c8ca2199aabae9af5c59e658d11a41f76af4576204c23bf5762825171c56e5e8

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2023, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OneDriveStandaloneUpdater.exe
Size

3.9MB
MD5

1f53141e8051d6ca7545dcb0f42c99a5
SHA1

579574aaf2cf9d91e480129829f660213373f070
SHA256

48d9e16fcac51fb4e586e4e3125bf4a788bdbc5f699a88028dcd638638b863c5
SHA512

02eb9d9e59c467067698001507400b0eda0d0b191baaf76abb7724274776ee8b106785c4879e96d560ef13862032b2fea2f3a75393ca79ae534ac2207bd042c8
SSDEEP

49152:KjF6hNYMncP9xXW3OjbG4YjTPwvgngf5AVnUZX8nnnjHW8DXpcxGzy691J6kcTGJ:DJWXX1gH5Dugy6AW

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	OneDriveStandaloneUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2840	OneDriveStandaloneUpdater.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 18 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveStandaloneUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveStandaloneUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Locales\id.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Locales\pt-BR.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\mt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\gd.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\he.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\VisualElements\LogoCanary.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\es-419.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\ne.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\ffmpeg.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Trust Protection Lists\Mu\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\identity_proxy\win10\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Locales\qu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU24AA.tmp\psuser_64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU24AA.tmp\MicrosoftEdgeUpdateCore.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\ar.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\notification_helper.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\msedge.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\identity_proxy\win10\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Locales\da.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1856_1032319657\MSEDGE.7z	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\edge_feedback\camera_mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Locales\mi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\msedge.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU24AA.tmp\msedgeupdateres_ms.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Notifications\SoftLandingAssetDark.gif	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.183\Locales\mt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\learning_tools.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Trust Protection Lists\Mu\LICENSE	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\libEGL.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Notifications\SoftLandingAssetLight.gif	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU24AA.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\show_third_party_software_licenses.bat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\identity_proxy\beta.identity_helper.exe.manifest	setup.exe

Executes dropped EXE 19 IoCs

pid	Process
3660	OneDriveSetup.exe
2412	OneDriveSetup.exe
3736	FileSyncConfig.exe
2920	OneDriveStandaloneUpdater.exe
4796	Microsoft.SharePoint.exe
3352	MicrosoftEdgeWebview2Setup.exe
5016	MicrosoftEdgeUpdate.exe
5004	MicrosoftEdgeUpdate.exe
3648	MicrosoftEdgeUpdate.exe
660	MicrosoftEdgeUpdateComRegisterShell64.exe
1488	MicrosoftEdgeUpdateComRegisterShell64.exe
2992	MicrosoftEdgeUpdateComRegisterShell64.exe
1840	MicrosoftEdgeUpdate.exe
1808	MicrosoftEdgeUpdate.exe
1216	MicrosoftEdgeUpdate.exe
1404	MicrosoftEdgeUpdate.exe
636	MicrosoftEdge_X64_115.0.1901.183.exe
1856	setup.exe
4632	MicrosoftEdgeUpdate.exe

Loads dropped DLL 55 IoCs

pid	Process
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
3736	FileSyncConfig.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
4796	Microsoft.SharePoint.exe
5016	MicrosoftEdgeUpdate.exe
5004	MicrosoftEdgeUpdate.exe
3648	MicrosoftEdgeUpdate.exe
660	MicrosoftEdgeUpdateComRegisterShell64.exe
3648	MicrosoftEdgeUpdate.exe
1488	MicrosoftEdgeUpdateComRegisterShell64.exe
3648	MicrosoftEdgeUpdate.exe
2992	MicrosoftEdgeUpdateComRegisterShell64.exe
3648	MicrosoftEdgeUpdate.exe
1840	MicrosoftEdgeUpdate.exe
1808	MicrosoftEdgeUpdate.exe
1216	MicrosoftEdgeUpdate.exe
1216	MicrosoftEdgeUpdate.exe
1808	MicrosoftEdgeUpdate.exe
1404	MicrosoftEdgeUpdate.exe
4632	MicrosoftEdgeUpdate.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{0827D883-485C-4D62-BA2C-A332DBF3D4B0}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{F37369D9-1C22-40A0-A997-0B4D5F7B6637}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F795C339-932E-4B24-85B3-C7865BE4C1B9}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{07CA83F0-DF06-4E67-89DD-E80924A49512}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileSyncShell64.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{F37369D9-1C22-40A0-A997-0B4D5F7B6637}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F795C339-932E-4B24-85B3-C7865BE4C1B9}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F795C339-932E-4B24-85B3-C7865BE4C1B9}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\i386\\FileCoAuthLib.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.137.0702.0001\\FileCoAuth.exe\""	OneDriveSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4224	3672	WerFault.exe	46

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\mssharepointclient\DefaultIcon	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\INTERFACE\{F0440F4E-4884-4A8F-8A45-BA89C00F96F2}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ = "ISyncChangesCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\Interface\{886DFE8E-D1BB-4062-B7C6-57DA328A37F8}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\OOBEREQUESTHANDLER.OOBEREQUESTHANDLER\CLSID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ = "ISyncEngineDeviceNotifications"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\VersionIndependentProgID\ = "FileSyncClient.AutoPlayHandler"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Interface\{54034913-37F9-4E26-8646-3D2EF536C786}	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_CLASSES\WOW6432NODE\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\TYPELIB	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2840	OneDriveStandaloneUpdater.exe
2840	OneDriveStandaloneUpdater.exe
2840	OneDriveStandaloneUpdater.exe
2840	OneDriveStandaloneUpdater.exe
2840	OneDriveStandaloneUpdater.exe
2840	OneDriveStandaloneUpdater.exe
3660	OneDriveSetup.exe
3660	OneDriveSetup.exe
3660	OneDriveSetup.exe
3660	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
2412	OneDriveSetup.exe
5016	MicrosoftEdgeUpdate.exe
5016	MicrosoftEdgeUpdate.exe
5016	MicrosoftEdgeUpdate.exe
5016	MicrosoftEdgeUpdate.exe
5016	MicrosoftEdgeUpdate.exe
5016	MicrosoftEdgeUpdate.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2840	OneDriveStandaloneUpdater.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3672	Process not Found
Token: SeShutdownPrivilege	3672	Process not Found
Token: SeIncreaseQuotaPrivilege	3660	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	2412	OneDriveSetup.exe
Token: SeDebugPrivilege	5016	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5016	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3660	2840	OneDriveStandaloneUpdater.exe	100
PID 2840 wrote to memory of 3660	2840	OneDriveStandaloneUpdater.exe	100
PID 2412 wrote to memory of 3736	2412	OneDriveSetup.exe	106
PID 2412 wrote to memory of 3736	2412	OneDriveSetup.exe	106
PID 2412 wrote to memory of 2920	2412	OneDriveSetup.exe	108
PID 2412 wrote to memory of 2920	2412	OneDriveSetup.exe	108
PID 2920 wrote to memory of 3352	2920	OneDriveStandaloneUpdater.exe	110
PID 2920 wrote to memory of 3352	2920	OneDriveStandaloneUpdater.exe	110
PID 2920 wrote to memory of 3352	2920	OneDriveStandaloneUpdater.exe	110
PID 3352 wrote to memory of 5016	3352	MicrosoftEdgeWebview2Setup.exe	111
PID 3352 wrote to memory of 5016	3352	MicrosoftEdgeWebview2Setup.exe	111
PID 3352 wrote to memory of 5016	3352	MicrosoftEdgeWebview2Setup.exe	111
PID 5016 wrote to memory of 5004	5016	MicrosoftEdgeUpdate.exe	112
PID 5016 wrote to memory of 5004	5016	MicrosoftEdgeUpdate.exe	112
PID 5016 wrote to memory of 5004	5016	MicrosoftEdgeUpdate.exe	112
PID 5016 wrote to memory of 3648	5016	MicrosoftEdgeUpdate.exe	113
PID 5016 wrote to memory of 3648	5016	MicrosoftEdgeUpdate.exe	113
PID 5016 wrote to memory of 3648	5016	MicrosoftEdgeUpdate.exe	113
PID 3648 wrote to memory of 660	3648	MicrosoftEdgeUpdate.exe	114
PID 3648 wrote to memory of 660	3648	MicrosoftEdgeUpdate.exe	114
PID 3648 wrote to memory of 1488	3648	MicrosoftEdgeUpdate.exe	115
PID 3648 wrote to memory of 1488	3648	MicrosoftEdgeUpdate.exe	115
PID 3648 wrote to memory of 2992	3648	MicrosoftEdgeUpdate.exe	116
PID 3648 wrote to memory of 2992	3648	MicrosoftEdgeUpdate.exe	116
PID 5016 wrote to memory of 1840	5016	MicrosoftEdgeUpdate.exe	117
PID 5016 wrote to memory of 1840	5016	MicrosoftEdgeUpdate.exe	117
PID 5016 wrote to memory of 1840	5016	MicrosoftEdgeUpdate.exe	117
PID 5016 wrote to memory of 1808	5016	MicrosoftEdgeUpdate.exe	118
PID 5016 wrote to memory of 1808	5016	MicrosoftEdgeUpdate.exe	118
PID 5016 wrote to memory of 1808	5016	MicrosoftEdgeUpdate.exe	118
PID 1216 wrote to memory of 1404	1216	MicrosoftEdgeUpdate.exe	120
PID 1216 wrote to memory of 1404	1216	MicrosoftEdgeUpdate.exe	120
PID 1216 wrote to memory of 1404	1216	MicrosoftEdgeUpdate.exe	120
PID 1216 wrote to memory of 636	1216	MicrosoftEdgeUpdate.exe	121
PID 1216 wrote to memory of 636	1216	MicrosoftEdgeUpdate.exe	121
PID 636 wrote to memory of 1856	636	MicrosoftEdge_X64_115.0.1901.183.exe	122
PID 636 wrote to memory of 1856	636	MicrosoftEdge_X64_115.0.1901.183.exe	122
PID 1216 wrote to memory of 4632	1216	MicrosoftEdgeUpdate.exe	123
PID 1216 wrote to memory of 4632	1216	MicrosoftEdgeUpdate.exe	123
PID 1216 wrote to memory of 4632	1216	MicrosoftEdgeUpdate.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update /updateSource:ODSU
  2⤵
  - Checks system information in the registry
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /updateSource:ODSU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix
    3⤵
    - Adds Run key to start application
    - Checks computer location settings
    - Checks system information in the registry
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:3736
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /installWebView2
      4⤵
      Checks system information in the registry
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe /silent /install
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\Program Files (x86)\Microsoft\Temp\EU24AA.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU24AA.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        6⤵
        Sets file execution options in registry
        Checks computer location settings
        Checks system information in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5004
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:660
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2992
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzcuMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTA1NDk0OTctN0M0Ni00QUNELTkyQzYtNERGNDAzQjZFNDQxfSIgdXNlcmlkPSJ7MUNFQzZEMjktODdDMC00NDg2LThDOUItNEQzNUI3M0RCQzYxfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntENTYwOUIzNS05NjIwLTRFNkYtOThEMS1FNzkwNDRGMjExOER9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTQ3LjM3IiBuZXh0dmVyc2lvbj0iMS4zLjE3Ny4xMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE1NDc5NTA4MyIgaW5zdGFsbF90aW1lX21zPSIxMjY1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        7⤵
        Checks system information in the registry
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1840
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{E0549497-7C46-4ACD-92C6-4DF403B6E441}" /silent
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1808
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Microsoft.SharePoint.exe
      /silentConfig
      4⤵
      Checks system information in the registry
      Executes dropped EXE
      Loads dropped DLL
      PID:4796

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzcuMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTA1NDk0OTctN0M0Ni00QUNELTkyQzYtNERGNDAzQjZFNDQxfSIgdXNlcmlkPSJ7MUNFQzZEMjktODdDMC00NDg2LThDOUItNEQzNUI3M0RCQzYxfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyMDFBOTc3Mi00Q0I2LTQ1OEItODcyQi0zNUMwMEEzNTNCRDl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE2NzYwODUwOCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Checks system information in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1404
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9ADF320D-6AAD-4499-B928-8C07196AC54E}\MicrosoftEdge_X64_115.0.1901.183.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9ADF320D-6AAD-4499-B928-8C07196AC54E}\MicrosoftEdge_X64_115.0.1901.183.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9ADF320D-6AAD-4499-B928-8C07196AC54E}\EDGEMITMP_D6E9A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9ADF320D-6AAD-4499-B928-8C07196AC54E}\EDGEMITMP_D6E9A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9ADF320D-6AAD-4499-B928-8C07196AC54E}\MicrosoftEdge_X64_115.0.1901.183.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:1856
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzcuMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTA1NDk0OTctN0M0Ni00QUNELTkyQzYtNERGNDAzQjZFNDQxfSIgdXNlcmlkPSJ7MUNFQzZEMjktODdDMC00NDg2LThDOUItNEQzNUI3M0RCQzYxfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntCQjI3NDJBRS1BRjZELTQ0RTktQTE5QS02QTRCQkIzMEQxQUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMTUuMC4xOTAxLjE4MyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE4NTczMzAwOCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxODY1MTQ3NzIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzQ5MTcwODI1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy83YzFlMTc1My0yMjkzLTQ2NDItODc3ZS01M2MyMDJjNmI0ODQ_UDE9MTY5MDY1NjE5NyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1idHgwc2taRERoTjI5YjZtJTJmejVGek5wY2xQOG96OHlxUERxVmNyRGNVV2g0N0xPJTJmYmRpZDZTN2x6dnlxMEJKeE5YbnQ4NnRRcEVSNW1scVBqR2FGdFElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNTA3NzcyODgiIHRvdGFsPSIxNTA3NzcyODgiIGRvd25sb2FkX3RpbWVfbXM9IjExMDE2Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTM0OTMyNjg1NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzNjQxNzEzMzYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2MjgzODkzMjkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMTI1IiBkb3dubG9hZF90aW1lX21zPSIxNjI2NiIgZG93bmxvYWRlZD0iMTUwNzc3Mjg4IiB0b3RhbD0iMTUwNzc3Mjg4IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSIyNjQyMiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Checks system information in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 3672 -ip 3672
1⤵
PID:4608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3672 -s 516
1⤵
- Program crash
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.183\Installer\setup.exe

Filesize
3.5MB

MD5
d463c9c3651f1be4f789b6eb02f6784f

SHA1
223311a9f809158d33c377eb18d0163c6dedb207

SHA256
fb55843e093c83d347e36e15a10d36b9973410261395f7f7ed3850b0c576bcd9

SHA512
7586df47344821e6823c7f5e1e5291210be613dc1cff78315cd0358c7b9d85f19aa57403573234aad0162ff3eb3795f7f7196cf95575f4b7089e20dbeba62ad2

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\115.0.1901.183\MicrosoftEdge_X64_115.0.1901.183.exe

Filesize
143.8MB

MD5
879842ed39f030bbcd770fcc1baa9a09

SHA1
d67dd62d30ee28e964cab3972b1eeb8b4102e1cb

SHA256
074c1a1e86497333b3c166a9b5dd648d77c48593c218fccae876d27048abc4a6

SHA512
ccb3d8ae440935002ac10ff7987a68cb0245a90d62daa25844877b92bc2dd93a5be0b049cac850a8dad402b2d0e5ceb6322fb875589cfcc967a57484a079f67b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
d182a0d12ca3a95fe1f2f5134861ae1b

SHA1
0c5f3e8a767a2b5ab7510d6139f47336e333e906

SHA256
14ba66344ddd4816d823d5ecc97bf94da5d441299401e8955f44b1df7969be06

SHA512
ab33ae1e3684c40b1a1d801d8b0ad8e0d624c9b3db60945a0c30a3efa02a2d69d284620859421407c9891db0fab4c4c57ece10b22b7b801dcb34ccd6f4ea2f12

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
63KB

MD5
4fda56feb9d6527870116940b95160d7

SHA1
0f54a8ece5472f06448a65f34ba672df0f2fae76

SHA256
0c9018782ff59bba8285f8fc944488d6f0fe0184ef07f36f587426f1f99314fd

SHA512
843cf7180259112b8033fb132355f6c816247cc81f5bf18505592a1ddb6fa484414aa33cff9b18d647429043ed7f945161014f61a46cb177d61fb818faacc226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncConfig.exe

Filesize
722KB

MD5
5e6e1691de3db0b88f191ef11f001771

SHA1
6979019562aee02553341f6bc1de52bf2609e688

SHA256
08fa1156ce10aaabeb16f923f8389626829ddc4f9c12ac7f5a78277ad613783b

SHA512
8cc4d840250c9c4b2e1564b7b4424ca14f56d71084b4ac8f32a3b653a6952533a1b2a0dca31a9bfadd4290b5d3cd312119318b91ca2d7ef0e1ca05935b419a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncConfig.exe

Filesize
722KB

MD5
5e6e1691de3db0b88f191ef11f001771

SHA1
6979019562aee02553341f6bc1de52bf2609e688

SHA256
08fa1156ce10aaabeb16f923f8389626829ddc4f9c12ac7f5a78277ad613783b

SHA512
8cc4d840250c9c4b2e1564b7b4424ca14f56d71084b4ac8f32a3b653a6952533a1b2a0dca31a9bfadd4290b5d3cd312119318b91ca2d7ef0e1ca05935b419a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncFS.DLL

Filesize
729KB

MD5
685af70532508f22c778ae4ed4432b9d

SHA1
f0b79cdd244208aba65b4f5159f969ef8adb6dcc

SHA256
e843f1fd3922981306636619b31cd14b19979185d7d52a0e4caec7c5509e881f

SHA512
3aa706c8ae435ebf9434408802e54de6433cfa072c706640eca7c9f1d560b0527badc30ddd84e7eb14cfd52e6c6e9479e1870b9aeced2205f038441f4c76aa3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncFS.dll

Filesize
729KB

MD5
685af70532508f22c778ae4ed4432b9d

SHA1
f0b79cdd244208aba65b4f5159f969ef8adb6dcc

SHA256
e843f1fd3922981306636619b31cd14b19979185d7d52a0e4caec7c5509e881f

SHA512
3aa706c8ae435ebf9434408802e54de6433cfa072c706640eca7c9f1d560b0527badc30ddd84e7eb14cfd52e6c6e9479e1870b9aeced2205f038441f4c76aa3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncFS.dll

Filesize
729KB

MD5
685af70532508f22c778ae4ed4432b9d

SHA1
f0b79cdd244208aba65b4f5159f969ef8adb6dcc

SHA256
e843f1fd3922981306636619b31cd14b19979185d7d52a0e4caec7c5509e881f

SHA512
3aa706c8ae435ebf9434408802e54de6433cfa072c706640eca7c9f1d560b0527badc30ddd84e7eb14cfd52e6c6e9479e1870b9aeced2205f038441f4c76aa3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncHost.DLL

Filesize
416KB

MD5
9358006cfcd65f7435dfd1dbfacea474

SHA1
f35ddbb7a901acecdcf996f6d20282067b3738cd

SHA256
47593a99bd4385e95654ec20d8a916d5266922af9259dedfb0d5d1110ac3764f

SHA512
5b3e5eff45fb2e2f934dc832ab086320fa404ddd9d6c976d232300ba2a125f379ea3a4369c6887f8e4e19f6306da50e4f415b2700f4070ebbe163870cb60ffbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncHost.dll

Filesize
416KB

MD5
9358006cfcd65f7435dfd1dbfacea474

SHA1
f35ddbb7a901acecdcf996f6d20282067b3738cd

SHA256
47593a99bd4385e95654ec20d8a916d5266922af9259dedfb0d5d1110ac3764f

SHA512
5b3e5eff45fb2e2f934dc832ab086320fa404ddd9d6c976d232300ba2a125f379ea3a4369c6887f8e4e19f6306da50e4f415b2700f4070ebbe163870cb60ffbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncHost.dll

Filesize
416KB

MD5
9358006cfcd65f7435dfd1dbfacea474

SHA1
f35ddbb7a901acecdcf996f6d20282067b3738cd

SHA256
47593a99bd4385e95654ec20d8a916d5266922af9259dedfb0d5d1110ac3764f

SHA512
5b3e5eff45fb2e2f934dc832ab086320fa404ddd9d6c976d232300ba2a125f379ea3a4369c6887f8e4e19f6306da50e4f415b2700f4070ebbe163870cb60ffbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncSessions.dll

Filesize
5.6MB

MD5
da4458bfa74585b5a03876ef9f519aea

SHA1
33ea805e683647945d5a0fa3719ad51eef4d0088

SHA256
a9c324524d0af0e5c16f69178b532d1ab956f89332d14a07407e46693b1b24aa

SHA512
898144bc951e9e30d2110678a2368a0b97b32361400664be90da652f449825dfaa6de8f18b13244726665e9cbff5684d5b7bb93913860a827eb414deef2baccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncSessions.dll

Filesize
5.6MB

MD5
da4458bfa74585b5a03876ef9f519aea

SHA1
33ea805e683647945d5a0fa3719ad51eef4d0088

SHA256
a9c324524d0af0e5c16f69178b532d1ab956f89332d14a07407e46693b1b24aa

SHA512
898144bc951e9e30d2110678a2368a0b97b32361400664be90da652f449825dfaa6de8f18b13244726665e9cbff5684d5b7bb93913860a827eb414deef2baccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncSessions.dll

Filesize
5.6MB

MD5
da4458bfa74585b5a03876ef9f519aea

SHA1
33ea805e683647945d5a0fa3719ad51eef4d0088

SHA256
a9c324524d0af0e5c16f69178b532d1ab956f89332d14a07407e46693b1b24aa

SHA512
898144bc951e9e30d2110678a2368a0b97b32361400664be90da652f449825dfaa6de8f18b13244726665e9cbff5684d5b7bb93913860a827eb414deef2baccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncSqlite3.dll

Filesize
633KB

MD5
0635f5d79cfba056302679de990f1601

SHA1
1f4319687a61d761a144d2d894099dc173788027

SHA256
c3988a58a4711bbd8831f7ea140479358c6c82b0302d9b7731b3ebaf14b66f9c

SHA512
5823e33995558b9c7c91509921835ba67bb696296a285a32e6de6f4115e978226870c9bad64f06a588eb3648ac27388da7d0c1b6b9a942b43a536f09df70c2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncSqlite3.dll

Filesize
633KB

MD5
0635f5d79cfba056302679de990f1601

SHA1
1f4319687a61d761a144d2d894099dc173788027

SHA256
c3988a58a4711bbd8831f7ea140479358c6c82b0302d9b7731b3ebaf14b66f9c

SHA512
5823e33995558b9c7c91509921835ba67bb696296a285a32e6de6f4115e978226870c9bad64f06a588eb3648ac27388da7d0c1b6b9a942b43a536f09df70c2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncSqlite3.dll

Filesize
633KB

MD5
0635f5d79cfba056302679de990f1601

SHA1
1f4319687a61d761a144d2d894099dc173788027

SHA256
c3988a58a4711bbd8831f7ea140479358c6c82b0302d9b7731b3ebaf14b66f9c

SHA512
5823e33995558b9c7c91509921835ba67bb696296a285a32e6de6f4115e978226870c9bad64f06a588eb3648ac27388da7d0c1b6b9a942b43a536f09df70c2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncTelemetryExtensions.dll

Filesize
461KB

MD5
4cf08fe7789253f7ff9e7baa13190639

SHA1
29447b21f7f9ee5071cda43d1343fc6b91553686

SHA256
a5caea5f00ca28b0f3e5b3101aa1565a66ffe238dcc2de783c3c7d991ab9585b

SHA512
1f9d80d235dd62f02defe774dc18dfa164a2ba235f9d7084337931b211f2c0373b32cfa6bf9a3e7f9545305dfcf9f47f1058fc3a29c4446d831304da5e1a3a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\FileSyncTelemetryExtensions.dll

Filesize
461KB

MD5
4cf08fe7789253f7ff9e7baa13190639

SHA1
29447b21f7f9ee5071cda43d1343fc6b91553686

SHA256
a5caea5f00ca28b0f3e5b3101aa1565a66ffe238dcc2de783c3c7d991ab9585b

SHA512
1f9d80d235dd62f02defe774dc18dfa164a2ba235f9d7084337931b211f2c0373b32cfa6bf9a3e7f9545305dfcf9f47f1058fc3a29c4446d831304da5e1a3a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogUploader.dll

Filesize
979KB

MD5
123faa959489f51ed9acccc72ee8dd0e

SHA1
a012caceefec6b106e1ea4cb79076ded6719e0ab

SHA256
1a5447f970846d7d76526cad59dd2a38eb35744e8f3c8ccbeea692bebb3747ee

SHA512
07d841599a01974356cee7ea11ecbfafe8bbce20ab445a144ec1ccfe4fd71e56136e2cf8962085959e36ffa53550603eb99aade0f3c3f2b1cbafac326fd2b199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogUploader.dll

Filesize
979KB

MD5
123faa959489f51ed9acccc72ee8dd0e

SHA1
a012caceefec6b106e1ea4cb79076ded6719e0ab

SHA256
1a5447f970846d7d76526cad59dd2a38eb35744e8f3c8ccbeea692bebb3747ee

SHA512
07d841599a01974356cee7ea11ecbfafe8bbce20ab445a144ec1ccfe4fd71e56136e2cf8962085959e36ffa53550603eb99aade0f3c3f2b1cbafac326fd2b199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LoggingPlatform.DLL

Filesize
637KB

MD5
f08c439601e810d76d66b712963d082d

SHA1
25d01d477f6ca9eb8a16847f4d05228aaa5e8246

SHA256
cae410046b2ae750462e97d200ce663408da28f79fd876daccc31ec4fbbb9dbd

SHA512
29ab860355ae372c7d1dac67cc3037f5cc539c8b8847b9efc828c083af64e96db0280777064b84e2adfc93da30c4999e145b0052e791075bd696146afad6e506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LoggingPlatform.dll

Filesize
637KB

MD5
f08c439601e810d76d66b712963d082d

SHA1
25d01d477f6ca9eb8a16847f4d05228aaa5e8246

SHA256
cae410046b2ae750462e97d200ce663408da28f79fd876daccc31ec4fbbb9dbd

SHA512
29ab860355ae372c7d1dac67cc3037f5cc539c8b8847b9efc828c083af64e96db0280777064b84e2adfc93da30c4999e145b0052e791075bd696146afad6e506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LoggingPlatform.dll

Filesize
637KB

MD5
f08c439601e810d76d66b712963d082d

SHA1
25d01d477f6ca9eb8a16847f4d05228aaa5e8246

SHA256
cae410046b2ae750462e97d200ce663408da28f79fd876daccc31ec4fbbb9dbd

SHA512
29ab860355ae372c7d1dac67cc3037f5cc539c8b8847b9efc828c083af64e96db0280777064b84e2adfc93da30c4999e145b0052e791075bd696146afad6e506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\LogoImages\Resources.pri

Filesize
17.8MB

MD5
c692bad42473abb43c0c2fa596f98fa0

SHA1
758bc205d3f73c0ff30d39529b22f6cfda640301

SHA256
2b8970bbb8d89b030b71f4b9638aeb56c4543957e5bee7539e31180826e22a7f

SHA512
b2e62dd24c5b194bde5ffa5d4e4d58d80648936eadc393074a61427e128edaeb81f4aeab366957d8dcbacd596b0fbbf4fe8bec3a8c73382a77bd482ce62e09ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\MSVCP140.dll

Filesize
557KB

MD5
fac17d9a31c0eb6003f9e9a547fb2345

SHA1
95307155159463e396409c79a150582e91b36911

SHA256
12be3698b658e6ba30d74224f9f14e88c1e87fae3a82bf996ea77eed45c055e0

SHA512
60906dccf44329b770235268e65761a87a6c5d7571c3f0788492e24f3d37838eef7e1cd56df8a066db5f3414b8fba2ea4e5ca3bb338d45db6376caac063813e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\MSVCP140_ATOMIC_WAIT.dll

Filesize
55KB

MD5
042411f25be55d6bc88ca235f5d4092e

SHA1
edebbaa206bd1060310232c19fc2b7745ee5bedf

SHA256
625efc109b6c1aa4ca84ed0bfab7a05524ff416ca7c18a3fb577031e3dfb3514

SHA512
5c0b0bbdf0214be44d41937ce0d6a69d0b07f3acba6ba48dca23be8012329e7799016ead5125dd98c51084670714a04b7e3664fdfb358f098b02467fdf977a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Microsoft.SharePoint.Calc.dll

Filesize
912KB

MD5
dc22cd9a1aeb5bff926e80d79704807a

SHA1
8338e523a3f9a68a8864d393894fecb11f84d6c4

SHA256
4c9c14c83e6a556969e7df97181080e749a2954db5de7e225195202d698b36ab

SHA512
493f55968137caee2961cf450ec383117c48b9330c3855129107a406ac16830ee67d0857fcb5ffcf98856a2b8afb3052d4f6c6bc1cd7b385ad7d7993982149f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Microsoft.SharePoint.Calc.dll

Filesize
912KB

MD5
dc22cd9a1aeb5bff926e80d79704807a

SHA1
8338e523a3f9a68a8864d393894fecb11f84d6c4

SHA256
4c9c14c83e6a556969e7df97181080e749a2954db5de7e225195202d698b36ab

SHA512
493f55968137caee2961cf450ec383117c48b9330c3855129107a406ac16830ee67d0857fcb5ffcf98856a2b8afb3052d4f6c6bc1cd7b385ad7d7993982149f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Microsoft.SharePoint.WebSocketClient.dll

Filesize
1.2MB

MD5
a330632f99378c2c9c24224677d4fff9

SHA1
f094d35be0fc5dee5aec9742df5df529bf0324f8

SHA256
ead244309f7a86417abf3ba50a39bd5165c7b9740f52d1f11be537b4f48f1edd

SHA512
e66e0ae023fadfa0dcc1c0226cbd019d8e4253e08961310e40946101011d7b22737af2ac0a820bae220dc11db87530bafe8fc7265245e1875b917301be722af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Microsoft.SharePoint.WebSocketClient.dll

Filesize
1.2MB

MD5
a330632f99378c2c9c24224677d4fff9

SHA1
f094d35be0fc5dee5aec9742df5df529bf0324f8

SHA256
ead244309f7a86417abf3ba50a39bd5165c7b9740f52d1f11be537b4f48f1edd

SHA512
e66e0ae023fadfa0dcc1c0226cbd019d8e4253e08961310e40946101011d7b22737af2ac0a820bae220dc11db87530bafe8fc7265245e1875b917301be722af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Microsoft.SharePoint.dll

Filesize
15.2MB

MD5
d47b5cb341cef2e5a4b3b7faa1b32ab7

SHA1
d6304c86fa573fbeff8d77869b3395141a5d7dc5

SHA256
9330ef30809028a7544dc0d4d1a89ec056d5a0d69fd323d57ddc22e92b47495d

SHA512
fdee6205e484fed0d2f925584b84ffb0832ff85baba8113a05a14ecd424355c7bd68a8690bf6d77617bda0e3f95c1caf5779425640f7f9879b52e35dbc64a6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Microsoft.SharePoint.dll

Filesize
15.2MB

MD5
d47b5cb341cef2e5a4b3b7faa1b32ab7

SHA1
d6304c86fa573fbeff8d77869b3395141a5d7dc5

SHA256
9330ef30809028a7544dc0d4d1a89ec056d5a0d69fd323d57ddc22e92b47495d

SHA512
fdee6205e484fed0d2f925584b84ffb0832ff85baba8113a05a14ecd424355c7bd68a8690bf6d77617bda0e3f95c1caf5779425640f7f9879b52e35dbc64a6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Microsoft.SharePoint.exe

Filesize
546KB

MD5
11f77b47c19316fad5cfab80fa08ee45

SHA1
b8416affa10e4b0657e256efd5fb95babe680dd2

SHA256
e1a9f62d12472b4afd57beddf9f593f3cfdfc4d37ccf950333c09f22c87ed26b

SHA512
98298f30f5abdb13ca37244b0510f2df9e12dcb3de327b1c580b0f8575335b3f2579e81fc970307a371d841c89a47a8bbd9055d2faa19e6adad723cd587e57ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\OneDrive.exe

Filesize
2.5MB

MD5
174826c78c0aa36da1457e711e4c9e80

SHA1
56ee9857c7a0643d6f6d5e56c3f4689bb1499829

SHA256
159e208d7211b71b5dad89771bf1fc047de839bcb8e68475f248a051d2ebaa02

SHA512
1a8b837459bc16aed3d4ccba26916c6d48e92b0668ec12871e95d5faffe7067436912e40a38b20b1eabc628b63f7c56ac0105342dbe76c75f49c5851bc213a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\OneDriveStandaloneUpdater.exe

Filesize
3.9MB

MD5
ce73de7d6ceec46735bb2294d5a2828e

SHA1
67c679c35d24ec0f5f31fe5acf258a6b97ea1135

SHA256
2f590d865a00a51ea3d11dbef06e6a480eeb314f34bb6634f722f36f83a399a0

SHA512
0a8050b32b3915e6d851daad8cd349625c5bf0add980b0fc75bff64c1d3d05e396f15b60edb8e78ca356cd5145a0f1de3d0b1f36b629c0ba075f7a6c6bb50b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\OneDriveTelemetryStable.dll

Filesize
2.2MB

MD5
5df8da4b22b8d734d476882b1434a89e

SHA1
e17956baee7e02096db1ef901d043005109c4330

SHA256
a9601c0a02d0db7fd10ebdd978a262042db6fa0c3b3dc49dbd4100365ac64a41

SHA512
dbc3a30cdadabac0f3ef24c500e2928b558c58bf807963c352e3dfd67cc0788e9062675e531e7fb33f7205d6905f6894272d8efdd74e6c3449576cbce97d57b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\OneDriveTelemetryStable.dll

Filesize
2.2MB

MD5
5df8da4b22b8d734d476882b1434a89e

SHA1
e17956baee7e02096db1ef901d043005109c4330

SHA256
a9601c0a02d0db7fd10ebdd978a262042db6fa0c3b3dc49dbd4100365ac64a41

SHA512
dbc3a30cdadabac0f3ef24c500e2928b558c58bf807963c352e3dfd67cc0788e9062675e531e7fb33f7205d6905f6894272d8efdd74e6c3449576cbce97d57b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Telemetry.dll

Filesize
586KB

MD5
8a028256ceba153813c6980acb617689

SHA1
a21a1c122fef03a2bff81d1c7753a9957510d7ed

SHA256
288aa69cd5916a797b27df33bc8861265d6e9a0fe6ddf9e507e13783d357b0c6

SHA512
77c028e238940648dd890fb1bf2342270d41cd9b7b4d3ca67a8fe556caf6b160a234286311460bb8f7aa7f2dc78f05c6e7619b14b077fa029d67c7e4c8bbb8cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Telemetry.dll

Filesize
586KB

MD5
8a028256ceba153813c6980acb617689

SHA1
a21a1c122fef03a2bff81d1c7753a9957510d7ed

SHA256
288aa69cd5916a797b27df33bc8861265d6e9a0fe6ddf9e507e13783d357b0c6

SHA512
77c028e238940648dd890fb1bf2342270d41cd9b7b4d3ca67a8fe556caf6b160a234286311460bb8f7aa7f2dc78f05c6e7619b14b077fa029d67c7e4c8bbb8cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\Telemetry.dll

Filesize
586KB

MD5
8a028256ceba153813c6980acb617689

SHA1
a21a1c122fef03a2bff81d1c7753a9957510d7ed

SHA256
288aa69cd5916a797b27df33bc8861265d6e9a0fe6ddf9e507e13783d357b0c6

SHA512
77c028e238940648dd890fb1bf2342270d41cd9b7b4d3ca67a8fe556caf6b160a234286311460bb8f7aa7f2dc78f05c6e7619b14b077fa029d67c7e4c8bbb8cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\UpdateRingSettings.dll

Filesize
564KB

MD5
e1b957a439c22ce094289fa5d86a12fd

SHA1
359d90780d70afa988d18e34008fa77f1daf7ee2

SHA256
494add0ad073f188b7eb25fca8c0bdaab1f7f2d3f266cfe80b6cfb53369a1e82

SHA512
15cc58de5000d78b645f567b4e2943d243eacd6d0b83552c67cdc22e7a4e059582c640b2923590676501f721d227648b583d723a43376dde61e3eed868963cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\UpdateRingSettings.dll

Filesize
564KB

MD5
e1b957a439c22ce094289fa5d86a12fd

SHA1
359d90780d70afa988d18e34008fa77f1daf7ee2

SHA256
494add0ad073f188b7eb25fca8c0bdaab1f7f2d3f266cfe80b6cfb53369a1e82

SHA512
15cc58de5000d78b645f567b4e2943d243eacd6d0b83552c67cdc22e7a4e059582c640b2923590676501f721d227648b583d723a43376dde61e3eed868963cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\UpdateRingSettings.dll

Filesize
564KB

MD5
e1b957a439c22ce094289fa5d86a12fd

SHA1
359d90780d70afa988d18e34008fa77f1daf7ee2

SHA256
494add0ad073f188b7eb25fca8c0bdaab1f7f2d3f266cfe80b6cfb53369a1e82

SHA512
15cc58de5000d78b645f567b4e2943d243eacd6d0b83552c67cdc22e7a4e059582c640b2923590676501f721d227648b583d723a43376dde61e3eed868963cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\VCRUNTIME140.dll

Filesize
95KB

MD5
098129066ffdc306e02dd14f8917e2c7

SHA1
fb2615b733110f4fc07a9cc8007b591614fd7144

SHA256
215c05ceed1890785fcdd0830354a28de8d273ee7a267d8ed13ba1044e1adc72

SHA512
3daa2178e2d5e54e152d42561f37bb57a17ba18861f35630f668cf631195642729d2c268f94e8934e616de674c219e3e61be317ed37a26065abe9bc6d81e69b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\VCRUNTIME140_1.dll

Filesize
36KB

MD5
b4769c3bc424c442b4c93449258095dc

SHA1
bc3a6a0ad09e70e07ee5b4be64f961acc13dced5

SHA256
ede9137d29111b55c4ddc23bcc76c552e7ae32bf0bf4fb67cba86de457b407f5

SHA512
19127687e06f0f20ea26c60de9eba81e471613953625c682685b472eb36cd67c77bf08f42a0f6eb55b4a1d5f0dc50b994618f5bbfc2fb17334d9c261a5d3346d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\adal.dll

Filesize
1.4MB

MD5
648aab26fba565f702ec25930e377e86

SHA1
800d51e8ad3306a60cbbfc5c17a34807aaa56c1b

SHA256
cd04fc843ae68fdbb4a63abbcdb58e4b6ec7558205e7fc46fcb75c4c9c9a9de2

SHA512
d7a652bfb3ed82b1f743eb988f23619d41d1b35de0bc283b66f65c91d177833d4dd66e0dec767316b707cf42ba9c7848f6842ed589ea87bd2fb0aa425a2ad619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\adal.dll

Filesize
1.4MB

MD5
648aab26fba565f702ec25930e377e86

SHA1
800d51e8ad3306a60cbbfc5c17a34807aaa56c1b

SHA256
cd04fc843ae68fdbb4a63abbcdb58e4b6ec7558205e7fc46fcb75c4c9c9a9de2

SHA512
d7a652bfb3ed82b1f743eb988f23619d41d1b35de0bc283b66f65c91d177833d4dd66e0dec767316b707cf42ba9c7848f6842ed589ea87bd2fb0aa425a2ad619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
a9bc6fedd50a941c22c79d5caee1a98a

SHA1
a3e55e0089a1af4b3cf3cec9f99736140f79651f

SHA256
ae1edda31cff6fa32d4566e09c9ced33665e2ffd5912d16bdcdb433bf6e18444

SHA512
b7f8c1190a53c71f2303f734dd248f581b618a9fbdc85a946bc1f07056f2364cbe02e7a0715809248c440a1932ade9e506015ee66d3566632a4e85158425451f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\msvcp140.dll

Filesize
557KB

MD5
fac17d9a31c0eb6003f9e9a547fb2345

SHA1
95307155159463e396409c79a150582e91b36911

SHA256
12be3698b658e6ba30d74224f9f14e88c1e87fae3a82bf996ea77eed45c055e0

SHA512
60906dccf44329b770235268e65761a87a6c5d7571c3f0788492e24f3d37838eef7e1cd56df8a066db5f3414b8fba2ea4e5ca3bb338d45db6376caac063813e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\msvcp140.dll

Filesize
557KB

MD5
fac17d9a31c0eb6003f9e9a547fb2345

SHA1
95307155159463e396409c79a150582e91b36911

SHA256
12be3698b658e6ba30d74224f9f14e88c1e87fae3a82bf996ea77eed45c055e0

SHA512
60906dccf44329b770235268e65761a87a6c5d7571c3f0788492e24f3d37838eef7e1cd56df8a066db5f3414b8fba2ea4e5ca3bb338d45db6376caac063813e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\msvcp140_atomic_wait.dll

Filesize
55KB

MD5
042411f25be55d6bc88ca235f5d4092e

SHA1
edebbaa206bd1060310232c19fc2b7745ee5bedf

SHA256
625efc109b6c1aa4ca84ed0bfab7a05524ff416ca7c18a3fb577031e3dfb3514

SHA512
5c0b0bbdf0214be44d41937ce0d6a69d0b07f3acba6ba48dca23be8012329e7799016ead5125dd98c51084670714a04b7e3664fdfb358f098b02467fdf977a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\msvcp140_atomic_wait.dll

Filesize
55KB

MD5
042411f25be55d6bc88ca235f5d4092e

SHA1
edebbaa206bd1060310232c19fc2b7745ee5bedf

SHA256
625efc109b6c1aa4ca84ed0bfab7a05524ff416ca7c18a3fb577031e3dfb3514

SHA512
5c0b0bbdf0214be44d41937ce0d6a69d0b07f3acba6ba48dca23be8012329e7799016ead5125dd98c51084670714a04b7e3664fdfb358f098b02467fdf977a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\vcruntime140.dll

Filesize
95KB

MD5
098129066ffdc306e02dd14f8917e2c7

SHA1
fb2615b733110f4fc07a9cc8007b591614fd7144

SHA256
215c05ceed1890785fcdd0830354a28de8d273ee7a267d8ed13ba1044e1adc72

SHA512
3daa2178e2d5e54e152d42561f37bb57a17ba18861f35630f668cf631195642729d2c268f94e8934e616de674c219e3e61be317ed37a26065abe9bc6d81e69b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\vcruntime140.dll

Filesize
95KB

MD5
098129066ffdc306e02dd14f8917e2c7

SHA1
fb2615b733110f4fc07a9cc8007b591614fd7144

SHA256
215c05ceed1890785fcdd0830354a28de8d273ee7a267d8ed13ba1044e1adc72

SHA512
3daa2178e2d5e54e152d42561f37bb57a17ba18861f35630f668cf631195642729d2c268f94e8934e616de674c219e3e61be317ed37a26065abe9bc6d81e69b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\vcruntime140.dll

Filesize
95KB

MD5
098129066ffdc306e02dd14f8917e2c7

SHA1
fb2615b733110f4fc07a9cc8007b591614fd7144

SHA256
215c05ceed1890785fcdd0830354a28de8d273ee7a267d8ed13ba1044e1adc72

SHA512
3daa2178e2d5e54e152d42561f37bb57a17ba18861f35630f668cf631195642729d2c268f94e8934e616de674c219e3e61be317ed37a26065abe9bc6d81e69b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\vcruntime140.dll

Filesize
95KB

MD5
098129066ffdc306e02dd14f8917e2c7

SHA1
fb2615b733110f4fc07a9cc8007b591614fd7144

SHA256
215c05ceed1890785fcdd0830354a28de8d273ee7a267d8ed13ba1044e1adc72

SHA512
3daa2178e2d5e54e152d42561f37bb57a17ba18861f35630f668cf631195642729d2c268f94e8934e616de674c219e3e61be317ed37a26065abe9bc6d81e69b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\vcruntime140_1.dll

Filesize
36KB

MD5
b4769c3bc424c442b4c93449258095dc

SHA1
bc3a6a0ad09e70e07ee5b4be64f961acc13dced5

SHA256
ede9137d29111b55c4ddc23bcc76c552e7ae32bf0bf4fb67cba86de457b407f5

SHA512
19127687e06f0f20ea26c60de9eba81e471613953625c682685b472eb36cd67c77bf08f42a0f6eb55b4a1d5f0dc50b994618f5bbfc2fb17334d9c261a5d3346d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\vcruntime140_1.dll

Filesize
36KB

MD5
b4769c3bc424c442b4c93449258095dc

SHA1
bc3a6a0ad09e70e07ee5b4be64f961acc13dced5

SHA256
ede9137d29111b55c4ddc23bcc76c552e7ae32bf0bf4fb67cba86de457b407f5

SHA512
19127687e06f0f20ea26c60de9eba81e471613953625c682685b472eb36cd67c77bf08f42a0f6eb55b4a1d5f0dc50b994618f5bbfc2fb17334d9c261a5d3346d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\vcruntime140_1.dll

Filesize
36KB

MD5
b4769c3bc424c442b4c93449258095dc

SHA1
bc3a6a0ad09e70e07ee5b4be64f961acc13dced5

SHA256
ede9137d29111b55c4ddc23bcc76c552e7ae32bf0bf4fb67cba86de457b407f5

SHA512
19127687e06f0f20ea26c60de9eba81e471613953625c682685b472eb36cd67c77bf08f42a0f6eb55b4a1d5f0dc50b994618f5bbfc2fb17334d9c261a5d3346d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.Settings.db

Filesize
16KB

MD5
9caed8c96174ed88142f7436e5510143

SHA1
7f63c366f1326b142a767d92899a4943a014d7cc

SHA256
e1b72fdb6fb9da58322f43b4ac4d23a84be5800fefd87fea07b6895ce091fea6

SHA512
94f50b56085a5ee5638b9651fd9d8674dd90da1cffddc4ae5b8c3e86d915f6e4d71d461254c4ea16e9b3f4659bcc83c03b5013a3ac89924a6d324272d5fc4407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.Settings.db

Filesize
16KB

MD5
f9c3b1543ae74d1a2164043cdad1f853

SHA1
eb2ba18a8f34eaeefee47a8537df7f7962fb32c4

SHA256
6a8595e53c93bf7692ff8e30750154bd7f2aef646bf5afb21e47b7994e6fab0d

SHA512
4cfc39ad1b91c52ec0b835cc46168bfe5785594fe566362fe2b6d8d9dfb19d80d4f66d058d6e35c4e1e285dd2e20cb01e61d2fc3d9ea59050382ac5433dc52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\settings\NucleusUpdateRingConfig.json

Filesize
75KB

MD5
e8c3188bf6093844532ae5c62e8510a7

SHA1
6990d7d02d26922e28ad4339f7e83494813f27b0

SHA256
6d656e16321d374f1ce271a34563e591dfed11b3718dc5ddb9a0bb4ce57d4684

SHA512
b2fb2467343f052e541225d3936a9b49ca12ffb9744969394452cf300827c3a6396850e4a09ff1e5ccc8d2681536ee1c5452ccf0dbdb6dca227108b40286eecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
2.5MB

MD5
174826c78c0aa36da1457e711e4c9e80

SHA1
56ee9857c7a0643d6f6d5e56c3f4689bb1499829

SHA256
159e208d7211b71b5dad89771bf1fc047de839bcb8e68475f248a051d2ebaa02

SHA512
1a8b837459bc16aed3d4ccba26916c6d48e92b0668ec12871e95d5faffe7067436912e40a38b20b1eabc628b63f7c56ac0105342dbe76c75f49c5851bc213a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Filesize
3.9MB

MD5
ce73de7d6ceec46735bb2294d5a2828e

SHA1
67c679c35d24ec0f5f31fe5acf258a6b97ea1135

SHA256
2f590d865a00a51ea3d11dbef06e6a480eeb314f34bb6634f722f36f83a399a0

SHA512
0a8050b32b3915e6d851daad8cd349625c5bf0add980b0fc75bff64c1d3d05e396f15b60edb8e78ca356cd5145a0f1de3d0b1f36b629c0ba075f7a6c6bb50b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Filesize
3.9MB

MD5
ce73de7d6ceec46735bb2294d5a2828e

SHA1
67c679c35d24ec0f5f31fe5acf258a6b97ea1135

SHA256
2f590d865a00a51ea3d11dbef06e6a480eeb314f34bb6634f722f36f83a399a0

SHA512
0a8050b32b3915e6d851daad8cd349625c5bf0add980b0fc75bff64c1d3d05e396f15b60edb8e78ca356cd5145a0f1de3d0b1f36b629c0ba075f7a6c6bb50b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\ECSConfig.json

Filesize
355B

MD5
5250b6856374174a37ed039d2b7ccda7

SHA1
1cdc5585660e8691d5da751f6a2839785ee76b29

SHA256
72549e6378188239a3cd0afa3a04238c86e17afe8cf6f6e674b7b8dcdc3e6745

SHA512
198c1548d3d6c249955cfab93e81e75a8774b8c9fc78bc6b4614f0cf3632808481630b449223dfde9c487a33896c9aacb348f6ef981493427e31df88d59431a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
59.1MB

MD5
3822dbde53983e0056f9bdfe291c02b5

SHA1
4a3f94ef03d822314baf2ed61f0055d99e56fef4

SHA256
9f5f7372a763e5d1ba1811c9f71779e2b065e2db79e2175acddef2904c8b2224

SHA512
ef1659c4a60b667fc251e735f93980e107243ba297c5d3edc87f8adca09b6a343b963a5a8533d7148bcba5a0d29c54889cd733a99cf794dc9b66d5d50c7a30f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
59.1MB

MD5
3822dbde53983e0056f9bdfe291c02b5

SHA1
4a3f94ef03d822314baf2ed61f0055d99e56fef4

SHA256
9f5f7372a763e5d1ba1811c9f71779e2b065e2db79e2175acddef2904c8b2224

SHA512
ef1659c4a60b667fc251e735f93980e107243ba297c5d3edc87f8adca09b6a343b963a5a8533d7148bcba5a0d29c54889cd733a99cf794dc9b66d5d50c7a30f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
59.1MB

MD5
3822dbde53983e0056f9bdfe291c02b5

SHA1
4a3f94ef03d822314baf2ed61f0055d99e56fef4

SHA256
9f5f7372a763e5d1ba1811c9f71779e2b065e2db79e2175acddef2904c8b2224

SHA512
ef1659c4a60b667fc251e735f93980e107243ba297c5d3edc87f8adca09b6a343b963a5a8533d7148bcba5a0d29c54889cd733a99cf794dc9b66d5d50c7a30f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
59.1MB

MD5
3822dbde53983e0056f9bdfe291c02b5

SHA1
4a3f94ef03d822314baf2ed61f0055d99e56fef4

SHA256
9f5f7372a763e5d1ba1811c9f71779e2b065e2db79e2175acddef2904c8b2224

SHA512
ef1659c4a60b667fc251e735f93980e107243ba297c5d3edc87f8adca09b6a343b963a5a8533d7148bcba5a0d29c54889cd733a99cf794dc9b66d5d50c7a30f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

Filesize
75KB

MD5
e8c3188bf6093844532ae5c62e8510a7

SHA1
6990d7d02d26922e28ad4339f7e83494813f27b0

SHA256
6d656e16321d374f1ce271a34563e591dfed11b3718dc5ddb9a0bb4ce57d4684

SHA512
b2fb2467343f052e541225d3936a9b49ca12ffb9744969394452cf300827c3a6396850e4a09ff1e5ccc8d2681536ee1c5452ccf0dbdb6dca227108b40286eecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\resources.pri

Filesize
17.8MB

MD5
c692bad42473abb43c0c2fa596f98fa0

SHA1
758bc205d3f73c0ff30d39529b22f6cfda640301

SHA256
2b8970bbb8d89b030b71f4b9638aeb56c4543957e5bee7539e31180826e22a7f

SHA512
b2e62dd24c5b194bde5ffa5d4e4d58d80648936eadc393074a61427e128edaeb81f4aeab366957d8dcbacd596b0fbbf4fe8bec3a8c73382a77bd482ce62e09ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD438.tmp

Filesize
53.9MB

MD5
c31e481f27b6bec51a16cda859821d4d

SHA1
b39de5d788a80203ffcde7ea443266feeb99ba48

SHA256
417c3acde475eff3bbfa100ca332c8a459a44e513dcd071f9d5b1b4f619b80a1

SHA512
653667b850945a3dd84d8142a781475f2a13f8902c9c340954e9d41514eaa06e6ec31f68701a24f21ce34370b9d2c920f678fa8592b00a62bda7033289113c46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk

Filesize
2KB

MD5
2c487198c1b2868b88276047fec65cdf

SHA1
043dec8716339f5accf6e5977d5c627de0f89765

SHA256
6115aa17d2c32febd752da0089534efce1dd5c5d96e806322c7f39ae048da6da

SHA512
dc02aea6c5ec0af2ccd58b20aeda2e31e4a9fbd5eb30df07570edeefaef09312c8471395b0e482523b533009556fba81f20bb28feab4f7131f78034d8fe84a85

Download Submit
memory/3672-133-0x0000017F9B820000-0x0000017F9B821000-memory.dmp

Filesize
4KB

Download