16012b22c1324d926357c02cad1c870ff2c16b714a4f13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Telemetry.dll
Filesize
587KB

MD5
5eede8af329973ae9f0235db504d3105

SHA1
ea685085b7da012ed10e60b6c7ffd5d28616b7a1

SHA256
ef0de1b99c0dc3a2ce93bebbff9870cfdc177a1afe3bbeb7fb975899796bd1e9

SHA512
1fee9292cdd1c0071e825fee71fa19add7cb57a981bc2f576a78a314e6ced670e1a0177608df15b5c16012b22c1324d926357c02cad1c870ff2c16b714a4f13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\UpdateRingSettings.dll
Filesize
570KB

MD5
b1ee1f0ea6b493e6eb5316ec60275909

SHA1
4ec2c37964e380fbd99ef6424f06a73833e1d94b

SHA256
ec8292b445d297ec8c120033ffb2a1073ad18fadea274b1e9629cb5687b24ef3

SHA512
4b204375e1674b8c30070cf10e5cc331d6fc41cae1db9c6e13c61a04db20307603794b44b941f1c54456bcfb888d059fe81594f1430ad2d44c368260bed60df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\UpdateRingSettings.dll
Filesize
570KB

MD5
b1ee1f0ea6b493e6eb5316ec60275909

SHA1
4ec2c37964e380fbd99ef6424f06a73833e1d94b

SHA256
ec8292b445d297ec8c120033ffb2a1073ad18fadea274b1e9629cb5687b24ef3

SHA512
4b204375e1674b8c30070cf10e5cc331d6fc41cae1db9c6e13c61a04db20307603794b44b941f1c54456bcfb888d059fe81594f1430ad2d44c368260bed60df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\UpdateRingSettings.dll
Filesize
570KB

MD5
b1ee1f0ea6b493e6eb5316ec60275909

SHA1
4ec2c37964e380fbd99ef6424f06a73833e1d94b

SHA256
ec8292b445d297ec8c120033ffb2a1073ad18fadea274b1e9629cb5687b24ef3

SHA512
4b204375e1674b8c30070cf10e5cc331d6fc41cae1db9c6e13c61a04db20307603794b44b941f1c54456bcfb888d059fe81594f1430ad2d44c368260bed60df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\UpdateRingSettings.dll
Filesize
570KB

MD5
b1ee1f0ea6b493e6eb5316ec60275909

SHA1
4ec2c37964e380fbd99ef6424f06a73833e1d94b

SHA256
ec8292b445d297ec8c120033ffb2a1073ad18fadea274b1e9629cb5687b24ef3

SHA512
4b204375e1674b8c30070cf10e5cc331d6fc41cae1db9c6e13c61a04db20307603794b44b941f1c54456bcfb888d059fe81594f1430ad2d44c368260bed60df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\VCRUNTIME140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\VCRUNTIME140_1.dll
Filesize
36KB

MD5
778d9982d200323302bf8f17e38e17ce

SHA1
192de4085408f72856f3ee929f54661d4e1694bb

SHA256
c9c3275516ea786d7d5340cd2fa2d9c89f3b34c5229467875d458666719d4af5

SHA512
bb384c5ec7a9cf8e13fb11728e90f972b3af855128dbf35605e3d6bea32397328bdac5503235588dcd6aa0cccaf779c400d1313528f8fbef94a4f5bf0351ea7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\WebView2Loader.dll
Filesize
133KB

MD5
7ae83c027d9ae3f88220dbdaa7ddd3a9

SHA1
e01cdf470ba5265ed07268a8b08f71382e12df24

SHA256
1420a8dd17d80839829f668ba8a1334c752501c184e1f76d2a062cbd4a228093

SHA512
b17c7026495965ced7fd3992c501626717dfc66f9c2c821565ade289c4a46afa20c903931968a4814b9c731045e53c759057b1a23ffd04d4c1bba63d91cbc040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\WebView2Loader.dll
Filesize
133KB

MD5
7ae83c027d9ae3f88220dbdaa7ddd3a9

SHA1
e01cdf470ba5265ed07268a8b08f71382e12df24

SHA256
1420a8dd17d80839829f668ba8a1334c752501c184e1f76d2a062cbd4a228093

SHA512
b17c7026495965ced7fd3992c501626717dfc66f9c2c821565ade289c4a46afa20c903931968a4814b9c731045e53c759057b1a23ffd04d4c1bba63d91cbc040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\WnsClientApi.dll
Filesize
820KB

MD5
e4e2d0dc0ac1fbc20f8831dbd81f6394

SHA1
4b1b3b8c7a7bd6d3933d7fa47cc142ac8f6db0c6

SHA256
1584d9e53977cb6e409230e127dff2a3464b1c00d086150f9c7ce3eda979fedf

SHA512
cd0d73a7e03eca4a6261b7d1ad6f8b980a575e5c29119d84b458a1111ca62b19ebd020c3839c0db485891efb369c1f6fea229c469aebad2752f81b50877569aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\WnsClientApi.dll
Filesize
820KB

MD5
e4e2d0dc0ac1fbc20f8831dbd81f6394

SHA1
4b1b3b8c7a7bd6d3933d7fa47cc142ac8f6db0c6

SHA256
1584d9e53977cb6e409230e127dff2a3464b1c00d086150f9c7ce3eda979fedf

SHA512
cd0d73a7e03eca4a6261b7d1ad6f8b980a575e5c29119d84b458a1111ca62b19ebd020c3839c0db485891efb369c1f6fea229c469aebad2752f81b50877569aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\adal.dll
Filesize
1.4MB

MD5
eeb28467b75e17a081b168426149dc15

SHA1
a9d689fac6486322cfaab5b0169c64fc91e5327c

SHA256
6281f269b808f5149227528ad1a9cfcd69883d0ae30e44e0065e2be418c824cc

SHA512
c159ad94702d78414bfc18521bca9b196148ea66f878e462e77e96103022eccad4a446f68755f4372969e2c1ba74185c3484d67392519c6fe71c51fa703d82f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\adal.dll
Filesize
1.4MB

MD5
eeb28467b75e17a081b168426149dc15

SHA1
a9d689fac6486322cfaab5b0169c64fc91e5327c

SHA256
6281f269b808f5149227528ad1a9cfcd69883d0ae30e44e0065e2be418c824cc

SHA512
c159ad94702d78414bfc18521bca9b196148ea66f878e462e77e96103022eccad4a446f68755f4372969e2c1ba74185c3484d67392519c6fe71c51fa703d82f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\adal.dll
Filesize
1.4MB

MD5
eeb28467b75e17a081b168426149dc15

SHA1
a9d689fac6486322cfaab5b0169c64fc91e5327c

SHA256
6281f269b808f5149227528ad1a9cfcd69883d0ae30e44e0065e2be418c824cc

SHA512
c159ad94702d78414bfc18521bca9b196148ea66f878e462e77e96103022eccad4a446f68755f4372969e2c1ba74185c3484d67392519c6fe71c51fa703d82f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\libcrypto-1_1-x64.dll
Filesize
3.3MB

MD5
8ed54a1944adeab7042da380993ef220

SHA1
ccf7cea6da91ecd58751a751c8b00dd3fd966b16

SHA256
fe118b38c8c52c44f78b73693a6e4bcee94f07a5c1d049597c7238eb890cf26d

SHA512
167439179c3995392db5606a0abd1080c8463bff704ef23207288c8acdd027619d84cb1332509a6e9958dd29eb7a62cf35554669fb598288a1896503dca3f49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\msvcp140.dll
Filesize
551KB

MD5
4d4eacde06f038fa1f2b8ff80fa5d86e

SHA1
27cf841fc5e1c87251aa66decac6c2043661e3ee

SHA256
e78ecb8b5c81a3824b7e8845dba3125cbf93d60bc8ade9205ff2f6bd655bc6c7

SHA512
cfb187ec44de798a697e55435d96c183194f8caa4524484e0ebf49c509cbf646603b5e018838d143fabfef401d78b4907fc19a08c37dda7bc3e2e796f8a361bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\msvcp140.dll
Filesize
551KB

MD5
4d4eacde06f038fa1f2b8ff80fa5d86e

SHA1
27cf841fc5e1c87251aa66decac6c2043661e3ee

SHA256
e78ecb8b5c81a3824b7e8845dba3125cbf93d60bc8ade9205ff2f6bd655bc6c7

SHA512
cfb187ec44de798a697e55435d96c183194f8caa4524484e0ebf49c509cbf646603b5e018838d143fabfef401d78b4907fc19a08c37dda7bc3e2e796f8a361bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\msvcp140_1.dll
Filesize
22KB

MD5
dcb785bda4fa6c6bf6088660ed424fa7

SHA1
46c6a9ff1a45d521fdf3366724f243d1f0d8a8f3

SHA256
9a6e265f90f8e69f9403e40b2c316e13d91ceebb93a2aa5531044f7003ed6b61

SHA512
ea18fa56e393d2080731c4e344651fd63529868a54ed10dcf60b9b9e6dc20ab88a34eca110f0d3a1eb3cb63a818dbd5f169d36e699adc3ad53d02f2a2fc6ca85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\ucrtbase.dll
Filesize
1.1MB

MD5
9509d09c13ad7b657fe1244476369712

SHA1
6e78064aac68dd11b8f9176989dd72c7f9d99eed

SHA256
549f78818055aac3df92d0011edd18d5f2f3027533d34f69c382669872390810

SHA512
883ace895b82ac6349a1625dda2428dda198802c44f67c971acbf1db159a3fabbc37b4e862804778591cb9b6941a5593c81271b3beb5f5276402cb9be6098676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\ucrtbase.dll
Filesize
1.1MB

MD5
9509d09c13ad7b657fe1244476369712

SHA1
6e78064aac68dd11b8f9176989dd72c7f9d99eed

SHA256
549f78818055aac3df92d0011edd18d5f2f3027533d34f69c382669872390810

SHA512
883ace895b82ac6349a1625dda2428dda198802c44f67c971acbf1db159a3fabbc37b4e862804778591cb9b6941a5593c81271b3beb5f5276402cb9be6098676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140.dll
Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140_1.dll
Filesize
36KB

MD5
778d9982d200323302bf8f17e38e17ce

SHA1
192de4085408f72856f3ee929f54661d4e1694bb

SHA256
c9c3275516ea786d7d5340cd2fa2d9c89f3b34c5229467875d458666719d4af5

SHA512
bb384c5ec7a9cf8e13fb11728e90f972b3af855128dbf35605e3d6bea32397328bdac5503235588dcd6aa0cccaf779c400d1313528f8fbef94a4f5bf0351ea7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140_1.dll
Filesize
36KB

MD5
778d9982d200323302bf8f17e38e17ce

SHA1
192de4085408f72856f3ee929f54661d4e1694bb

SHA256
c9c3275516ea786d7d5340cd2fa2d9c89f3b34c5229467875d458666719d4af5

SHA512
bb384c5ec7a9cf8e13fb11728e90f972b3af855128dbf35605e3d6bea32397328bdac5503235588dcd6aa0cccaf779c400d1313528f8fbef94a4f5bf0351ea7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
2.5MB

MD5
aeb6a72b43e784f863ef9190a270e177

SHA1
c5c8fb906d4608f382a73bcc22fb078248e20cc0

SHA256
16bba9107e3ab6b5bebe947ca51d0fbfb8cabfc3fb26f703f2260ea136049f66

SHA512
877bebb7545218d0d4f63d3dadb3c5da60ce8ec4114fe49d2879deea8f673b7c826c1729141591cd64990571ef82c1dcc568d15f42f6c3b2d73abc614be18c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
Filesize
77B

MD5
c9a51c8d34429d0e978340cc842b80c9

SHA1
509eab49b1e8c4225d86ff3068d74be0ffd16be1

SHA256
1ead16124605540dd5d113d4876b4978bb37e7241fbf57ddb1d799cfd8139d43

SHA512
32cd8ee5a0de978a687ede4080a5b82ac015627a4c5e95c110e49090dad4f16ac6c13848975e27e8d1197db20b6d3c9b2c084a2e407d12ffed5108138a314132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
Filesize
77B

MD5
c9a51c8d34429d0e978340cc842b80c9

SHA1
509eab49b1e8c4225d86ff3068d74be0ffd16be1

SHA256
1ead16124605540dd5d113d4876b4978bb37e7241fbf57ddb1d799cfd8139d43

SHA512
32cd8ee5a0de978a687ede4080a5b82ac015627a4c5e95c110e49090dad4f16ac6c13848975e27e8d1197db20b6d3c9b2c084a2e407d12ffed5108138a314132

Download Submit
memory/372-222-0x0000000000000000-mapping.dmp

Download
memory/448-206-0x0000000000000000-mapping.dmp

Download
memory/756-203-0x0000000000000000-mapping.dmp

Download
memory/1116-216-0x0000000000000000-mapping.dmp

Download
memory/1128-212-0x0000000000000000-mapping.dmp

Download
memory/1264-133-0x0000000000000000-mapping.dmp

Download
memory/1268-230-0x0000000000000000-mapping.dmp

Download
memory/1416-220-0x0000000000000000-mapping.dmp

Download
memory/1424-205-0x0000000000000000-mapping.dmp

Download
memory/1424-218-0x0000000000000000-mapping.dmp

Download
memory/1832-202-0x000001B19CEB0000-0x000001B19CEC0000-memory.dmp

Filesize
64KB

Download
memory/1832-201-0x000001B19C300000-0x000001B19C5FB000-memory.dmp

Filesize
3.0MB

Download
memory/1832-200-0x00007FFE92F70000-0x00007FFE934BA000-memory.dmp

Filesize
5.3MB

Download
memory/1832-150-0x0000000000000000-mapping.dmp

Download
memory/1940-214-0x0000000000000000-mapping.dmp

Download
memory/1940-132-0x0000000000000000-mapping.dmp

Download
memory/2136-226-0x0000000000000000-mapping.dmp

Download
memory/2204-229-0x0000000000000000-mapping.dmp

Download
memory/2248-136-0x0000000000000000-mapping.dmp

Download
memory/2284-223-0x0000000000000000-mapping.dmp

Download
memory/2496-225-0x0000000000000000-mapping.dmp

Download
memory/3036-217-0x0000000000000000-mapping.dmp

Download
memory/3484-213-0x0000000000000000-mapping.dmp

Download
memory/3512-207-0x0000000000000000-mapping.dmp

Download
memory/3512-210-0x0000020858120000-0x0000020858130000-memory.dmp

Filesize
64KB

Download
memory/3512-209-0x00007FFE94BF0000-0x00007FFE94FF0000-memory.dmp

Filesize
4.0MB

Download
memory/3512-208-0x00007FFE936D0000-0x00007FFE93C1A000-memory.dmp

Filesize
5.3MB

Download
memory/3688-224-0x0000000000000000-mapping.dmp

Download
memory/3876-219-0x0000000000000000-mapping.dmp

Download
memory/3884-221-0x0000000000000000-mapping.dmp

Download
memory/4048-204-0x0000000000000000-mapping.dmp

Download
memory/4268-227-0x0000000000000000-mapping.dmp

Download
memory/4668-215-0x0000000000000000-mapping.dmp

Download
memory/4860-211-0x0000000000000000-mapping.dmp

Download
memory/4936-228-0x0000000000000000-mapping.dmp

Download
memory/5044-231-0x00000208E2B30000-0x00000208E2B3E000-memory.dmp

Filesize
56KB

Download
memory/5044-232-0x00000208E2F90000-0x00000208E2F9A000-memory.dmp

Filesize
40KB

Download
memory/5044-233-0x00000208E2FC0000-0x00000208E2FC8000-memory.dmp

Filesize
32KB

Download
memory/5044-234-0x00007FFE8C5A0000-0x00007FFE8D061000-memory.dmp

Filesize
10.8MB

Download
memory/5044-250-0x00007FFE8C5A0000-0x00007FFE8D061000-memory.dmp

Filesize
10.8MB

Download