d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
Size

4.0MB
MD5

a75283bc0aaee9ed8762dabaa635f1c7
SHA1

31679b4b4ca53b06da7a63a5bb63432f4cabe7df
SHA256

d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600
SHA512

a1007bc3d68e64c6896638c1edcf5921fae052ab24d7edae35ec51deb0b0cfe53188769905285ca62330e68b9249cc0686f9dee00797b8ba4638758553ecf669
SSDEEP

49152:fws/uynX9W06SSHXZvAOdf1LyvxXNmx/EapWxnjRDhel9YcFyInowXW5MTZzb:f3NfRI5wBElnxn6q

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Executes dropped EXE 21 IoCs

pid	Process
5000	Logo1_.exe
2376	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
3648	OneDriveSetup.exe
1960	OneDriveSetup.exe
3296	FileSyncConfig.exe
368	OneDriveStandaloneUpdater.exe
1420	Microsoft.SharePoint.exe
216	MicrosoftEdgeWebview2Setup.exe
2724	MicrosoftEdgeUpdate.exe
3660	MicrosoftEdgeUpdate.exe
3752	MicrosoftEdgeUpdate.exe
2380	BackgroundTransferHost.exe
1144	MicrosoftEdgeUpdateComRegisterShell64.exe
2356	MicrosoftEdgeUpdateComRegisterShell64.exe
3036	MicrosoftEdgeUpdate.exe
4748	MicrosoftEdgeUpdate.exe
1872	MicrosoftEdgeUpdate.exe
1692	MicrosoftEdgeUpdate.exe
1012	MicrosoftEdge_X64_119.0.2151.44.exe
2872	setup.exe
1184	MicrosoftEdgeUpdate.exe

Loads dropped DLL 53 IoCs

pid	Process
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
3296	FileSyncConfig.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
1420	Microsoft.SharePoint.exe
2724	MicrosoftEdgeUpdate.exe
3660	MicrosoftEdgeUpdate.exe
3752	MicrosoftEdgeUpdate.exe
2380	BackgroundTransferHost.exe
3752	MicrosoftEdgeUpdate.exe
1144	MicrosoftEdgeUpdateComRegisterShell64.exe
3752	MicrosoftEdgeUpdate.exe
2356	MicrosoftEdgeUpdateComRegisterShell64.exe
3752	MicrosoftEdgeUpdate.exe
3036	MicrosoftEdgeUpdate.exe
4748	MicrosoftEdgeUpdate.exe
1872	MicrosoftEdgeUpdate.exe
1872	MicrosoftEdgeUpdate.exe
4748	MicrosoftEdgeUpdate.exe
1692	MicrosoftEdgeUpdate.exe
1184	MicrosoftEdgeUpdate.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{F37369D9-1C22-40A0-A997-0B4D5F7B6637}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /autoplay"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	BackgroundTransferHost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\i386\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Checks system information in the registry 2 TTPs 18 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveStandaloneUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveStandaloneUpdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU80E3.tmp\msedgeupdateres_de.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU80E3.tmp\msedgeupdateres_es.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU80E3.tmp\msedgeupdateres_el.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU80E3.tmp\msedgeupdateres_ko.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU80E3.tmp\msedgeupdateres_es-419.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\119.0.2151.44\Locales\sq.pak	setup.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\119.0.2151.44\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\119.0.2151.44\msvcp140.dll	setup.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\119.0.2151.44\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\119.0.2151.44\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
File created	C:\Windows\Logo1_.exe	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\PROGID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\INTERFACE\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{0827D883-485C-4D62-BA2C-A332DBF3D4B0}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\23.209.1008.0002\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\LocalService = "edgeupdate"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\odopen\shell\open\command	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ = "IFileSyncClient5"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\FileSyncClient.FileSyncClient\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ = "ISyncEngineEvents"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\TypeLib\{F904F88C-E60D-4327-9FA2-865AD075B400}	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\WIN32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\TypeLib\ = "{F904F88C-E60D-4327-9FA2-865AD075B400}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BA747D4-0E17-4C7B-A5DD-6B81BB4A26D1}\InprocHandler32\ThreadingModel = "Both"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\TYPELIB\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0\0\WIN32	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}	BackgroundTransferHost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CurVer\ = "MicrosoftEdgeUpdate.Update3WebMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_CLASSES\WOW6432NODE\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0"	OneDriveSetup.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
5000	Logo1_.exe
2376	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
2376	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
2376	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
2376	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
3648	OneDriveSetup.exe
3648	OneDriveSetup.exe
3648	OneDriveSetup.exe
3648	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
1960	OneDriveSetup.exe
2724	MicrosoftEdgeUpdate.exe
2724	MicrosoftEdgeUpdate.exe
2724	MicrosoftEdgeUpdate.exe
2724	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3648	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	1960	OneDriveSetup.exe
Token: SeDebugPrivilege	2724	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2724	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 3028	4684	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe	84
PID 4684 wrote to memory of 3028	4684	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe	84
PID 4684 wrote to memory of 3028	4684	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe	84
PID 4684 wrote to memory of 5000	4684	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe	85
PID 4684 wrote to memory of 5000	4684	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe	85
PID 4684 wrote to memory of 5000	4684	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe	85
PID 5000 wrote to memory of 2424	5000	Logo1_.exe	86
PID 5000 wrote to memory of 2424	5000	Logo1_.exe	86
PID 5000 wrote to memory of 2424	5000	Logo1_.exe	86
PID 2424 wrote to memory of 2468	2424	net.exe	89
PID 2424 wrote to memory of 2468	2424	net.exe	89
PID 2424 wrote to memory of 2468	2424	net.exe	89
PID 3028 wrote to memory of 2376	3028	cmd.exe	90
PID 3028 wrote to memory of 2376	3028	cmd.exe	90
PID 5000 wrote to memory of 3280	5000	Logo1_.exe	59
PID 5000 wrote to memory of 3280	5000	Logo1_.exe	59
PID 2376 wrote to memory of 3648	2376	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe	102
PID 2376 wrote to memory of 3648	2376	d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe	102
PID 1960 wrote to memory of 3296	1960	OneDriveSetup.exe	108
PID 1960 wrote to memory of 3296	1960	OneDriveSetup.exe	108
PID 1960 wrote to memory of 368	1960	OneDriveSetup.exe	110
PID 1960 wrote to memory of 368	1960	OneDriveSetup.exe	110
PID 368 wrote to memory of 216	368	OneDriveStandaloneUpdater.exe	113
PID 368 wrote to memory of 216	368	OneDriveStandaloneUpdater.exe	113
PID 368 wrote to memory of 216	368	OneDriveStandaloneUpdater.exe	113
PID 216 wrote to memory of 2724	216	MicrosoftEdgeWebview2Setup.exe	115
PID 216 wrote to memory of 2724	216	MicrosoftEdgeWebview2Setup.exe	115
PID 216 wrote to memory of 2724	216	MicrosoftEdgeWebview2Setup.exe	115
PID 2724 wrote to memory of 3660	2724	MicrosoftEdgeUpdate.exe	116
PID 2724 wrote to memory of 3660	2724	MicrosoftEdgeUpdate.exe	116
PID 2724 wrote to memory of 3660	2724	MicrosoftEdgeUpdate.exe	116
PID 2724 wrote to memory of 3752	2724	MicrosoftEdgeUpdate.exe	117
PID 2724 wrote to memory of 3752	2724	MicrosoftEdgeUpdate.exe	117
PID 2724 wrote to memory of 3752	2724	MicrosoftEdgeUpdate.exe	117
PID 3752 wrote to memory of 2380	3752	MicrosoftEdgeUpdate.exe	126
PID 3752 wrote to memory of 2380	3752	MicrosoftEdgeUpdate.exe	126
PID 3752 wrote to memory of 1144	3752	MicrosoftEdgeUpdate.exe	119
PID 3752 wrote to memory of 1144	3752	MicrosoftEdgeUpdate.exe	119
PID 3752 wrote to memory of 2356	3752	MicrosoftEdgeUpdate.exe	120
PID 3752 wrote to memory of 2356	3752	MicrosoftEdgeUpdate.exe	120
PID 2724 wrote to memory of 3036	2724	MicrosoftEdgeUpdate.exe	121
PID 2724 wrote to memory of 3036	2724	MicrosoftEdgeUpdate.exe	121
PID 2724 wrote to memory of 3036	2724	MicrosoftEdgeUpdate.exe	121
PID 2724 wrote to memory of 4748	2724	MicrosoftEdgeUpdate.exe	123
PID 2724 wrote to memory of 4748	2724	MicrosoftEdgeUpdate.exe	123
PID 2724 wrote to memory of 4748	2724	MicrosoftEdgeUpdate.exe	123
PID 1872 wrote to memory of 1692	1872	MicrosoftEdgeUpdate.exe	125
PID 1872 wrote to memory of 1692	1872	MicrosoftEdgeUpdate.exe	125
PID 1872 wrote to memory of 1692	1872	MicrosoftEdgeUpdate.exe	125
PID 1872 wrote to memory of 1012	1872	MicrosoftEdgeUpdate.exe	131
PID 1872 wrote to memory of 1012	1872	MicrosoftEdgeUpdate.exe	131
PID 1012 wrote to memory of 2872	1012	MicrosoftEdge_X64_119.0.2151.44.exe	132
PID 1012 wrote to memory of 2872	1012	MicrosoftEdge_X64_119.0.2151.44.exe	132
PID 1872 wrote to memory of 1184	1872	MicrosoftEdgeUpdate.exe	134
PID 1872 wrote to memory of 1184	1872	MicrosoftEdgeUpdate.exe	134
PID 1872 wrote to memory of 1184	1872	MicrosoftEdgeUpdate.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
  "C:\Users\Admin\AppData\Local\Temp\d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEA6F.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe
      "C:\Users\Admin\AppData\Local\Temp\d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update /updateSource:ODSU
        5⤵
        Executes dropped EXE
        Checks system information in the registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /updateSource:ODSU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies system executable filetype association
        Registers COM server for autorun
        Adds Run key to start application
        Checks system information in the registry
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncConfig.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /installWebView2
        7⤵
        Executes dropped EXE
        Checks system information in the registry
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe /silent /install
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Program Files (x86)\Microsoft\Temp\EU80E3.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU80E3.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        9⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3660
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        11⤵
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1144
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezk0MEZBQjQwLUM4ODktNDEwQy1CNkY1LTQ4RTc5MkFDQTZGMH0iIHVzZXJpZD0ie0M3NEM3NjhFLTFCQzgtNDVFQy04NjY2LUZFREM2OTc3QkY5NH0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7ODVGOTEwQTItRTM4Ny00MUMwLUJDMEUtQUQwQkFBREIwQ0YyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3Ny4xMSIgbmV4dHZlcnNpb249IjEuMy4xODEuNSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQwMDkwMjA0MSIgaW5zdGFsbF90aW1lX21zPSIxMDE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        
        PID:3036
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{940FAB40-C889-410C-B6F5-48E792ACA6F0}" /silent
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Microsoft.SharePoint.exe
        
        /silentConfig
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        
        PID:1420
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2468

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezk0MEZBQjQwLUM4ODktNDEwQy1CNkY1LTQ4RTc5MkFDQTZGMH0iIHVzZXJpZD0ie0M3NEM3NjhFLTFCQzgtNDVFQy04NjY2LUZFREM2OTc3QkY5NH0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7QjJDNEJFMjMtNTc1Qi00NkQ2LUJDM0QtODZEOUYwNzkwOUQ2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MTA0MzM0MTciLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:1692
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2CAC4CF6-6F17-41DB-8CD9-86A95CBAD117}\MicrosoftEdge_X64_119.0.2151.44.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2CAC4CF6-6F17-41DB-8CD9-86A95CBAD117}\MicrosoftEdge_X64_119.0.2151.44.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2CAC4CF6-6F17-41DB-8CD9-86A95CBAD117}\EDGEMITMP_574E2.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2CAC4CF6-6F17-41DB-8CD9-86A95CBAD117}\EDGEMITMP_574E2.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2CAC4CF6-6F17-41DB-8CD9-86A95CBAD117}\MicrosoftEdge_X64_119.0.2151.44.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2872
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezk0MEZBQjQwLUM4ODktNDEwQy1CNkY1LTQ4RTc5MkFDQTZGMH0iIHVzZXJpZD0ie0M3NEM3NjhFLTFCQzgtNDVFQy04NjY2LUZFREM2OTc3QkY5NH0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7OTBEMTBDNjEtOTkxQi00NDY5LUExRUUtRkM0RkJDNDUzNzE5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTE5LjAuMjE1MS40NCIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQyMDEyMjI3NSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MjAyNzc5NTMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTkzMjQ1MTQxIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9kMTdjOWZjYS04MDFiLTRjYWMtOWY4YS1iYWYyZGQyZjkwZTA_UDE9MTY5OTYzMDg3MyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1MTHBlMFIyUlhVa0JCcGpucmMycWpIUzE0ZkFUcmZzRlNFUEMlMmZVcVFCSkdvd3pHVUJTJTJmMXFtbzBva2JIeDRqVW1NUTJ4T2pFTnUxeEdpdk93R1Y5N3clM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzQ4NDg1ODQiIHRvdGFsPSIxNzQ4NDg1ODQiIGRvd25sb2FkX3RpbWVfbXM9IjEyMjAzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU5MzQwMTQ5NCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2MzA0MzMzMDIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjYwOTcxNTIwMzIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI2NTYiIGRvd25sb2FkX3RpbWVfbXM9IjE3Mjk2IiBkb3dubG9hZGVkPSIxNzQ4NDg1ODQiIHRvdGFsPSIxNzQ4NDg1ODQiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjQ2NjU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:1184

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
568f17750238ab463c745953a303648a

SHA1
25e9de37d6edb52c584c442e4f93a0448b4b37d4

SHA256
5351b82387339c78b116a077f2ba633da2a6fef86a165d92bfe28c2c3770ac81

SHA512
9034bc060e8155e07009d2142830f03b29c50525232fa1719038eae4fc742d460c5dad7b7fdd6957264c338072fbe71193a23d994510dc809ae240023b9f1ed3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\119.0.2151.44\Installer\setup.exe

Filesize
6.0MB

MD5
6132b86923d17eb24940cff1b866de79

SHA1
cb4a33966ed48b4ff6b1e28b4965e12ccc6e932f

SHA256
fa1d64691da3dde41586329bbdbefdbf44d54d4cb7791fbbfcb0558bd76abf26

SHA512
ac373cf46b276edcdefc459a1b8a14be52f01dc92f5981b622b8992821887bfcdb34d8d1d7f283bb313c1a453fe1991262f92dcb9bb4f256d2e7f83ddb1c5053

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\119.0.2151.44\MicrosoftEdge_X64_119.0.2151.44.exe

Filesize
166.7MB

MD5
8d494da0f86f512ff5d5f7c875d78ba2

SHA1
d33fb6aa7ee0e55378eca762652a94a90fa90c40

SHA256
f8fb3ef8e2f6f08590428a4c7b9ea22359ca512d901bdc262574ac44da6f0191

SHA512
b5c8a3d5fe7143667600802db929a4b620ad877103c31fadb7d198f0bf863305b8758b3eba00a7e10264cbef04dbbe7ab96df428bbee25f9ceb3fd41be5da91a

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
11fe091ace9d03b9ada6d5a22d12c0d0

SHA1
5379ebe84500d425586904e7f9ac0393ab2a9d24

SHA256
50f4ed60a507ce9dd1f3f4e7d53053d923cb71594374a25251746a9b2271e4ee

SHA512
0f39af99697332c697ca62e2708e0a9200552a55f2d3057b64e9b18df2fe2828be750b14b5336ac9518b4c1282e82cd170b64587cf56b45b840ca231108b7fdf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
487KB

MD5
bf1bbfb3abc86e299017bcb5474595bf

SHA1
def80689c4abc742c6dcf47e68f362ec0efd1681

SHA256
a89f39f3f9ac3f8397818e9052f9c8cc2a74810b5c7cb6c313f4c91c898a7236

SHA512
063e46c0c3898e51c5ce35c67a079e9431ef356a8c4d532b9e8a5e8f4b4c2224fc067b5b40a3d3cebc3933345d45e93ea59782d8b887a41d1d1c7881bb00bd97

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
132KB

MD5
3c8a0d339ccb62027ad531cdda00b824

SHA1
98a4b76695da9c9afaa8aacfd3d9623ef6aa9b3e

SHA256
7dca00626919b5d6f1a8190e5019a7404c507a7922be18f2edfd227492c47c6d

SHA512
c1f7f438ba4e7d9a63354bb6f628f79703aafbabdbf4a3e7bdb72ff70af8df3c22ced6ee8bb587559aebb47a8d04db05664693140857704ca9fe98e25c58ec7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncConfig.exe

Filesize
697KB

MD5
b68d0fd13b5e620380012de4c9262367

SHA1
2256c5c09003c8a499865ac41115725a2a210457

SHA256
6df820afd349c6013cb66478d1d10516e80f8a3cfcd593d814149601e77a5a86

SHA512
fce192150586b9d169a5053c58f9a168b7796bd62923fd09cfedffbae8bfa45f75e05d3a652105aff9753c47a208c4fe75fc200ce05b05486a5259aba03aa5d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncConfig.exe

Filesize
697KB

MD5
b68d0fd13b5e620380012de4c9262367

SHA1
2256c5c09003c8a499865ac41115725a2a210457

SHA256
6df820afd349c6013cb66478d1d10516e80f8a3cfcd593d814149601e77a5a86

SHA512
fce192150586b9d169a5053c58f9a168b7796bd62923fd09cfedffbae8bfa45f75e05d3a652105aff9753c47a208c4fe75fc200ce05b05486a5259aba03aa5d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncEvents.dll

Filesize
133KB

MD5
7b75e0db5270a4936394002fd1dbe20c

SHA1
08ceb187adc2e6a00d3f464441c0475db9350432

SHA256
c1b8cf3985ec38871cee051d51bc3bb1f047a900856f4bbff160a7f2268136f7

SHA512
52f8c7d075fdb17ff23555e903d68edbe03bffc5ed6d03a1b9206ae1c5eebad78fed22e66b2125dc4e5dc3b3fb2f162cc88bea44c1937c4e31bcea258e2cb748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncEvents.dll

Filesize
133KB

MD5
7b75e0db5270a4936394002fd1dbe20c

SHA1
08ceb187adc2e6a00d3f464441c0475db9350432

SHA256
c1b8cf3985ec38871cee051d51bc3bb1f047a900856f4bbff160a7f2268136f7

SHA512
52f8c7d075fdb17ff23555e903d68edbe03bffc5ed6d03a1b9206ae1c5eebad78fed22e66b2125dc4e5dc3b3fb2f162cc88bea44c1937c4e31bcea258e2cb748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncEvents.dll

Filesize
133KB

MD5
7b75e0db5270a4936394002fd1dbe20c

SHA1
08ceb187adc2e6a00d3f464441c0475db9350432

SHA256
c1b8cf3985ec38871cee051d51bc3bb1f047a900856f4bbff160a7f2268136f7

SHA512
52f8c7d075fdb17ff23555e903d68edbe03bffc5ed6d03a1b9206ae1c5eebad78fed22e66b2125dc4e5dc3b3fb2f162cc88bea44c1937c4e31bcea258e2cb748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncFS.DLL

Filesize
776KB

MD5
3132d1781c79cacc9f7f60ef1cef8365

SHA1
5547ca89edd80b54f1af3d68b8ebdc753017bed2

SHA256
4e30e4e31010e27c8be4cda10f0c1a0212012db99ff2683b58e2a6e2dc3d26fa

SHA512
d3308f6b702f54dd4f3197025c3051d12653258fd7099a54bab07ec3326b7efb7c55f701845a2d196990db8dbcddffab4b6f702464fea964a148aee2647a1ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncFS.dll

Filesize
776KB

MD5
3132d1781c79cacc9f7f60ef1cef8365

SHA1
5547ca89edd80b54f1af3d68b8ebdc753017bed2

SHA256
4e30e4e31010e27c8be4cda10f0c1a0212012db99ff2683b58e2a6e2dc3d26fa

SHA512
d3308f6b702f54dd4f3197025c3051d12653258fd7099a54bab07ec3326b7efb7c55f701845a2d196990db8dbcddffab4b6f702464fea964a148aee2647a1ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncFS.dll

Filesize
776KB

MD5
3132d1781c79cacc9f7f60ef1cef8365

SHA1
5547ca89edd80b54f1af3d68b8ebdc753017bed2

SHA256
4e30e4e31010e27c8be4cda10f0c1a0212012db99ff2683b58e2a6e2dc3d26fa

SHA512
d3308f6b702f54dd4f3197025c3051d12653258fd7099a54bab07ec3326b7efb7c55f701845a2d196990db8dbcddffab4b6f702464fea964a148aee2647a1ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncHost.DLL

Filesize
399KB

MD5
0e1b1801f4ba9d2793bf2403fbfaa4f3

SHA1
b7d6dfd282b56959e7bbeff332cfb38f569e80be

SHA256
b3a7c5bea888950824f616a43b7ee302b3718baf38e10032cf28e528b7bfd379

SHA512
5179dcdc5bb2171a9f189f5f8fc0456cbcf3dee3f9c6366479697fcef935716b8a25a17d2d7de8e853185878861f0a243f5d4c2439b0196ebd9ee99574cdfa93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncHost.dll

Filesize
399KB

MD5
0e1b1801f4ba9d2793bf2403fbfaa4f3

SHA1
b7d6dfd282b56959e7bbeff332cfb38f569e80be

SHA256
b3a7c5bea888950824f616a43b7ee302b3718baf38e10032cf28e528b7bfd379

SHA512
5179dcdc5bb2171a9f189f5f8fc0456cbcf3dee3f9c6366479697fcef935716b8a25a17d2d7de8e853185878861f0a243f5d4c2439b0196ebd9ee99574cdfa93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncHost.dll

Filesize
399KB

MD5
0e1b1801f4ba9d2793bf2403fbfaa4f3

SHA1
b7d6dfd282b56959e7bbeff332cfb38f569e80be

SHA256
b3a7c5bea888950824f616a43b7ee302b3718baf38e10032cf28e528b7bfd379

SHA512
5179dcdc5bb2171a9f189f5f8fc0456cbcf3dee3f9c6366479697fcef935716b8a25a17d2d7de8e853185878861f0a243f5d4c2439b0196ebd9ee99574cdfa93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncSessions.dll

Filesize
5.7MB

MD5
ee108baec8568a4e54ad8e7ccf959779

SHA1
384569f02c427e6992b05d6bceca6bc78c19b999

SHA256
9d8377682f8af86bc78619282392defa7aa430d4ede1285cb853552859e35a00

SHA512
6126b563bda8752dc2ec146809ea3a22c82e6dac1bd6360f8a7b787c3a3e26cdc96f5d48e2a0ee1aee2f9cf3a28ac7928896870904ebc1fdb360250628dc55ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncSessions.dll

Filesize
5.7MB

MD5
ee108baec8568a4e54ad8e7ccf959779

SHA1
384569f02c427e6992b05d6bceca6bc78c19b999

SHA256
9d8377682f8af86bc78619282392defa7aa430d4ede1285cb853552859e35a00

SHA512
6126b563bda8752dc2ec146809ea3a22c82e6dac1bd6360f8a7b787c3a3e26cdc96f5d48e2a0ee1aee2f9cf3a28ac7928896870904ebc1fdb360250628dc55ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncSqlite3.dll

Filesize
634KB

MD5
14fc57107ae893ff9927f4674a624f80

SHA1
2ab2f93f09eda433ebc74fa31c5091de2cb28be8

SHA256
3bb5dc96a41e83b57e1bd759ce33c7f0f8d9004520b5197bf6eae7ad97327e7c

SHA512
5c90c976f239484a7da7ca029679282c3eac484e1f7463664a799d8d5891d7a9ccf40a89867fecb884416fbe62979c9346f980369347aed5c9b69f56b1b6a0c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncSqlite3.dll

Filesize
634KB

MD5
14fc57107ae893ff9927f4674a624f80

SHA1
2ab2f93f09eda433ebc74fa31c5091de2cb28be8

SHA256
3bb5dc96a41e83b57e1bd759ce33c7f0f8d9004520b5197bf6eae7ad97327e7c

SHA512
5c90c976f239484a7da7ca029679282c3eac484e1f7463664a799d8d5891d7a9ccf40a89867fecb884416fbe62979c9346f980369347aed5c9b69f56b1b6a0c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncTelemetryExtensions.dll

Filesize
462KB

MD5
ef53244c2a3bc4de077fce77b14ea15b

SHA1
24e9fbf8991f7ceafb34e1fa279525ea6aecffc4

SHA256
6f70971879756ac7d516201c84616a5d53ba616a03e843bec61bc93bfdbbe811

SHA512
32b747e95407dd0a78fa30156f484ad4114614d72b6427703158da2295aea4ad03eacedbcb01f9b65d6ace6cceb100bff574895204295d29132802bbda9edd8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\FileSyncTelemetryExtensions.dll

Filesize
462KB

MD5
ef53244c2a3bc4de077fce77b14ea15b

SHA1
24e9fbf8991f7ceafb34e1fa279525ea6aecffc4

SHA256
6f70971879756ac7d516201c84616a5d53ba616a03e843bec61bc93bfdbbe811

SHA512
32b747e95407dd0a78fa30156f484ad4114614d72b6427703158da2295aea4ad03eacedbcb01f9b65d6ace6cceb100bff574895204295d29132802bbda9edd8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogUploader.dll

Filesize
970KB

MD5
c716f118bebd05fcccb39e186b579346

SHA1
8ba49e9f871d63d87853e87041506701f1f76468

SHA256
386920b5a1a4e8bf8b74b5b5d9ef1a7da511ff495a1bf02faa3e1d2f6606c0bd

SHA512
4370875b329c7c80c50fbec22c8891372088595c80222563c8d46f4c41a5757c950b175e73ac149a9ab8fa0b7194c7fcaf7bb6f6b866d5365654cd7d7b3a0088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogUploader.dll

Filesize
970KB

MD5
c716f118bebd05fcccb39e186b579346

SHA1
8ba49e9f871d63d87853e87041506701f1f76468

SHA256
386920b5a1a4e8bf8b74b5b5d9ef1a7da511ff495a1bf02faa3e1d2f6606c0bd

SHA512
4370875b329c7c80c50fbec22c8891372088595c80222563c8d46f4c41a5757c950b175e73ac149a9ab8fa0b7194c7fcaf7bb6f6b866d5365654cd7d7b3a0088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LoggingPlatform.DLL

Filesize
619KB

MD5
928ac505fc5617da4deda4acecefc9cf

SHA1
454f0c8ea24911ed1f593daa5f1f339b59022062

SHA256
2ae4912635150df21f1b4b1f4d88e9e21dbd706aff2207dd56640ec7cb68e7ed

SHA512
b6059bc22e0ecddc27f0c315c97c5a5551f4ae187512c8e3d457d6b6cede39f0abb1036072b3f758d4b725c31f964643a52353550041504a5e7b494270fe6e27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LoggingPlatform.dll

Filesize
619KB

MD5
928ac505fc5617da4deda4acecefc9cf

SHA1
454f0c8ea24911ed1f593daa5f1f339b59022062

SHA256
2ae4912635150df21f1b4b1f4d88e9e21dbd706aff2207dd56640ec7cb68e7ed

SHA512
b6059bc22e0ecddc27f0c315c97c5a5551f4ae187512c8e3d457d6b6cede39f0abb1036072b3f758d4b725c31f964643a52353550041504a5e7b494270fe6e27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LoggingPlatform.dll

Filesize
619KB

MD5
928ac505fc5617da4deda4acecefc9cf

SHA1
454f0c8ea24911ed1f593daa5f1f339b59022062

SHA256
2ae4912635150df21f1b4b1f4d88e9e21dbd706aff2207dd56640ec7cb68e7ed

SHA512
b6059bc22e0ecddc27f0c315c97c5a5551f4ae187512c8e3d457d6b6cede39f0abb1036072b3f758d4b725c31f964643a52353550041504a5e7b494270fe6e27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\LogoImages\Resources.pri

Filesize
18.1MB

MD5
4fbd1578d8beef2787c69a650c6e18a9

SHA1
51c7bfd3d23b7aaef7f6f9fa16f816714900c7e9

SHA256
2d9961faa1b5b8018f803a74c8e83c0036eed830fbe70fc9c57320bd8cddf1cf

SHA512
ab82c867dad53c2c839c16f031d97ebe9ba691be9ae0d9aed6370d34cd43594330f8167bc1e1a2dbfc99848a30aea5f6d3532590a263d4248db72319a26a3f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\MSVCP140.dll

Filesize
557KB

MD5
9295c8562a1e4ae14c6f85d8e4a0de02

SHA1
9191be8a3641d87bfff9eb2e1108e5103894248d

SHA256
4ae33a369b360da01b1f8d98f36bb3cb2f75e3b52f4d94bae59d7f206ee33019

SHA512
331a61033b247947ea32a3e0d78c5038b04d050b0b854489a66fd65b67ee7b7fb3cb7902a68514de0a0251cf8a89441ce634d7c9c80e80b7bf37057c983cf804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\MSVCP140_ATOMIC_WAIT.dll

Filesize
55KB

MD5
889b09f877d57b8307a856e357a898eb

SHA1
0b8f94b4ae8968cf21ff7aed3d98b3d014f7fe4b

SHA256
9368909654d4502cf0993ff8bfc74d7959edd405e5003e406419b02830abab1f

SHA512
6043a7dfeafd0eb4d71db8ad3ba795f0905bfddc4b8ab66a573bcf23ad7fdff6783c03e9c974a88162bd0939a1d2c0d680ded32419966b0fac98a73b4b56b3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Microsoft.SharePoint.Calc.dll

Filesize
912KB

MD5
5539ef5b0ce0815bbe3c4e6914a47852

SHA1
ff6a13cc774f3608231f4355aef1120db3f356e4

SHA256
982f348bd4c060881a25e2c2569257d5a19e1df18285b2567c6ebdc655aadbb3

SHA512
304939dd69b861c4eaa59ddbd6341a81c7dd05c13e53d67227affb7d30a54dc6e64894c7887ce686b8740762145102c54669ec47481f113820dccf3ea90ff820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Microsoft.SharePoint.Calc.dll

Filesize
912KB

MD5
5539ef5b0ce0815bbe3c4e6914a47852

SHA1
ff6a13cc774f3608231f4355aef1120db3f356e4

SHA256
982f348bd4c060881a25e2c2569257d5a19e1df18285b2567c6ebdc655aadbb3

SHA512
304939dd69b861c4eaa59ddbd6341a81c7dd05c13e53d67227affb7d30a54dc6e64894c7887ce686b8740762145102c54669ec47481f113820dccf3ea90ff820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Microsoft.SharePoint.WebSocketClient.dll

Filesize
1.3MB

MD5
57658bc1ed462e465b5a12bb27f76261

SHA1
37daa1f61c8cbd00de8e812035e8623b70a2bb08

SHA256
78dc407c8468aa11004cbde5ed844bcfb77e342d0795609d76fe17748a461774

SHA512
59338bf4b463d4bf77e3790129e003425cbfdf6a9ac9aad339ab141fda5df77a203ee29f6ba4c18cb2d2680d6d09d389aa9f06adc6cab01e637852e7f16566f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Microsoft.SharePoint.WebSocketClient.dll

Filesize
1.3MB

MD5
57658bc1ed462e465b5a12bb27f76261

SHA1
37daa1f61c8cbd00de8e812035e8623b70a2bb08

SHA256
78dc407c8468aa11004cbde5ed844bcfb77e342d0795609d76fe17748a461774

SHA512
59338bf4b463d4bf77e3790129e003425cbfdf6a9ac9aad339ab141fda5df77a203ee29f6ba4c18cb2d2680d6d09d389aa9f06adc6cab01e637852e7f16566f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Microsoft.SharePoint.dll

Filesize
17.2MB

MD5
b1008332e080f484d7795f0607f3fd35

SHA1
3e7469b6f0c42ec6578f091fe7863ea597cd4d24

SHA256
f8c84e895ee9bac74fd04957f08b4ca256115dea6d36945db97c8b97f9cf8169

SHA512
d0d8e858ecb510df80509180a7f2cd2f21c96c0cd15de9b2bd11ee5a6c8950b391bdf6ef7c495c9455ba51e88f82d356307f3a0095b62a9a742f2954df969b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Microsoft.SharePoint.dll

Filesize
17.2MB

MD5
b1008332e080f484d7795f0607f3fd35

SHA1
3e7469b6f0c42ec6578f091fe7863ea597cd4d24

SHA256
f8c84e895ee9bac74fd04957f08b4ca256115dea6d36945db97c8b97f9cf8169

SHA512
d0d8e858ecb510df80509180a7f2cd2f21c96c0cd15de9b2bd11ee5a6c8950b391bdf6ef7c495c9455ba51e88f82d356307f3a0095b62a9a742f2954df969b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Microsoft.SharePoint.exe

Filesize
526KB

MD5
274f84e3bb97aeddbb62100937780ab0

SHA1
2c052ea07dce09517fd97f1e874a0094c90d14f3

SHA256
9ed4c03900eebb647819243d88a0ead185c5d708d7df3c4d4160570370e81b0a

SHA512
4a30067e811d84a7344e95f025ccc388675aebe79b1b86f93b5424d9b71761803b7a883d58df8b7ef925cea7cbc0e96e1d0ffad81a933ca1b97fddc5962da101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\OneDrive.exe

Filesize
2.5MB

MD5
1a180efed17f504a40aa3ade844761ce

SHA1
f86f3f0c2d8c211f895fa5870c367c50f86d9fa4

SHA256
a02bbcbafff0e1971b31a4945f6f6ad981855518c53db1fd212490bbab03092d

SHA512
426f072782ea063e9d03b55cee356cd487d6f356074726bde5bf96839d4b3f9dea48dd37af41fe264c2bdcfacef9eeccde026667ab8ba12ce0fc6ed325ca357b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\OneDriveStandaloneUpdater.exe

Filesize
3.9MB

MD5
640066423ccb8a3e8feaf63e0c093349

SHA1
94c7e7c25c4576b0b5eddd4b1faff813dbee7a0d

SHA256
bf713e3e5b7c209b0c1d458e705abc2cf3795997aa6df57e002bfe4e86290c1b

SHA512
850607a7f785c0c414d8c0b45b0a0245e01cad42c53ba0541051ad94a2f0265ae127a15fca916dd9af6b2a93a304bef4b5012f3f10cc32853b1067742822711e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\OneDriveTelemetryStable.dll

Filesize
2.2MB

MD5
ebe5b35277408198a0ad979a0cb87b7e

SHA1
93936d3bb509de4cacd33a567e1b9148f3b85b59

SHA256
1f5942e4d585111ac61292b569e150b3defdb6d504cebba79b8184556ba25d40

SHA512
a7ecdae99009b27eaebd4c2ac707bc65d65ed374814c1e8d194f46217e3ec4217c3b14d098937e51be4f867f2688f42abe2e592e2d73d7742ad2993a5dc069fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\OneDriveTelemetryStable.dll

Filesize
2.2MB

MD5
ebe5b35277408198a0ad979a0cb87b7e

SHA1
93936d3bb509de4cacd33a567e1b9148f3b85b59

SHA256
1f5942e4d585111ac61292b569e150b3defdb6d504cebba79b8184556ba25d40

SHA512
a7ecdae99009b27eaebd4c2ac707bc65d65ed374814c1e8d194f46217e3ec4217c3b14d098937e51be4f867f2688f42abe2e592e2d73d7742ad2993a5dc069fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Telemetry.dll

Filesize
566KB

MD5
aff0c9b614e369f90d6a355bf152a744

SHA1
fc035c585f0435c66bb721f42c5dc7509e395f23

SHA256
291d357869b258b5816383ddc39a564b2d7b1ea50599642f0afcbc9dbb7192f5

SHA512
ee3b268bb7b595cadcc57dd628677ae057109ce58810a6b2938b23973c970376a713e946c04ad4cf3b903c2d92025d24757642719e4ddcd4d03e953b1731e0d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Telemetry.dll

Filesize
566KB

MD5
aff0c9b614e369f90d6a355bf152a744

SHA1
fc035c585f0435c66bb721f42c5dc7509e395f23

SHA256
291d357869b258b5816383ddc39a564b2d7b1ea50599642f0afcbc9dbb7192f5

SHA512
ee3b268bb7b595cadcc57dd628677ae057109ce58810a6b2938b23973c970376a713e946c04ad4cf3b903c2d92025d24757642719e4ddcd4d03e953b1731e0d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\Telemetry.dll

Filesize
566KB

MD5
aff0c9b614e369f90d6a355bf152a744

SHA1
fc035c585f0435c66bb721f42c5dc7509e395f23

SHA256
291d357869b258b5816383ddc39a564b2d7b1ea50599642f0afcbc9dbb7192f5

SHA512
ee3b268bb7b595cadcc57dd628677ae057109ce58810a6b2938b23973c970376a713e946c04ad4cf3b903c2d92025d24757642719e4ddcd4d03e953b1731e0d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\UpdateRingSettings.dll

Filesize
606KB

MD5
769a6b5d1cf1f045f9825b39ef1b438a

SHA1
306abc8d7ae9ed36a140d9c2c6b69b45b5009ed7

SHA256
82945afa7f6c9ace6adf24bff38585849c7f9e5acf108e40539dfcab3ecb3630

SHA512
64f0cfc54c69d0e162b1ef07c122301b5748cc710080963eae5b373145988ac96744863a6c17d6fbd8d1d746c9b7fdbab47c59e301b3c11a7e053625c110e97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\UpdateRingSettings.dll

Filesize
606KB

MD5
769a6b5d1cf1f045f9825b39ef1b438a

SHA1
306abc8d7ae9ed36a140d9c2c6b69b45b5009ed7

SHA256
82945afa7f6c9ace6adf24bff38585849c7f9e5acf108e40539dfcab3ecb3630

SHA512
64f0cfc54c69d0e162b1ef07c122301b5748cc710080963eae5b373145988ac96744863a6c17d6fbd8d1d746c9b7fdbab47c59e301b3c11a7e053625c110e97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\UpdateRingSettings.dll

Filesize
606KB

MD5
769a6b5d1cf1f045f9825b39ef1b438a

SHA1
306abc8d7ae9ed36a140d9c2c6b69b45b5009ed7

SHA256
82945afa7f6c9ace6adf24bff38585849c7f9e5acf108e40539dfcab3ecb3630

SHA512
64f0cfc54c69d0e162b1ef07c122301b5748cc710080963eae5b373145988ac96744863a6c17d6fbd8d1d746c9b7fdbab47c59e301b3c11a7e053625c110e97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\VCRUNTIME140.dll

Filesize
96KB

MD5
d2803c2fe7bf66cbbf5ecf91c983ccc9

SHA1
8d6cb489a5c87ba94b5ed97c77b2aa79bc2bdc5c

SHA256
718f8707081b815de85a2d2f285b84872a6cef5b29b4550402340f23ff7ea448

SHA512
29fde5aa4e38f583384fe81bf07d692773dfbf087fe4187cc59b36e9f464059f2455744452a7eba2b463bf27b2e3606a5ab26948ae5772b5794ab8f3e1163a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\VCRUNTIME140_1.dll

Filesize
37KB

MD5
d8bf849789d9363066fc641b88295819

SHA1
c936365cb74f04b12b4449045900072898d2e3be

SHA256
e282d8a733476e62aaebeff37dcb2285ed03448c25ae45fa4918da8030a20073

SHA512
5a5dfdfb1c7fcb55a93444475528a9a3fd3c3baf0499452a18d8cfdf3369ab7635f5da2900ac132a52384f4d6b93b04503433a58a97cef2405a6b9e00e18712e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
228efd95dd0bca68c0758698207cadb6

SHA1
2cf50627c42dfd6b3a6c7a890c9686133317a3a1

SHA256
49cba11dfc28a83a3a2a3702de8888b8f6c8af443ac081bd33644134ffb69d12

SHA512
705c684ba9fdede0ffb574393d97ca84ffacf55e630a587a9f42e79cd61ae611ab011f3a2947efc0a2221ec8f19891a7f580f16b687868afa6e671cdb330133c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\msvcp140.dll

Filesize
557KB

MD5
9295c8562a1e4ae14c6f85d8e4a0de02

SHA1
9191be8a3641d87bfff9eb2e1108e5103894248d

SHA256
4ae33a369b360da01b1f8d98f36bb3cb2f75e3b52f4d94bae59d7f206ee33019

SHA512
331a61033b247947ea32a3e0d78c5038b04d050b0b854489a66fd65b67ee7b7fb3cb7902a68514de0a0251cf8a89441ce634d7c9c80e80b7bf37057c983cf804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\msvcp140.dll

Filesize
557KB

MD5
9295c8562a1e4ae14c6f85d8e4a0de02

SHA1
9191be8a3641d87bfff9eb2e1108e5103894248d

SHA256
4ae33a369b360da01b1f8d98f36bb3cb2f75e3b52f4d94bae59d7f206ee33019

SHA512
331a61033b247947ea32a3e0d78c5038b04d050b0b854489a66fd65b67ee7b7fb3cb7902a68514de0a0251cf8a89441ce634d7c9c80e80b7bf37057c983cf804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\msvcp140_atomic_wait.dll

Filesize
55KB

MD5
889b09f877d57b8307a856e357a898eb

SHA1
0b8f94b4ae8968cf21ff7aed3d98b3d014f7fe4b

SHA256
9368909654d4502cf0993ff8bfc74d7959edd405e5003e406419b02830abab1f

SHA512
6043a7dfeafd0eb4d71db8ad3ba795f0905bfddc4b8ab66a573bcf23ad7fdff6783c03e9c974a88162bd0939a1d2c0d680ded32419966b0fac98a73b4b56b3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\pa-Arab-PK\localizable.json

Filesize
4B

MD5
c443b04d0fc26b0a5a4573a78e0082a1

SHA1
3c957535345645dce7190b85eb10b39da96b2518

SHA256
e3566b3a06430868d71e9287dfd6c6c520a3da027aabea01951d407ee131dc2f

SHA512
7bbf6dac485c9e59d02edabc91ff5b15bc1319cef6905c0077ee16e3b1f572b61bff85f2400bc0f5b4aeab0260bd5d68787d72c7a688d79192952f7957a44de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\vcruntime140.dll

Filesize
96KB

MD5
d2803c2fe7bf66cbbf5ecf91c983ccc9

SHA1
8d6cb489a5c87ba94b5ed97c77b2aa79bc2bdc5c

SHA256
718f8707081b815de85a2d2f285b84872a6cef5b29b4550402340f23ff7ea448

SHA512
29fde5aa4e38f583384fe81bf07d692773dfbf087fe4187cc59b36e9f464059f2455744452a7eba2b463bf27b2e3606a5ab26948ae5772b5794ab8f3e1163a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\vcruntime140.dll

Filesize
96KB

MD5
d2803c2fe7bf66cbbf5ecf91c983ccc9

SHA1
8d6cb489a5c87ba94b5ed97c77b2aa79bc2bdc5c

SHA256
718f8707081b815de85a2d2f285b84872a6cef5b29b4550402340f23ff7ea448

SHA512
29fde5aa4e38f583384fe81bf07d692773dfbf087fe4187cc59b36e9f464059f2455744452a7eba2b463bf27b2e3606a5ab26948ae5772b5794ab8f3e1163a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\vcruntime140.dll

Filesize
96KB

MD5
d2803c2fe7bf66cbbf5ecf91c983ccc9

SHA1
8d6cb489a5c87ba94b5ed97c77b2aa79bc2bdc5c

SHA256
718f8707081b815de85a2d2f285b84872a6cef5b29b4550402340f23ff7ea448

SHA512
29fde5aa4e38f583384fe81bf07d692773dfbf087fe4187cc59b36e9f464059f2455744452a7eba2b463bf27b2e3606a5ab26948ae5772b5794ab8f3e1163a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\vcruntime140.dll

Filesize
96KB

MD5
d2803c2fe7bf66cbbf5ecf91c983ccc9

SHA1
8d6cb489a5c87ba94b5ed97c77b2aa79bc2bdc5c

SHA256
718f8707081b815de85a2d2f285b84872a6cef5b29b4550402340f23ff7ea448

SHA512
29fde5aa4e38f583384fe81bf07d692773dfbf087fe4187cc59b36e9f464059f2455744452a7eba2b463bf27b2e3606a5ab26948ae5772b5794ab8f3e1163a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\vcruntime140.dll

Filesize
96KB

MD5
d2803c2fe7bf66cbbf5ecf91c983ccc9

SHA1
8d6cb489a5c87ba94b5ed97c77b2aa79bc2bdc5c

SHA256
718f8707081b815de85a2d2f285b84872a6cef5b29b4550402340f23ff7ea448

SHA512
29fde5aa4e38f583384fe81bf07d692773dfbf087fe4187cc59b36e9f464059f2455744452a7eba2b463bf27b2e3606a5ab26948ae5772b5794ab8f3e1163a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\vcruntime140_1.dll

Filesize
37KB

MD5
d8bf849789d9363066fc641b88295819

SHA1
c936365cb74f04b12b4449045900072898d2e3be

SHA256
e282d8a733476e62aaebeff37dcb2285ed03448c25ae45fa4918da8030a20073

SHA512
5a5dfdfb1c7fcb55a93444475528a9a3fd3c3baf0499452a18d8cfdf3369ab7635f5da2900ac132a52384f4d6b93b04503433a58a97cef2405a6b9e00e18712e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\23.209.1008.0002\vcruntime140_1.dll

Filesize
37KB

MD5
d8bf849789d9363066fc641b88295819

SHA1
c936365cb74f04b12b4449045900072898d2e3be

SHA256
e282d8a733476e62aaebeff37dcb2285ed03448c25ae45fa4918da8030a20073

SHA512
5a5dfdfb1c7fcb55a93444475528a9a3fd3c3baf0499452a18d8cfdf3369ab7635f5da2900ac132a52384f4d6b93b04503433a58a97cef2405a6b9e00e18712e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.Settings.db

Filesize
16KB

MD5
26582ba5881206cd6aaf862d5f0d779f

SHA1
c6627ed0ddf710cc4d0120391087121eb5c05ff0

SHA256
79947c8d10b7237f5598921bb5633de38a9a2b2b3376d8c48acd53309b569eb6

SHA512
5bf6079037dc391e851f8261503a56352a8c8a664026a0edbcb6f2fae09c0464855762998a45752506c621d19233745e5e9d6c284355b8793bb5b9850fb13cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\settings\NucleusUpdateRingConfig.json

Filesize
73KB

MD5
5a5a27167f172ba9bc5d9f58958a0848

SHA1
f92f5a2c93aac2ab134b2f253f83bc412ce85342

SHA256
80ff0cfbfc1c2ba9a8061b730f64dbde332bbd894b4a51c1bb37cdb661284bc8

SHA512
8758ac27723f134e6fc3cf8147fde514ae3410a846d889bba096e4ea039b436e461ff35dca53c21d6bcae226997ef2f75b9cf367b38a9b8c7f4ef9c5ebab83f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Filesize
3.9MB

MD5
640066423ccb8a3e8feaf63e0c093349

SHA1
94c7e7c25c4576b0b5eddd4b1faff813dbee7a0d

SHA256
bf713e3e5b7c209b0c1d458e705abc2cf3795997aa6df57e002bfe4e86290c1b

SHA512
850607a7f785c0c414d8c0b45b0a0245e01cad42c53ba0541051ad94a2f0265ae127a15fca916dd9af6b2a93a304bef4b5012f3f10cc32853b1067742822711e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Filesize
3.9MB

MD5
640066423ccb8a3e8feaf63e0c093349

SHA1
94c7e7c25c4576b0b5eddd4b1faff813dbee7a0d

SHA256
bf713e3e5b7c209b0c1d458e705abc2cf3795997aa6df57e002bfe4e86290c1b

SHA512
850607a7f785c0c414d8c0b45b0a0245e01cad42c53ba0541051ad94a2f0265ae127a15fca916dd9af6b2a93a304bef4b5012f3f10cc32853b1067742822711e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\ECSConfig.json

Filesize
355B

MD5
a99b07ac7373122b0c0c1ecc284637bb

SHA1
def7983cdc95472faeb95ddff1a457deeae46caf

SHA256
3362ae8c354763dd2b562fc87a2233d91748a7689c01cea03d0782bd494739e4

SHA512
4b57400d69b395fbb023d53d81550cc2dcba9836a6d27fafd04b8e044883b6f05d2d6b3d7560245d55afc79a9c4ac9fc15d5bc558813242902d8de0ddb40ba33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
62.0MB

MD5
ef4808cd6214be95c0fc4d1056c24172

SHA1
e36d107fe61797a0bdb17ddce772b8a7cb61bc38

SHA256
e2b5f96d776dcee8e616eeaed767ca09cb9d204a0c3033540e980c22b80cefd2

SHA512
7dd609c61a87c2d96c7d2bbd94e206befdac12ef05effb0a86a2f8db5d5cae8d879fcc5b750ffce0a52b59093aa1ba1f6714c008e58f3592b3ae4bc7ec9e9f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
62.0MB

MD5
ef4808cd6214be95c0fc4d1056c24172

SHA1
e36d107fe61797a0bdb17ddce772b8a7cb61bc38

SHA256
e2b5f96d776dcee8e616eeaed767ca09cb9d204a0c3033540e980c22b80cefd2

SHA512
7dd609c61a87c2d96c7d2bbd94e206befdac12ef05effb0a86a2f8db5d5cae8d879fcc5b750ffce0a52b59093aa1ba1f6714c008e58f3592b3ae4bc7ec9e9f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
62.0MB

MD5
ef4808cd6214be95c0fc4d1056c24172

SHA1
e36d107fe61797a0bdb17ddce772b8a7cb61bc38

SHA256
e2b5f96d776dcee8e616eeaed767ca09cb9d204a0c3033540e980c22b80cefd2

SHA512
7dd609c61a87c2d96c7d2bbd94e206befdac12ef05effb0a86a2f8db5d5cae8d879fcc5b750ffce0a52b59093aa1ba1f6714c008e58f3592b3ae4bc7ec9e9f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

Filesize
62.0MB

MD5
ef4808cd6214be95c0fc4d1056c24172

SHA1
e36d107fe61797a0bdb17ddce772b8a7cb61bc38

SHA256
e2b5f96d776dcee8e616eeaed767ca09cb9d204a0c3033540e980c22b80cefd2

SHA512
7dd609c61a87c2d96c7d2bbd94e206befdac12ef05effb0a86a2f8db5d5cae8d879fcc5b750ffce0a52b59093aa1ba1f6714c008e58f3592b3ae4bc7ec9e9f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

Filesize
73KB

MD5
5a5a27167f172ba9bc5d9f58958a0848

SHA1
f92f5a2c93aac2ab134b2f253f83bc412ce85342

SHA256
80ff0cfbfc1c2ba9a8061b730f64dbde332bbd894b4a51c1bb37cdb661284bc8

SHA512
8758ac27723f134e6fc3cf8147fde514ae3410a846d889bba096e4ea039b436e461ff35dca53c21d6bcae226997ef2f75b9cf367b38a9b8c7f4ef9c5ebab83f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEA6F.bat

Filesize
722B

MD5
781e5c9639eb4f7dbc0cff55ccc6d370

SHA1
d55e269c31efae93fed618ab78053e8834a255d4

SHA256
96d2dcab9c93e470fa196cd2d58e7fb7c58d1aeecdeb90473057e4025985e274

SHA512
240deca25cdae612677d970b6a7c28027a1190dfa4ae362a4b6bd6d4df5d3b6da526d4e11e7d1efac57b07242aba69ddc65afe7b2ce20a08449772722c3d5ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe

Filesize
3.9MB

MD5
640066423ccb8a3e8feaf63e0c093349

SHA1
94c7e7c25c4576b0b5eddd4b1faff813dbee7a0d

SHA256
bf713e3e5b7c209b0c1d458e705abc2cf3795997aa6df57e002bfe4e86290c1b

SHA512
850607a7f785c0c414d8c0b45b0a0245e01cad42c53ba0541051ad94a2f0265ae127a15fca916dd9af6b2a93a304bef4b5012f3f10cc32853b1067742822711e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1ba113efef403279542c4094f1a70c86059c03b91ed230ba26b9d27e8175600.exe.exe

Filesize
3.9MB

MD5
640066423ccb8a3e8feaf63e0c093349

SHA1
94c7e7c25c4576b0b5eddd4b1faff813dbee7a0d

SHA256
bf713e3e5b7c209b0c1d458e705abc2cf3795997aa6df57e002bfe4e86290c1b

SHA512
850607a7f785c0c414d8c0b45b0a0245e01cad42c53ba0541051ad94a2f0265ae127a15fca916dd9af6b2a93a304bef4b5012f3f10cc32853b1067742822711e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp390C.tmp

Filesize
56.7MB

MD5
f3ffbeb5658ae017a1f3c8d0753d6211

SHA1
d7cfb036b13eeb5d68f9e40dce74e4062f03e3b6

SHA256
2606a7395e0b3873c54ebd13e53d861f6fe14d073232d2d53e6bb6e7a8ff03ac

SHA512
83eb2219522023871726dbb2719c04f4121fe6bda59e3ca0d855b093c536d021cda5dce867bb63f4b831d66fb2ac142dd2e740c0973fbc8fdb037d0f7167e5df

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
886eb3bf6157b45d4a041e1e32608c70

SHA1
f476a007366ac0349789b0e803ec46be523f457a

SHA256
a0e9eac517b54fe732db8bf9ceeb76c64a43e2e53bfd18b5a4ab0f8475f3873b

SHA512
6e978385b23d3054695eaf2209e92591a667ccbde747f69cb63ae28f2db3a362d136bf16afb41ceb8eb304161cc698853f9cb825a26cc683e9a693d07c190fca

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
886eb3bf6157b45d4a041e1e32608c70

SHA1
f476a007366ac0349789b0e803ec46be523f457a

SHA256
a0e9eac517b54fe732db8bf9ceeb76c64a43e2e53bfd18b5a4ab0f8475f3873b

SHA512
6e978385b23d3054695eaf2209e92591a667ccbde747f69cb63ae28f2db3a362d136bf16afb41ceb8eb304161cc698853f9cb825a26cc683e9a693d07c190fca

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
886eb3bf6157b45d4a041e1e32608c70

SHA1
f476a007366ac0349789b0e803ec46be523f457a

SHA256
a0e9eac517b54fe732db8bf9ceeb76c64a43e2e53bfd18b5a4ab0f8475f3873b

SHA512
6e978385b23d3054695eaf2209e92591a667ccbde747f69cb63ae28f2db3a362d136bf16afb41ceb8eb304161cc698853f9cb825a26cc683e9a693d07c190fca

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2231940048-779848787-2990559741-1000\_desktop.ini

Filesize
9B

MD5
a496dc6e67a7c97fe6b5f93f052c5de1

SHA1
91d1cbd786e4ca543f5d364b42273efd1be384c5

SHA256
f656a696c47b2c37afecab6674210ad082849577f4763b778f81ca947bef3e63

SHA512
850c4fe29e0fa3388cb06d91a85330c1ac5eed337d23d2b6ee3d74142941dba27a49485ecf4a8cc73800c8c22d207b6586447ee3b20443f9a0e355614a6a1cb2

Download Submit
memory/4684-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-1432-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-1490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-1493-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-1606-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-2550-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-3982-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-6287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download