9f1eb0a100615cdda44a13f434627f8978d133ca4ef4a002809f95dcc8d24ff6

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

onedrive-photos.lnk
Size

2KB
MD5

63b00ce296162a6627510741598d0255
SHA1

f795d55bcb1dae240e6d26644f80d1691618bf1a
SHA256

3115d69184d66d8e588a60b94a250dd51209e894660641ca316560ae918779eb
SHA512

75ffecb5c80db028cbcb78f7fc3c6a015930cc1e162cbf55040f208758e875cc212b9411c6e9d6a5928fb79e4dbf4a13057b066f08c6c89bac0a1201334c1a2b

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe

Executes dropped EXE 19 IoCs

pid	Process
2664	OneDriveSetup.exe
2668	OneDriveSetup.exe
3648	FileSyncConfig.exe
3812	OneDriveStandaloneUpdater.exe
2188	Microsoft.SharePoint.exe
4624	MicrosoftEdgeWebview2Setup.exe
4876	MicrosoftEdgeUpdate.exe
1236	MicrosoftEdgeUpdate.exe
1064	MicrosoftEdgeUpdate.exe
2584	MicrosoftEdgeUpdateComRegisterShell64.exe
2920	MicrosoftEdgeUpdateComRegisterShell64.exe
484	MicrosoftEdgeUpdateComRegisterShell64.exe
2824	MicrosoftEdgeUpdate.exe
4692	MicrosoftEdgeUpdate.exe
3768	MicrosoftEdgeUpdate.exe
1972	MicrosoftEdgeUpdate.exe
1732	MicrosoftEdge_X64_114.0.1823.51.exe
1140	setup.exe
2300	MicrosoftEdgeUpdate.exe

Loads dropped DLL 50 IoCs

pid	Process
3648	FileSyncConfig.exe
3648	FileSyncConfig.exe
3648	FileSyncConfig.exe
3648	FileSyncConfig.exe
3648	FileSyncConfig.exe
3648	FileSyncConfig.exe
3648	FileSyncConfig.exe
3648	FileSyncConfig.exe
3648	FileSyncConfig.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
2188	Microsoft.SharePoint.exe
4876	MicrosoftEdgeUpdate.exe
1236	MicrosoftEdgeUpdate.exe
1064	MicrosoftEdgeUpdate.exe
2584	MicrosoftEdgeUpdateComRegisterShell64.exe
1064	MicrosoftEdgeUpdate.exe
2920	MicrosoftEdgeUpdateComRegisterShell64.exe
1064	MicrosoftEdgeUpdate.exe
484	MicrosoftEdgeUpdateComRegisterShell64.exe
1064	MicrosoftEdgeUpdate.exe
2824	MicrosoftEdgeUpdate.exe
4692	MicrosoftEdgeUpdate.exe
3768	MicrosoftEdgeUpdate.exe
3768	MicrosoftEdgeUpdate.exe
4692	MicrosoftEdgeUpdate.exe
1972	MicrosoftEdgeUpdate.exe
2300	MicrosoftEdgeUpdate.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.107.0521.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.107.0521.0001\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.107.0521.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.107.0521.0001\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.107.0521.0001\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.107.0521.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.107.0521.0001\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{07CA83F0-DF06-4E67-89DD-E80924A49512}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.107.0521.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32	OneDriveSetup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 18 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveStandaloneUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveStandaloneUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\fr-CA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\cookie_exporter.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\sq.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\microsoft_shell_integration.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\az.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_cs.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_ru.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_ta.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\msedgewebview2.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_nn.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\telclient.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\vulkan-1.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\wns_push_client.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\oneauth.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\or.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_mr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Notifications\SoftLandingAssetLight.gif	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\fa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\cy.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_en-GB.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\gd.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\ro.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_it.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_sv.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\BHO\ie_to_edge_bho.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\BHO\ie_to_edge_bho.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_bn-IN.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\vi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\mspdf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Trust Protection Lists\Sigma\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Trust Protection Lists\Mu\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\sq.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Extensions\external_extensions.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.51\Locales\sr-Cyrl-BA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_kn.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\BHO\ie_to_edge_bho_64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\tt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\5602886d-1128-47d4-a29b-d7a25008666d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Locales\km.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\MicrosoftEdgeUpdateBroker.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_ro.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\msedgeupdateres_th.dll	MicrosoftEdgeWebview2Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ServiceParameters = "/comsvc"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ = "ILaunchUXInterface"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\INTERFACE\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\ = "IFileSyncClient12"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\ = "UpToDateCloudOverlayHandler Class"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ = "ISyncItemPathCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass.1\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\NucleusToastActivator.NucleusToastActivator.1\CLSID\ = "{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ = "FileSyncOutOfProcServices Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\INTERFACE\{A87958FF-B414-7748-9183-DBF183A25905}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\INTERFACE\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_CLASSES\WOW6432NODE\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BA3C8F8-C960-456B-90E5-9D6468CD1B6C}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\Interface\{D32F7B3A-DEC8-4F44-AF28-E9B7FEB62118}\TypeLib	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
652	onedriveupdater.exe
652	onedriveupdater.exe
652	onedriveupdater.exe
652	onedriveupdater.exe
2664	OneDriveSetup.exe
2664	OneDriveSetup.exe
2664	OneDriveSetup.exe
2664	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
2668	OneDriveSetup.exe
4876	MicrosoftEdgeUpdate.exe
4876	MicrosoftEdgeUpdate.exe
4876	MicrosoftEdgeUpdate.exe
4876	MicrosoftEdgeUpdate.exe
4876	MicrosoftEdgeUpdate.exe
4876	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2664	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	2668	OneDriveSetup.exe
Token: SeDebugPrivilege	4876	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4876	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 780	4932	cmd.exe	85
PID 4932 wrote to memory of 780	4932	cmd.exe	85
PID 780 wrote to memory of 652	780	cmd.exe	86
PID 780 wrote to memory of 652	780	cmd.exe	86
PID 652 wrote to memory of 2664	652	onedriveupdater.exe	96
PID 652 wrote to memory of 2664	652	onedriveupdater.exe	96
PID 2668 wrote to memory of 3648	2668	OneDriveSetup.exe	100
PID 2668 wrote to memory of 3648	2668	OneDriveSetup.exe	100
PID 2668 wrote to memory of 3812	2668	OneDriveSetup.exe	102
PID 2668 wrote to memory of 3812	2668	OneDriveSetup.exe	102
PID 3812 wrote to memory of 4624	3812	OneDriveStandaloneUpdater.exe	105
PID 3812 wrote to memory of 4624	3812	OneDriveStandaloneUpdater.exe	105
PID 3812 wrote to memory of 4624	3812	OneDriveStandaloneUpdater.exe	105
PID 4624 wrote to memory of 4876	4624	MicrosoftEdgeWebview2Setup.exe	106
PID 4624 wrote to memory of 4876	4624	MicrosoftEdgeWebview2Setup.exe	106
PID 4624 wrote to memory of 4876	4624	MicrosoftEdgeWebview2Setup.exe	106
PID 4876 wrote to memory of 1236	4876	MicrosoftEdgeUpdate.exe	107
PID 4876 wrote to memory of 1236	4876	MicrosoftEdgeUpdate.exe	107
PID 4876 wrote to memory of 1236	4876	MicrosoftEdgeUpdate.exe	107
PID 4876 wrote to memory of 1064	4876	MicrosoftEdgeUpdate.exe	108
PID 4876 wrote to memory of 1064	4876	MicrosoftEdgeUpdate.exe	108
PID 4876 wrote to memory of 1064	4876	MicrosoftEdgeUpdate.exe	108
PID 1064 wrote to memory of 2584	1064	MicrosoftEdgeUpdate.exe	109
PID 1064 wrote to memory of 2584	1064	MicrosoftEdgeUpdate.exe	109
PID 1064 wrote to memory of 2920	1064	MicrosoftEdgeUpdate.exe	110
PID 1064 wrote to memory of 2920	1064	MicrosoftEdgeUpdate.exe	110
PID 1064 wrote to memory of 484	1064	MicrosoftEdgeUpdate.exe	111
PID 1064 wrote to memory of 484	1064	MicrosoftEdgeUpdate.exe	111
PID 4876 wrote to memory of 2824	4876	MicrosoftEdgeUpdate.exe	112
PID 4876 wrote to memory of 2824	4876	MicrosoftEdgeUpdate.exe	112
PID 4876 wrote to memory of 2824	4876	MicrosoftEdgeUpdate.exe	112
PID 4876 wrote to memory of 4692	4876	MicrosoftEdgeUpdate.exe	113
PID 4876 wrote to memory of 4692	4876	MicrosoftEdgeUpdate.exe	113
PID 4876 wrote to memory of 4692	4876	MicrosoftEdgeUpdate.exe	113
PID 3768 wrote to memory of 1972	3768	MicrosoftEdgeUpdate.exe	115
PID 3768 wrote to memory of 1972	3768	MicrosoftEdgeUpdate.exe	115
PID 3768 wrote to memory of 1972	3768	MicrosoftEdgeUpdate.exe	115
PID 3768 wrote to memory of 1732	3768	MicrosoftEdgeUpdate.exe	116
PID 3768 wrote to memory of 1732	3768	MicrosoftEdgeUpdate.exe	116
PID 1732 wrote to memory of 1140	1732	MicrosoftEdge_X64_114.0.1823.51.exe	117
PID 1732 wrote to memory of 1140	1732	MicrosoftEdge_X64_114.0.1823.51.exe	117
PID 3768 wrote to memory of 2300	3768	MicrosoftEdgeUpdate.exe	118
PID 3768 wrote to memory of 2300	3768	MicrosoftEdgeUpdate.exe	118
PID 3768 wrote to memory of 2300	3768	MicrosoftEdgeUpdate.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\onedrive-photos.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start onedriveupdater.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\onedriveupdater.exe
    onedriveupdater.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update /updateSource:ODSU
      4⤵
      Executes dropped EXE
      Checks system information in the registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2664
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /updateSource:ODSU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies system executable filetype association
        Registers COM server for autorun
        Adds Run key to start application
        Checks system information in the registry
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncConfig.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /installWebView2
        6⤵
        Executes dropped EXE
        Checks system information in the registry
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe /silent /install
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EUE520.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        8⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1236
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2584
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2920
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:484
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODA1MzU2OTctQTdFQy00NUI5LUEzMzAtN0FFMzMxRENFOTQxfSIgdXNlcmlkPSJ7MkU4RUJBNzUtRjM5Qy00MkM0LUE4MTItRThFM0I4RDVBQUQ2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBMTY5MThCMy04QzE5LTQ1MEUtQkQyOS03NkZDOUUwNTdCOUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTczLjQ1IiBuZXh0dmVyc2lvbj0iMS4zLjE3NS4yOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk5Mzc1NTk1NSIgaW5zdGFsbF90aW1lX21zPSIxMDk0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        
        PID:2824
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{80535697-A7EC-45B9-A330-7AE331DCE941}" /silent
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Microsoft.SharePoint.exe
        
        /silentConfig
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        
        PID:2188

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODA1MzU2OTctQTdFQy00NUI5LUEzMzAtN0FFMzMxRENFOTQxfSIgdXNlcmlkPSJ7MkU4RUJBNzUtRjM5Qy00MkM0LUE4MTItRThFM0I4RDVBQUQ2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswMkJDMEE1NC00NEU5LTQyQTYtODQzQy1GMERENzcyMjMzMzh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTAwMzU5OTMyNSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:1972
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{24DA88B7-D566-4594-A233-3644F95C7359}\MicrosoftEdge_X64_114.0.1823.51.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{24DA88B7-D566-4594-A233-3644F95C7359}\MicrosoftEdge_X64_114.0.1823.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{24DA88B7-D566-4594-A233-3644F95C7359}\EDGEMITMP_034D8.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{24DA88B7-D566-4594-A233-3644F95C7359}\EDGEMITMP_034D8.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{24DA88B7-D566-4594-A233-3644F95C7359}\MicrosoftEdge_X64_114.0.1823.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    PID:1140
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODA1MzU2OTctQTdFQy00NUI5LUEzMzAtN0FFMzMxRENFOTQxfSIgdXNlcmlkPSJ7MkU4RUJBNzUtRjM5Qy00MkM0LUE4MTItRThFM0I4RDVBQUQ2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDNEQ4NzExQi04REI4LTQ5REQtODM5RC00MkZBQ0MyM0MxQkR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMTQuMC4xODIzLjUxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDIxNzI0MzM1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTAyMjAzNjk4OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxNjkwNjc5NzUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzRkMDdhNmZlLThiZTYtNDE3Yy1iMjM2LWRkOTEzMGUwNGIxNj9QMT0xNjg3NTUxMDI1JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWNRdTZ0V2xSMkJzMjhoU3pNcjBKUUclMmZueWd1RFZNdnpWYUU5Q0lONU04VnNBcmk4SGxWWXdPTFZUdCUyYjFGV00lMmIlMmJsOEM2RERxc01YcUgzV3pUeXh1cEElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNDc1OTIxMTIiIHRvdGFsPSIxNDc1OTIxMTIiIGRvd25sb2FkX3RpbWVfbXM9IjEwODkxIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE2OTA2Nzk3NSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxODUzMTg1NjYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDkiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0NDI4MTg0MTAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMDE1IiBkb3dubG9hZF90aW1lX21zPSIxNDYyNCIgZG93bmxvYWRlZD0iMTQ3NTkyMTEyIiB0b3RhbD0iMTQ3NTkyMTEyIiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSIyNTcxOSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.51\Installer\setup.exe

Filesize
3.9MB

MD5
f310b5e0ea41acf8c54c2decf9e3bd55

SHA1
1e51e54b0949172c8efbe70abfb4808ac1c62571

SHA256
45d5b4b0f3c8902497ab6f72f533d9ad5557875cafb424b814a154f5d9907662

SHA512
2c72cc3a487b3ac1207d2181047a7c3e8fc0f38d3e861da8e47efde777091ea74df2e9a75c3bc6a47bf76975f31a8c7e91320a8d073ed2dc1bdb13145df96394

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\114.0.1823.51\MicrosoftEdge_X64_114.0.1823.51.exe

Filesize
140.8MB

MD5
58505bf8d31f7417a22cbeec9724dfe8

SHA1
f6a6ba745d815ac42096b16160cb954c536fc611

SHA256
cb10779cadbd635fe96693816ada5da02374495b203beaca471cd4eb83f86fb3

SHA512
3105732704f7956f21ec14e869a25f36d7a7bd10f2d6ecf2fc2ee217e848d0fe816bfb95bae2869dc080d34a4778051f0a602a15b49b51fe093c7be63e531101

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
cfad69d55cbb9ceeffaccdd176e19f7a

SHA1
076f72b145f761d23d533ed981ae059fa61339d2

SHA256
a238fc18a787d5f21a4942690029e0240597c7fc0d7dbb401063486387b7bf7c

SHA512
6a125ee8d46c444bfbd92967d46c7c127da7904fa9f9505528cd479ea169ce4c9026400e5b59e136fc0a2c8e2de64a53eb4e7cc8ddbdb5f541df47ed401f04a5

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
116KB

MD5
0a00f4c32356126add8ec81e395b0b3d

SHA1
06b97c7a4b4d3ac74b27bb306e42948e68de7f48

SHA256
2af4e044aca918f38c0085abfb4cfd2a607d53b5df039d9943acff5bb8ca016a

SHA512
52cf4c09f9748d1465f5c5dbbd26edd3a421863b36785ae1a17d48840329d04f4c10cf60e7be57fc6458404fd098fa3fa04d478f8a1126b16e48bfad45d1de10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSync.LocalizedResources.dll

Filesize
264KB

MD5
5f73e4d07df623efbc032bdd1555e2f4

SHA1
0703c4482bba75fe20ce093b0cda5cfb4dc5552c

SHA256
138dec103c42d1b173cd067a93e6b51b1e54a10ab68d953b003e04bb8c496855

SHA512
c1b4ee3a76535f6f9c21c9ce69cf717e4662077492d44634c2690f12d9bc98a4a75e5730fc33e097b0486a05656cf4781c8b02054c1e93d92e19164962b7133d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSync.LocalizedResources.dll

Filesize
264KB

MD5
5f73e4d07df623efbc032bdd1555e2f4

SHA1
0703c4482bba75fe20ce093b0cda5cfb4dc5552c

SHA256
138dec103c42d1b173cd067a93e6b51b1e54a10ab68d953b003e04bb8c496855

SHA512
c1b4ee3a76535f6f9c21c9ce69cf717e4662077492d44634c2690f12d9bc98a4a75e5730fc33e097b0486a05656cf4781c8b02054c1e93d92e19164962b7133d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSync.LocalizedResources.dll

Filesize
264KB

MD5
5f73e4d07df623efbc032bdd1555e2f4

SHA1
0703c4482bba75fe20ce093b0cda5cfb4dc5552c

SHA256
138dec103c42d1b173cd067a93e6b51b1e54a10ab68d953b003e04bb8c496855

SHA512
c1b4ee3a76535f6f9c21c9ce69cf717e4662077492d44634c2690f12d9bc98a4a75e5730fc33e097b0486a05656cf4781c8b02054c1e93d92e19164962b7133d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSync.Resources.dll

Filesize
4.0MB

MD5
6377b76a1add7d6f8d0a44423c5113d9

SHA1
4aed48fcf5ea5a40ac6076104e53a034000b4df3

SHA256
df6379940acff77bf63560fc07a14661ce96c4c6dc67fd11852afade7000e05a

SHA512
a9e40f813d3e5aa865a8afac54bbec4101de3e1d5dc5d39a4438c7def2ec81648337d4ad75cc622d3dac12f98a835de2b4e1f6aca1803edb5d876be05162defa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSync.Resources.dll

Filesize
4.0MB

MD5
6377b76a1add7d6f8d0a44423c5113d9

SHA1
4aed48fcf5ea5a40ac6076104e53a034000b4df3

SHA256
df6379940acff77bf63560fc07a14661ce96c4c6dc67fd11852afade7000e05a

SHA512
a9e40f813d3e5aa865a8afac54bbec4101de3e1d5dc5d39a4438c7def2ec81648337d4ad75cc622d3dac12f98a835de2b4e1f6aca1803edb5d876be05162defa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSync.Resources.dll

Filesize
4.0MB

MD5
6377b76a1add7d6f8d0a44423c5113d9

SHA1
4aed48fcf5ea5a40ac6076104e53a034000b4df3

SHA256
df6379940acff77bf63560fc07a14661ce96c4c6dc67fd11852afade7000e05a

SHA512
a9e40f813d3e5aa865a8afac54bbec4101de3e1d5dc5d39a4438c7def2ec81648337d4ad75cc622d3dac12f98a835de2b4e1f6aca1803edb5d876be05162defa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncConfig.exe

Filesize
722KB

MD5
9bd9dfd7443741c509416b0e1d275669

SHA1
2e8d5e78a131eec581603179e171ee4d58d7ce6b

SHA256
034a50140df4bd330e33101b895111f7650c03a8682b9a17afb613d2c56abb50

SHA512
5b542199f68891f00156489087cd55ebba84026108d04a8b2d6545d3a203a4b58083ab0115bda9a7702ec6171ca1f481d00a06f6375e749eff7b6f16af7bab6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncConfig.exe

Filesize
722KB

MD5
9bd9dfd7443741c509416b0e1d275669

SHA1
2e8d5e78a131eec581603179e171ee4d58d7ce6b

SHA256
034a50140df4bd330e33101b895111f7650c03a8682b9a17afb613d2c56abb50

SHA512
5b542199f68891f00156489087cd55ebba84026108d04a8b2d6545d3a203a4b58083ab0115bda9a7702ec6171ca1f481d00a06f6375e749eff7b6f16af7bab6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncFS.DLL

Filesize
579KB

MD5
af55f9a29956dadb409304024af2d20e

SHA1
09313e2c28d4014fbc149a8cc8b6050e01cde069

SHA256
eac857a45508174160c302f947797fde35e3cc3ff48d30538303372007653f8f

SHA512
6fd1cbb8678c8c52f294af2305613c1be36fe37b0ec7302a02d0dce534f1d1eacc7c16542c33fd507ddd9d6b8850ef1ec6e76ae25d6a7f90e574dbfece81c58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncFS.dll

Filesize
579KB

MD5
af55f9a29956dadb409304024af2d20e

SHA1
09313e2c28d4014fbc149a8cc8b6050e01cde069

SHA256
eac857a45508174160c302f947797fde35e3cc3ff48d30538303372007653f8f

SHA512
6fd1cbb8678c8c52f294af2305613c1be36fe37b0ec7302a02d0dce534f1d1eacc7c16542c33fd507ddd9d6b8850ef1ec6e76ae25d6a7f90e574dbfece81c58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncHost.DLL

Filesize
412KB

MD5
d426c62d15ffd501eef12b8daf8f86fe

SHA1
f4fd475b6726ccd4f7b706f5035b9ede60af32d3

SHA256
91a48c401dc29d45d8842ad9264eddd1c345145d63adeda54b8f3bc9e5fd4453

SHA512
97971d8f97b9da1e9c0705e0e79ae90897f5c96a9d22f5e7ad7c5c3e06ff8209bdcba02fbef7b6c8fa35f16cc455a2b4b391123a4d9fc892986a6c0c5897a191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncHost.dll

Filesize
412KB

MD5
d426c62d15ffd501eef12b8daf8f86fe

SHA1
f4fd475b6726ccd4f7b706f5035b9ede60af32d3

SHA256
91a48c401dc29d45d8842ad9264eddd1c345145d63adeda54b8f3bc9e5fd4453

SHA512
97971d8f97b9da1e9c0705e0e79ae90897f5c96a9d22f5e7ad7c5c3e06ff8209bdcba02fbef7b6c8fa35f16cc455a2b4b391123a4d9fc892986a6c0c5897a191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncSessions.dll

Filesize
5.4MB

MD5
4fc76a9c6d2d2dc30d6ddc412bedd6cc

SHA1
87af2192dd9f7f2176a8a594229931907af15fe3

SHA256
ebe15e9b8abe99f60b2e9e77d1b61ac4e1c63dbaf1ee11ec7d66e09d9c44f7d8

SHA512
3f389bd51c9cba51d5ea213afb1a6384e88b79da10216903492a814b4fbd2d3002e6862c41cea5d3b47ec8ce186110348a735da7d6a74bc4ea00f838e24a9d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncSessions.dll

Filesize
5.4MB

MD5
4fc76a9c6d2d2dc30d6ddc412bedd6cc

SHA1
87af2192dd9f7f2176a8a594229931907af15fe3

SHA256
ebe15e9b8abe99f60b2e9e77d1b61ac4e1c63dbaf1ee11ec7d66e09d9c44f7d8

SHA512
3f389bd51c9cba51d5ea213afb1a6384e88b79da10216903492a814b4fbd2d3002e6862c41cea5d3b47ec8ce186110348a735da7d6a74bc4ea00f838e24a9d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncSessions.dll

Filesize
5.4MB

MD5
4fc76a9c6d2d2dc30d6ddc412bedd6cc

SHA1
87af2192dd9f7f2176a8a594229931907af15fe3

SHA256
ebe15e9b8abe99f60b2e9e77d1b61ac4e1c63dbaf1ee11ec7d66e09d9c44f7d8

SHA512
3f389bd51c9cba51d5ea213afb1a6384e88b79da10216903492a814b4fbd2d3002e6862c41cea5d3b47ec8ce186110348a735da7d6a74bc4ea00f838e24a9d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncSqlite3.dll

Filesize
633KB

MD5
e95573328b9f19c930dd37498e0dd433

SHA1
a872f129854b5c525f3069a923e05d037ff10ab2

SHA256
e5e3ea63cb5bf944207e558337b66a51946cbb15dd28b4f8e356e3d7d3d0f3de

SHA512
38af2183fcfd7a1ffcf4835a83c1df712df049f6d3584d6ba66bde1ffe03764634ccd55104bae54cb96cacdf673319aa2a086844bf8622229f606847bee70787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncSqlite3.dll

Filesize
633KB

MD5
e95573328b9f19c930dd37498e0dd433

SHA1
a872f129854b5c525f3069a923e05d037ff10ab2

SHA256
e5e3ea63cb5bf944207e558337b66a51946cbb15dd28b4f8e356e3d7d3d0f3de

SHA512
38af2183fcfd7a1ffcf4835a83c1df712df049f6d3584d6ba66bde1ffe03764634ccd55104bae54cb96cacdf673319aa2a086844bf8622229f606847bee70787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncTelemetryExtensions.dll

Filesize
461KB

MD5
7cc9a73247db4eba53b89148f274ea8c

SHA1
2c4277a8ee131712020d6bd33a020db71afea98b

SHA256
f4181d15f4ad91f8e23228b53027299c40ca6695b366898df8b7dab701b71bc3

SHA512
e44080b1bd6e4b68c468e71252c9af80ad6b0a13c944b36e8851fe3ea9fabdabfcc76b014120bc683d98463299483a1fb943f4d1c5d05b8be71054f755ae8dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\FileSyncTelemetryExtensions.dll

Filesize
461KB

MD5
7cc9a73247db4eba53b89148f274ea8c

SHA1
2c4277a8ee131712020d6bd33a020db71afea98b

SHA256
f4181d15f4ad91f8e23228b53027299c40ca6695b366898df8b7dab701b71bc3

SHA512
e44080b1bd6e4b68c468e71252c9af80ad6b0a13c944b36e8851fe3ea9fabdabfcc76b014120bc683d98463299483a1fb943f4d1c5d05b8be71054f755ae8dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogUploader.dll

Filesize
980KB

MD5
3cdc8f8873b4d5d0001bdf6ea9e711c8

SHA1
7323f3b45f0448b2e10861514504c54132cc9472

SHA256
feaccd715fbc147f14eeae765ed302bea4fc7333b3bcf8c18c3df98876ed42af

SHA512
54a816e3156634d3eacb57743ceea9edd452b432b179d4a8bd32ca66238439971efe0781935105a2d97feff3d3779532b35fa9f277a597ebb6cfe47d485a2bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogUploader.dll

Filesize
980KB

MD5
3cdc8f8873b4d5d0001bdf6ea9e711c8

SHA1
7323f3b45f0448b2e10861514504c54132cc9472

SHA256
feaccd715fbc147f14eeae765ed302bea4fc7333b3bcf8c18c3df98876ed42af

SHA512
54a816e3156634d3eacb57743ceea9edd452b432b179d4a8bd32ca66238439971efe0781935105a2d97feff3d3779532b35fa9f277a597ebb6cfe47d485a2bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LoggingPlatform.DLL

Filesize
635KB

MD5
48497289260baa0f9592f04391b496e7

SHA1
071b0fd69e1d4cf906ac67118597c81635161145

SHA256
7ffb40890d04071e442b1ebc11d667963471f41f1833febdfd568b0d95601df4

SHA512
51b6fc7fcb99543f8bd1e40c91626fa77988c606e8d54b27c645d858495ddb9638b52869fbd5d61341e8c380c86d8181bc73ccc20f42a82abcb9bd6aca98a693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LoggingPlatform.dll

Filesize
635KB

MD5
48497289260baa0f9592f04391b496e7

SHA1
071b0fd69e1d4cf906ac67118597c81635161145

SHA256
7ffb40890d04071e442b1ebc11d667963471f41f1833febdfd568b0d95601df4

SHA512
51b6fc7fcb99543f8bd1e40c91626fa77988c606e8d54b27c645d858495ddb9638b52869fbd5d61341e8c380c86d8181bc73ccc20f42a82abcb9bd6aca98a693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LoggingPlatform.dll

Filesize
635KB

MD5
48497289260baa0f9592f04391b496e7

SHA1
071b0fd69e1d4cf906ac67118597c81635161145

SHA256
7ffb40890d04071e442b1ebc11d667963471f41f1833febdfd568b0d95601df4

SHA512
51b6fc7fcb99543f8bd1e40c91626fa77988c606e8d54b27c645d858495ddb9638b52869fbd5d61341e8c380c86d8181bc73ccc20f42a82abcb9bd6aca98a693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\LogoImages\Resources.pri

Filesize
17.8MB

MD5
c692bad42473abb43c0c2fa596f98fa0

SHA1
758bc205d3f73c0ff30d39529b22f6cfda640301

SHA256
2b8970bbb8d89b030b71f4b9638aeb56c4543957e5bee7539e31180826e22a7f

SHA512
b2e62dd24c5b194bde5ffa5d4e4d58d80648936eadc393074a61427e128edaeb81f4aeab366957d8dcbacd596b0fbbf4fe8bec3a8c73382a77bd482ce62e09ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\MSVCP140.dll

Filesize
557KB

MD5
5e4239192ff5079bacf92c89f65f3c21

SHA1
46d8072f0c35f50ce92b248907778d71a4f34b5e

SHA256
c116bc8349ae9f6d479b89dd3a827606d12fff34b0d0a249f6594d194d79d195

SHA512
242da2426e58b429474c0762f87ffdb5d30c398eb46a5b8bba41b3664de2cd6f5e5cb340cc93e882d7564c979ac910a4d450894e2bdc51457b53df0029d6d89d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\MSVCP140_ATOMIC_WAIT.dll

Filesize
55KB

MD5
ecf37f3231d5552b6968f3b25cf2ff07

SHA1
cf5a6236046e56215de1e262c5ab7ff1bb51eed5

SHA256
1583bbc399c921343ae9f9ca3be74a52b9478d971dcd1624d73a0d652bbd547d

SHA512
56593279751c52de360f963a5a25460260a630ba314cbd7b97f0f4d94c8be5f43ee9645fe40f677bd45a13d0137fdbfc43c43d9950ecb7990e81df4aa1a8a07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Microsoft.SharePoint.Calc.dll

Filesize
912KB

MD5
82b72e92dedc44ff66e237bde938ee10

SHA1
4d11da3c819d580654933b74b4ad79691119d57e

SHA256
90a2c65c209dde828d9ff2e680c93871609600025057f92e69afb9e1b3e560ed

SHA512
5c3d670c5ad5beaeecf26a490a70ad2b2956dc1ae099f12fa1f23d16c5ec324d43fedd45da6a8f67f4f3eb5c6c7b5087b934d0fb98561b00ea6e44c77f1bcf8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Microsoft.SharePoint.Calc.dll

Filesize
912KB

MD5
82b72e92dedc44ff66e237bde938ee10

SHA1
4d11da3c819d580654933b74b4ad79691119d57e

SHA256
90a2c65c209dde828d9ff2e680c93871609600025057f92e69afb9e1b3e560ed

SHA512
5c3d670c5ad5beaeecf26a490a70ad2b2956dc1ae099f12fa1f23d16c5ec324d43fedd45da6a8f67f4f3eb5c6c7b5087b934d0fb98561b00ea6e44c77f1bcf8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Microsoft.SharePoint.WebSocketClient.dll

Filesize
1.1MB

MD5
0f86f411bb9168effacde3e448159052

SHA1
1251702e7c56ffc27dd315685820e40ab60843bd

SHA256
9786fa83b406cc3c2a521bd38c9251078fc4fce1c550ff6cc4fb7199982a179f

SHA512
1c5cd601ffda10f8007d9adf51eeb65308b7dd2f7d689026a646fa3722a747ca864429ca699258e726c5c8d7125a6e1449b73d0bc6b7192de5c56f38be5d704c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Microsoft.SharePoint.WebSocketClient.dll

Filesize
1.1MB

MD5
0f86f411bb9168effacde3e448159052

SHA1
1251702e7c56ffc27dd315685820e40ab60843bd

SHA256
9786fa83b406cc3c2a521bd38c9251078fc4fce1c550ff6cc4fb7199982a179f

SHA512
1c5cd601ffda10f8007d9adf51eeb65308b7dd2f7d689026a646fa3722a747ca864429ca699258e726c5c8d7125a6e1449b73d0bc6b7192de5c56f38be5d704c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Microsoft.SharePoint.dll

Filesize
14.1MB

MD5
5b379deaad1d9d962bebabc2042c9aac

SHA1
d7f2bfa0c0b32abebae1d244ab68ae64d94f28c5

SHA256
81da3f0b1ed1b9354ea6935a9efb18515ed5c301cb08015c26f42d746345d5ca

SHA512
1d20c2de5d81dfd8b01ad6954e8a1522cc0a49ff593ed4944b97c0c2f5b80f9359eb4a1e5bb64eb4ea29d934cdbbb1502192869518b2a0e55397b2261caa9bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Microsoft.SharePoint.dll

Filesize
14.1MB

MD5
5b379deaad1d9d962bebabc2042c9aac

SHA1
d7f2bfa0c0b32abebae1d244ab68ae64d94f28c5

SHA256
81da3f0b1ed1b9354ea6935a9efb18515ed5c301cb08015c26f42d746345d5ca

SHA512
1d20c2de5d81dfd8b01ad6954e8a1522cc0a49ff593ed4944b97c0c2f5b80f9359eb4a1e5bb64eb4ea29d934cdbbb1502192869518b2a0e55397b2261caa9bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Microsoft.SharePoint.exe

Filesize
543KB

MD5
7326e55a5ba82975839398aee65689ef

SHA1
2ce82eb1f5c4be7b9b6d3d8ccd574ec6bc0d1707

SHA256
d7a67983b097a6e17ac8d7bc232e16bbe9d1f9fb738fdc6b907d3e4b6754c36e

SHA512
3e9ce366e6abe33be98b91ef3853105ac9a727192e05dd6ca837b476d60af7c0e66ce2f1ba506ab148d1bfb2e5a878381e5f8bbcce659866adb3a0f5973c2e3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\OneDrive.exe

Filesize
2.5MB

MD5
1f5f335445b03dbf3d5deb1610ae78a9

SHA1
09d0b3d9941b4baef93abb0995eb1412cd56e22e

SHA256
c5a15cd50cc55f5bf62b77c91b0fb8f188140b3cd53525522e08fc20f4470e9b

SHA512
5b1b17dee9ad6d617cf660639e5db9d7de063af51b677d711361b205dc32161b70a74a22c20dd8a34af2309e71f59ff4edfa695d80520d6bfc594fb0de3b6891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\OneDriveStandaloneUpdater.exe

Filesize
4.0MB

MD5
7e01917fd596842fc8eaa63c66050363

SHA1
adf8a7bed48509bf6b170cfc4bac7e1f1f74c32f

SHA256
5cada5c75dd81608cad8c819c353e980cbd95fd6e2bc3cce1d379eec02543146

SHA512
a00b50d8a08dbb986d622f6a991d063d05ab07341713b7ec80f75874693141d4316ac9428be2e9120b13e4f4c562d520e5f01eb0f026c7910b4b214fd9560baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\OneDriveTelemetryStable.dll

Filesize
2.2MB

MD5
481e20e939fce5fc9cab409fb5ab69b3

SHA1
0919007af4dab021c1c46be0b6e58a589e6be684

SHA256
d06e67c0ae05cb3c9b3cd765e7f837f546c88f7e95d0140c0db2276ee0f85da4

SHA512
c60bde836084f22445c1555982c77a5853568a12fdd34f8a4fc750f7578e93f142efc980ca11b6aca0e74427a9646d27f1f6b6a4a217110524cc5c7bd127cd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\OneDriveTelemetryStable.dll

Filesize
2.2MB

MD5
481e20e939fce5fc9cab409fb5ab69b3

SHA1
0919007af4dab021c1c46be0b6e58a589e6be684

SHA256
d06e67c0ae05cb3c9b3cd765e7f837f546c88f7e95d0140c0db2276ee0f85da4

SHA512
c60bde836084f22445c1555982c77a5853568a12fdd34f8a4fc750f7578e93f142efc980ca11b6aca0e74427a9646d27f1f6b6a4a217110524cc5c7bd127cd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Telemetry.dll

Filesize
585KB

MD5
aeea0576290833bde7c4593e8ad5f943

SHA1
73c3fa5e8af9be0e8ac1a429babb941b35d58435

SHA256
e2a4487ed8a9b624d9113bd2544c80354ac698d2effffc4a2856b49f1604c93f

SHA512
27e44f02e87773b56b21ac8a24c57550917f0fec9517513cf41ae9b7abc81744d94c76bf7dd85deda879ba22dbc3c90ee852843c5887abb5b7d820a93395d605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Telemetry.dll

Filesize
585KB

MD5
aeea0576290833bde7c4593e8ad5f943

SHA1
73c3fa5e8af9be0e8ac1a429babb941b35d58435

SHA256
e2a4487ed8a9b624d9113bd2544c80354ac698d2effffc4a2856b49f1604c93f

SHA512
27e44f02e87773b56b21ac8a24c57550917f0fec9517513cf41ae9b7abc81744d94c76bf7dd85deda879ba22dbc3c90ee852843c5887abb5b7d820a93395d605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\Telemetry.dll

Filesize
585KB

MD5
aeea0576290833bde7c4593e8ad5f943

SHA1
73c3fa5e8af9be0e8ac1a429babb941b35d58435

SHA256
e2a4487ed8a9b624d9113bd2544c80354ac698d2effffc4a2856b49f1604c93f

SHA512
27e44f02e87773b56b21ac8a24c57550917f0fec9517513cf41ae9b7abc81744d94c76bf7dd85deda879ba22dbc3c90ee852843c5887abb5b7d820a93395d605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\UpdateRingSettings.dll

Filesize
561KB

MD5
5f6beeed41bb1a68885cec47aecf1942

SHA1
32defc0c8efdb43f5d8ee6b7e851cb79d00ef5df

SHA256
e7802d8ee7f09c3d2c159bfc387842f0f5ef38753f75efc5da21e4a3e298decf

SHA512
07b4f5b67dd31841cb63f2deb61fdf413c7bd797b7c8fbf0a3c690f2e5ca35dc4ffed3a89f474a3c60d95bad2ed6069bc2c1ac5f8bc428f48fb2d630db6899de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\UpdateRingSettings.dll

Filesize
561KB

MD5
5f6beeed41bb1a68885cec47aecf1942

SHA1
32defc0c8efdb43f5d8ee6b7e851cb79d00ef5df

SHA256
e7802d8ee7f09c3d2c159bfc387842f0f5ef38753f75efc5da21e4a3e298decf

SHA512
07b4f5b67dd31841cb63f2deb61fdf413c7bd797b7c8fbf0a3c690f2e5ca35dc4ffed3a89f474a3c60d95bad2ed6069bc2c1ac5f8bc428f48fb2d630db6899de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\UpdateRingSettings.dll

Filesize
561KB

MD5
5f6beeed41bb1a68885cec47aecf1942

SHA1
32defc0c8efdb43f5d8ee6b7e851cb79d00ef5df

SHA256
e7802d8ee7f09c3d2c159bfc387842f0f5ef38753f75efc5da21e4a3e298decf

SHA512
07b4f5b67dd31841cb63f2deb61fdf413c7bd797b7c8fbf0a3c690f2e5ca35dc4ffed3a89f474a3c60d95bad2ed6069bc2c1ac5f8bc428f48fb2d630db6899de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\UpdateRingSettings.dll

Filesize
561KB

MD5
5f6beeed41bb1a68885cec47aecf1942

SHA1
32defc0c8efdb43f5d8ee6b7e851cb79d00ef5df

SHA256
e7802d8ee7f09c3d2c159bfc387842f0f5ef38753f75efc5da21e4a3e298decf

SHA512
07b4f5b67dd31841cb63f2deb61fdf413c7bd797b7c8fbf0a3c690f2e5ca35dc4ffed3a89f474a3c60d95bad2ed6069bc2c1ac5f8bc428f48fb2d630db6899de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\VCRUNTIME140.dll

Filesize
95KB

MD5
251bab3694c10f7705e7db0c6db87d2f

SHA1
d6c978b56232a189a4de1c88e05bbdc21ea4a6e8

SHA256
20c3e4f0de55ac7ed97ff99f06bfe1db6d1cbf4402ff3af85fa333586e84989d

SHA512
2ccfc6d405f00355523dbc28801eed1cf765bbe8f1687eb7c4705dfa1f849718f19acb413ad1630bca3edcca5d835746170fe3b23e14edd1802ace1e4b864696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\VCRUNTIME140_1.dll

Filesize
36KB

MD5
fb8f2dfc53a3dd3d841217ebdf54abf1

SHA1
2dcb8919b1df84b9b8b1de9887fbf5d767b7bcff

SHA256
79e7aa5832a28181876c00fce449697d8df4ae2bf56308571fff001b16ee6bbf

SHA512
7b8fca50ad58b9919053fb5479c0487a6cbbcd88caeccb911fc01e64814d6b73c15d0cd466c6604108ea583191360f729a59c934c1b6a22d8158e89dd2ccf37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\adal.dll

Filesize
1.4MB

MD5
15d935ca80cb49a3f061e9a8b4aa60ef

SHA1
c8978066dedc3a3e4d22edf42ba429121ed82e90

SHA256
5f8c3401b9a2af450fabbe531aa363f4ed0b45117379f30dd19c58258dd1ade8

SHA512
c54d213adc7ed0f6b71df90d7a72cf12e41ad30088415d600662563bbcfa99e586bac09aa1372191510fdd3b1fdd0903cb14491103ff65a5dee5494a747756b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\adal.dll

Filesize
1.4MB

MD5
15d935ca80cb49a3f061e9a8b4aa60ef

SHA1
c8978066dedc3a3e4d22edf42ba429121ed82e90

SHA256
5f8c3401b9a2af450fabbe531aa363f4ed0b45117379f30dd19c58258dd1ade8

SHA512
c54d213adc7ed0f6b71df90d7a72cf12e41ad30088415d600662563bbcfa99e586bac09aa1372191510fdd3b1fdd0903cb14491103ff65a5dee5494a747756b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
10c43c447f7b54e422762dbe7359de79

SHA1
676cae65210aac82b5031f701b8234be517b86d6

SHA256
439145080ac14d46220ef8786592c9732220bd2d63ff59879538bb65afe810ff

SHA512
42c590b2d6883867a69d596366be128a6fcb9c281c43a22a6fd0a654767f338b41509c263e79223e6666843572618a1d54caf857a99f7c21d8bae7e7be09080c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
10c43c447f7b54e422762dbe7359de79

SHA1
676cae65210aac82b5031f701b8234be517b86d6

SHA256
439145080ac14d46220ef8786592c9732220bd2d63ff59879538bb65afe810ff

SHA512
42c590b2d6883867a69d596366be128a6fcb9c281c43a22a6fd0a654767f338b41509c263e79223e6666843572618a1d54caf857a99f7c21d8bae7e7be09080c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\libssl-1_1-x64.dll

Filesize
682KB

MD5
f876ebac71bafb3ab52cea57874203e0

SHA1
6e2d2d59085b341ff68f304fe463db278568ae6e

SHA256
9fa131ac284f4a612d68681e1fde18fb85a91b133e3bbff83126949fe09fe8b8

SHA512
61f6e7eaa2bab4ffbf718a268d751355037e0f037dc6a6a2a235b3ef399b77b8bac6635a08250bce9be3c8c1c264e991d95b54eddf5323fca0e18dfb64d71aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\libssl-1_1-x64.dll

Filesize
682KB

MD5
f876ebac71bafb3ab52cea57874203e0

SHA1
6e2d2d59085b341ff68f304fe463db278568ae6e

SHA256
9fa131ac284f4a612d68681e1fde18fb85a91b133e3bbff83126949fe09fe8b8

SHA512
61f6e7eaa2bab4ffbf718a268d751355037e0f037dc6a6a2a235b3ef399b77b8bac6635a08250bce9be3c8c1c264e991d95b54eddf5323fca0e18dfb64d71aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\msvcp140.dll

Filesize
557KB

MD5
5e4239192ff5079bacf92c89f65f3c21

SHA1
46d8072f0c35f50ce92b248907778d71a4f34b5e

SHA256
c116bc8349ae9f6d479b89dd3a827606d12fff34b0d0a249f6594d194d79d195

SHA512
242da2426e58b429474c0762f87ffdb5d30c398eb46a5b8bba41b3664de2cd6f5e5cb340cc93e882d7564c979ac910a4d450894e2bdc51457b53df0029d6d89d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\msvcp140.dll

Filesize
557KB

MD5
5e4239192ff5079bacf92c89f65f3c21

SHA1
46d8072f0c35f50ce92b248907778d71a4f34b5e

SHA256
c116bc8349ae9f6d479b89dd3a827606d12fff34b0d0a249f6594d194d79d195

SHA512
242da2426e58b429474c0762f87ffdb5d30c398eb46a5b8bba41b3664de2cd6f5e5cb340cc93e882d7564c979ac910a4d450894e2bdc51457b53df0029d6d89d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\msvcp140_atomic_wait.dll

Filesize
55KB

MD5
ecf37f3231d5552b6968f3b25cf2ff07

SHA1
cf5a6236046e56215de1e262c5ab7ff1bb51eed5

SHA256
1583bbc399c921343ae9f9ca3be74a52b9478d971dcd1624d73a0d652bbd547d

SHA512
56593279751c52de360f963a5a25460260a630ba314cbd7b97f0f4d94c8be5f43ee9645fe40f677bd45a13d0137fdbfc43c43d9950ecb7990e81df4aa1a8a07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\vcruntime140.dll

Filesize
95KB

MD5
251bab3694c10f7705e7db0c6db87d2f

SHA1
d6c978b56232a189a4de1c88e05bbdc21ea4a6e8

SHA256
20c3e4f0de55ac7ed97ff99f06bfe1db6d1cbf4402ff3af85fa333586e84989d

SHA512
2ccfc6d405f00355523dbc28801eed1cf765bbe8f1687eb7c4705dfa1f849718f19acb413ad1630bca3edcca5d835746170fe3b23e14edd1802ace1e4b864696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\vcruntime140.dll

Filesize
95KB

MD5
251bab3694c10f7705e7db0c6db87d2f

SHA1
d6c978b56232a189a4de1c88e05bbdc21ea4a6e8

SHA256
20c3e4f0de55ac7ed97ff99f06bfe1db6d1cbf4402ff3af85fa333586e84989d

SHA512
2ccfc6d405f00355523dbc28801eed1cf765bbe8f1687eb7c4705dfa1f849718f19acb413ad1630bca3edcca5d835746170fe3b23e14edd1802ace1e4b864696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\vcruntime140_1.dll

Filesize
36KB

MD5
fb8f2dfc53a3dd3d841217ebdf54abf1

SHA1
2dcb8919b1df84b9b8b1de9887fbf5d767b7bcff

SHA256
79e7aa5832a28181876c00fce449697d8df4ae2bf56308571fff001b16ee6bbf

SHA512
7b8fca50ad58b9919053fb5479c0487a6cbbcd88caeccb911fc01e64814d6b73c15d0cd466c6604108ea583191360f729a59c934c1b6a22d8158e89dd2ccf37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\vcruntime140_1.dll

Filesize
36KB

MD5
fb8f2dfc53a3dd3d841217ebdf54abf1

SHA1
2dcb8919b1df84b9b8b1de9887fbf5d767b7bcff

SHA256
79e7aa5832a28181876c00fce449697d8df4ae2bf56308571fff001b16ee6bbf

SHA512
7b8fca50ad58b9919053fb5479c0487a6cbbcd88caeccb911fc01e64814d6b73c15d0cd466c6604108ea583191360f729a59c934c1b6a22d8158e89dd2ccf37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\vcruntime140_1.dll

Filesize
36KB

MD5
fb8f2dfc53a3dd3d841217ebdf54abf1

SHA1
2dcb8919b1df84b9b8b1de9887fbf5d767b7bcff

SHA256
79e7aa5832a28181876c00fce449697d8df4ae2bf56308571fff001b16ee6bbf

SHA512
7b8fca50ad58b9919053fb5479c0487a6cbbcd88caeccb911fc01e64814d6b73c15d0cd466c6604108ea583191360f729a59c934c1b6a22d8158e89dd2ccf37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.107.0521.0001\vcruntime140_1.dll

Filesize
36KB

MD5
fb8f2dfc53a3dd3d841217ebdf54abf1

SHA1
2dcb8919b1df84b9b8b1de9887fbf5d767b7bcff

SHA256
79e7aa5832a28181876c00fce449697d8df4ae2bf56308571fff001b16ee6bbf

SHA512
7b8fca50ad58b9919053fb5479c0487a6cbbcd88caeccb911fc01e64814d6b73c15d0cd466c6604108ea583191360f729a59c934c1b6a22d8158e89dd2ccf37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.Settings.db

Filesize
16KB

MD5
9caed8c96174ed88142f7436e5510143

SHA1
7f63c366f1326b142a767d92899a4943a014d7cc

SHA256
e1b72fdb6fb9da58322f43b4ac4d23a84be5800fefd87fea07b6895ce091fea6

SHA512
94f50b56085a5ee5638b9651fd9d8674dd90da1cffddc4ae5b8c3e86d915f6e4d71d461254c4ea16e9b3f4659bcc83c03b5013a3ac89924a6d324272d5fc4407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\settings\NucleusUpdateRingConfig.json

Filesize
74KB

MD5
fd3bfdbb42299877e334e2551f7ed7b8

SHA1
8a6757d6c3367141724759aaed13b2a01dcdc8ae

SHA256
d6e3cff30abd33747f3fb42ab4aae4a297a3d49caeddb980913aa3aa8d04594a

SHA512
8b763b48ce8308437047e33bb5cb74e05207c193c6d35bc77f02e4084ef66bf1ad9f2d524a2d65e6938b4a99f69ae07847e4294bf4ffa34e14c033c9d5687211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Filesize
4.0MB

MD5
7e01917fd596842fc8eaa63c66050363

SHA1
adf8a7bed48509bf6b170cfc4bac7e1f1f74c32f

SHA256
5cada5c75dd81608cad8c819c353e980cbd95fd6e2bc3cce1d379eec02543146

SHA512
a00b50d8a08dbb986d622f6a991d063d05ab07341713b7ec80f75874693141d4316ac9428be2e9120b13e4f4c562d520e5f01eb0f026c7910b4b214fd9560baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Filesize
4.0MB

MD5
7e01917fd596842fc8eaa63c66050363

SHA1
adf8a7bed48509bf6b170cfc4bac7e1f1f74c32f

SHA256
5cada5c75dd81608cad8c819c353e980cbd95fd6e2bc3cce1d379eec02543146

SHA512
a00b50d8a08dbb986d622f6a991d063d05ab07341713b7ec80f75874693141d4316ac9428be2e9120b13e4f4c562d520e5f01eb0f026c7910b4b214fd9560baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
58.3MB

MD5
e8e4139d999a7ddb1d5ebcc031c9c812

SHA1
d3ac821ee3238d54e020f926182a666f919d0441

SHA256
b2d59ac23187e6bb48410052e8a1ef5970fab6a27a7cd60e80a2ccdf3c5d4798

SHA512
7b6268c53fd8430afbccecc91cc87c68d15203baa6162137a0f168c6822c952c708ba5c69ca7769f9e43ee673bd4fcbbc94eb5a18842e1d7fed9a1f9ca962cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
58.3MB

MD5
e8e4139d999a7ddb1d5ebcc031c9c812

SHA1
d3ac821ee3238d54e020f926182a666f919d0441

SHA256
b2d59ac23187e6bb48410052e8a1ef5970fab6a27a7cd60e80a2ccdf3c5d4798

SHA512
7b6268c53fd8430afbccecc91cc87c68d15203baa6162137a0f168c6822c952c708ba5c69ca7769f9e43ee673bd4fcbbc94eb5a18842e1d7fed9a1f9ca962cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
58.3MB

MD5
e8e4139d999a7ddb1d5ebcc031c9c812

SHA1
d3ac821ee3238d54e020f926182a666f919d0441

SHA256
b2d59ac23187e6bb48410052e8a1ef5970fab6a27a7cd60e80a2ccdf3c5d4798

SHA512
7b6268c53fd8430afbccecc91cc87c68d15203baa6162137a0f168c6822c952c708ba5c69ca7769f9e43ee673bd4fcbbc94eb5a18842e1d7fed9a1f9ca962cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
58.3MB

MD5
e8e4139d999a7ddb1d5ebcc031c9c812

SHA1
d3ac821ee3238d54e020f926182a666f919d0441

SHA256
b2d59ac23187e6bb48410052e8a1ef5970fab6a27a7cd60e80a2ccdf3c5d4798

SHA512
7b6268c53fd8430afbccecc91cc87c68d15203baa6162137a0f168c6822c952c708ba5c69ca7769f9e43ee673bd4fcbbc94eb5a18842e1d7fed9a1f9ca962cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

Filesize
74KB

MD5
fd3bfdbb42299877e334e2551f7ed7b8

SHA1
8a6757d6c3367141724759aaed13b2a01dcdc8ae

SHA256
d6e3cff30abd33747f3fb42ab4aae4a297a3d49caeddb980913aa3aa8d04594a

SHA512
8b763b48ce8308437047e33bb5cb74e05207c193c6d35bc77f02e4084ef66bf1ad9f2d524a2d65e6938b4a99f69ae07847e4294bf4ffa34e14c033c9d5687211

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91D0.tmp

Filesize
53.1MB

MD5
27bc2110acc80333efa8b652151d56a6

SHA1
f7db132c55db4bcbf11b71be48c4b66413d042a0

SHA256
a4c793654eb6a2d4c92096496b437e2baf637efb119cb2ec00bbdc54d56e3c5b

SHA512
228d6e2f7b18121014f94f6367b2406be2dfcac08e07330f3fd9f60d620d540c54397ccaba7c839760aca4e490f9a820247afeb6db31d5eaf7574e901716ba03

Download Submit