Malware Analysis Report

2024-10-24 17:05

Sample ID 240202-tkb2eaaaa5
Target soan_2_2.zip
SHA256 94c0a9f4adcb87a5705f7ad0776b27ee6471131f21fadad162de21590669f649
Tags
pyinstaller crealstealer discovery persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94c0a9f4adcb87a5705f7ad0776b27ee6471131f21fadad162de21590669f649

Threat Level: Known bad

The file soan_2_2.zip was found to be: Known bad.

Malicious Activity Summary

pyinstaller crealstealer discovery persistence spyware stealer

Crealstealer family

An infostealer written in Python and packaged with PyInstaller.

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Registers COM server for autorun

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks system information in the registry

Unsigned PE

Detects Pyinstaller

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 16:06

Signatures

An infostealer written in Python and packaged with PyInstaller.

Description Indicator Process Target
N/A N/A N/A N/A

Crealstealer family

crealstealer

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 16:06

Reported

2024-02-02 16:27

Platform

win10-20231215-en

Max time kernel

346s

Max time network

866s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\soan_2_2.zip

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /autoplay" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuthLib.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{A87958FF-B414-7748-9183-DBF183A25905} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\PROXYSTUBCLSID32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\PROXYSTUBCLSID32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ = "IGetLibrariesCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ = "IFileInformationProvider" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import\DropTarget\CLSID = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer\ = "OOBERequestHandler.OOBERequestHandler.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TYPELIB C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\TYPELIB C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\NucleusToastActivator.NucleusToastActivator\CLSID\ = "{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ = "IFileSyncClient8" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID\ = "OOBERequestHandler.OOBERequestHandler.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CLSID\ = "{AB807329-7324-431B-8B36-DBD581F56E0B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1\CLSID\ = "{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\ = "{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\TYPELIB C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ = "ISyncItemPathCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_CLASSES\WOW6432NODE\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\soan_2_2.zip

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

/updateInstalled /background

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 225.88.219.68.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 132.194.113.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YLFDN1IZ\update100[1].xml

MD5 53244e542ddf6d280a2b03e28f0646b7
SHA1 d9925f810a95880c92974549deead18d56f19c37
SHA256 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA512 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 aded4aa943525cd7b2d441c47ec2b259
SHA1 ccf282730df48e617cb775fca1140ef7d36bc17c
SHA256 b25948a8f08852b8429f028914376ad3f4afa507708481c3df1a05c1af457ac1
SHA512 0baec066aa6c1bda75c2b2e3e721f1e03e9569eee8e43a896cafc5c020f35ae704372d00899d68c923079f57276405131f51d8465e69f21243e22801b8040255

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 62fe0c765b7125d0b053d74588ba3d45
SHA1 0de31ceeb9db24c51a8506673dbcfcbbbc8b46e6
SHA256 19bb9c6dd3ebb9f50d6baca19eaaaeb0a0759c6f1705f874ffea5cf9ed927618
SHA512 f4b635c193eee16dcda3f59ba2265bec5c03378c0bcf99889233a99e8cfe6ca0cd1b140b6fb1939d4b84174d099e289ee582a40998fd98c646fa0c5fe8f474b4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 d8fab3f2c80a14d9c90a61099e9436e1
SHA1 3203ae30c08a75029a89594c9895f77208c83667
SHA256 00f566ecea462f7b21ecbffb8aa2a7e40b4ed546cddc87d7c0dabbe115237580
SHA512 42382159275c6a19a154165353a36ea50d9a7259842d9f7af52681337d56a49f74b4619257eb3c4a14fe4e3bf33054e25c709d189ef6123cf3af90aa4861c095

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 53d730faa9948634c6c403e999a765f0
SHA1 ebd6189d01e51822c883a335973dc5f7c6009d1f
SHA256 0647e3e48e84143a24c5559cc4a22dfe85ee1d22a595a8966f08441b5a6cfbe7
SHA512 d45dd3912145dcbc7a38506f55e2611acfef84234b5457e068273881f7bedccd1b4ada5a148326d1f3b9e0daec69272e868e1f92bf271daaccf23c49dae840d7

C:\Users\Admin\AppData\Local\Temp\tmp19EC.tmp

MD5 652ec82af8aa614631131b788850df89
SHA1 a579facd902be530fda89c10921b7d1480518ada
SHA256 80b4041dfedd8830d2e9bca7154b351351fdb725ad2061d89a09393f0414c53b
SHA512 7fa9fa7de89f480ff00b7e93961b22871f15e12460401ce648845fd6b3a23d426619f77e64b4807f2fd6916640bcaf2081b27e7ee6c88b631daba2875e13b78b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

MD5 cc04d6015cd4395c9b980b280254156e
SHA1 87b176f1330dc08d4ffabe3f7e77da4121c8e749
SHA256 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e
SHA512 d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

MD5 09773d7bb374aeec469367708fcfe442
SHA1 2bfb6905321c0c1fd35e1b1161d2a7663e5203d6
SHA256 67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2
SHA512 f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe

MD5 ea6a4de38d96cb0a164f8626a7624e0a
SHA1 fe61adc62b6ef6308a0234966ff650df7020fe0e
SHA256 bf9e76166d1c3a7f834d378d2d710790cb0dfa9550cb708b235396b23f840f60
SHA512 eb71315e7f5507ce26630b98a0e24e6e4b68dff4fdc846adcb7d8ffc6994f77bfa6da969cf8b357ef6e92076e7235966779856c015695d4b1f31ccbe8082fe52

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

MD5 3c29933ab3beda6803c4b704fba48c53
SHA1 056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c
SHA256 3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633
SHA512 09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml

MD5 5ae2d05d894d1a55d9a1e4f593c68969
SHA1 a983584f58d68552e639601538af960a34fa1da7
SHA256 d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c
SHA512 152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri

MD5 7473be9c7899f2a2da99d09c596b2d6d
SHA1 0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac
SHA256 e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3
SHA512 a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe

MD5 85e1b7cb5f06e97d5cb8bfeabf5bb5e3
SHA1 20d250e4b3f2edff83ab6e491539f6cc93d8b167
SHA256 38ad1a585c30ce17a7e86db323f533d019711dce1f8aadd4f5515b091371cef8
SHA512 92c4eb5a38da25119a9bcb3b48e0c6887b15ee8aaf1e90accc49de07cf311c2a747e812197699d8236038d7c550eb8331edfe230173c56f85170dbf828b768e8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png

MD5 096d0e769212718b8de5237b3427aacc
SHA1 4b912a0f2192f44824057832d9bb08c1a2c76e72
SHA256 9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef
SHA512 99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png

MD5 d9d00ecb4bb933cdbb0cd1b5d511dcf5
SHA1 4e41b1eda56c4ebe5534eb49e826289ebff99dd9
SHA256 85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89
SHA512 8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png

MD5 ed306d8b1c42995188866a80d6b761de
SHA1 eadc119bec9fad65019909e8229584cd6b7e0a2b
SHA256 7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301
SHA512 972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png

MD5 09f3f8485e79f57f0a34abd5a67898ca
SHA1 e68ae5685d5442c1b7acc567dc0b1939cad5f41a
SHA256 69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3
SHA512 0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png

MD5 1f156044d43913efd88cad6aa6474d73
SHA1 1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26
SHA256 4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816
SHA512 df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

MD5 22e17842b11cd1cb17b24aa743a74e67
SHA1 f230cb9e5a6cb027e6561fabf11a909aa3ba0207
SHA256 9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42
SHA512 8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

MD5 552b0304f2e25a1283709ad56c4b1a85
SHA1 92a9d0d795852ec45beae1d08f8327d02de8994e
SHA256 262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535
SHA512 9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

MD5 2c7a9e323a69409f4b13b1c3244074c4
SHA1 3c77c1b013691fa3bdff5677c3a31b355d3e2205
SHA256 8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2
SHA512 087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

MD5 f4e9f958ed6436aef6d16ee6868fa657
SHA1 b14bc7aaca388f29570825010ebc17ca577b292f
SHA256 292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b
SHA512 cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png

MD5 e593676ee86a6183082112df974a4706
SHA1 c4e91440312dea1f89777c2856cb11e45d95fe55
SHA256 deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb
SHA512 11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll

MD5 c5492e88487a89786a238aa0326ecdae
SHA1 b34859c1ff5916eefea8c190f84471171fd9204b
SHA256 f93983bd7e360165d64da61a2cbab2e5932227c2f1d38485d74d2fe3cac95f0c
SHA512 46ece6f3d6cf48b49cbf6332f6350deb8ed674cac51a52189dd9102d112ef8bb51e13197e408080f98f35080eafb5d410396b4876317a70d8645f37f02446854

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll

MD5 90f7bbc40d8ab8ba956e18e5bbe8b6fe
SHA1 7ed27deb554fd017fe45d93ed69eb3580dae5d6c
SHA256 acac6ac7d8f8eeca6e07533b28e90d5a3cab9c4c84db39dc1205a0e364d5c444
SHA512 67234df6bc005d347e0e17f0c10566db2e5d3fe9742f2043b627a68712ddeb9a5a320af617a2232f09fc8243abe4b93bbdbd8a7a552a2fe336ac237d8762adfd

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll

MD5 b3a9fbefe44d100da641f671fd8a0d93
SHA1 bec9544067efa61fa849f35a1b3c55dbe597bfd5
SHA256 d5f8f00f5ad68bbd7f5b05e994e3731ba860602e8a4161671baa538b044dc5dc
SHA512 195a27150e255a9b1e775c0d03de41119b59a6eb91b7a59d38507ce661725d13f7aa250473002554c89cc5c4af525f10648d7c62f3fa67b0c52870e0cb0ad269

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll

MD5 63fe699cabf3397b8040800e021eff7f
SHA1 1e6785e22677f70de4417f727349b599b8cba2e9
SHA256 57f257332beba19628cf5dff2dc10515db5d07e070e9e12b40e8cef0525230e8
SHA512 8406245437472d292cd80758f7e131014e10c4fab9d6c246ddb75af284f9a3b49593039a5f66811ff829c9d98804bb421889539e0a2401ea90b6a84efe5315a3

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll

MD5 f53491346c6f42111544c1b2b4b86905
SHA1 e6e457230f6f4117066ba14b9b162be3eb3a7156
SHA256 d06600a0f386cefc1b694763757c1aeed33f360f2963e05e90ce699eb9ae3ec5
SHA512 4ac7f4f8149efdd82b202ccda4a47873449519e507b448e095e9a5ff67fbbf248c983307e49d9716525f5e7f96cde86e68dd51e2efba4f08b1c10fe7d9b5610e

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll

MD5 cefcd5d1f068c4265c3976a4621543d4
SHA1 4d874d6d6fa19e0476a229917c01e7c1dd5ceacd
SHA256 c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817
SHA512 d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll

MD5 d1fa069e1ff5a1314d31eb4efff29725
SHA1 f9ef5f9f25dfc22de0478e85001a728b683c5800
SHA256 3cfada409e5335ecb78cd87acca0570801c9477d9f8406f97f1acdd892e64d1a
SHA512 80ff1bb73df718052d84528eac0445a9a62de2ceada721a40a92f76df7d0b92a68e7581af52fbd834e428f87a334c4880e84de95ac217917cdfc93dad09b8064

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\MSVCP140.dll

MD5 f4d6a2e2d08d92767e631a620a235655
SHA1 42157c05b5fa862e8989327dcb935d89e8698b33
SHA256 230a0d67a2df442ec90effbfcecf8d2cbe3a0a7257463a568a37d693adaacfa6
SHA512 f346edfd265e2401c3aa45fc12e438c65aeaad9afe430999507b871d1122c957ad3836edaaf078d2959df96f2d175aa089ff9200fc46649154a2116f7addc0c5

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll

MD5 2da0b7f96c2884f6371ffe303c60bb18
SHA1 4cdc45e5b34d3407dd77019c6a58091336c94c57
SHA256 aa6b880930f1e7f244de21a2e1cc0db003652533b54adcc4366170294d5e269b
SHA512 3910d33352afcd17b8a2147ceef7f1b192fdbaa04d04d7da158367889f816b762c8ca681ccc7be7fd09c3cade728e8b440e525bb5877decd459cd4bb7e466cc5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.DLL

MD5 63e421e3c48f0157d512967d1a62e75d
SHA1 ac1b70e155a0b438d2347c9f86001f64c2d4f701
SHA256 2da4fe0743c039ddc1b310f014247c0f0d4aa31c7c22715cf12b078b6d9fdff7
SHA512 bae4200735eb2a7e765be290ea81c34f368e18cc31f74988521de478636a7de4b1ef126503349fac0a735333d0265e0374e9f7e798fd80b173b2ee06a46fbfbd

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

MD5 239a61b89e11eb164f8e95a03129f8f2
SHA1 00d4f7976758a84e8fb7018f3da77d82a940dd34
SHA256 df36bd465e044c61c200a8687ba1614d548d0a37a4009da7952c1b627de97335
SHA512 4dd94a7edaf6b97b81ceb499a3901a92f626cfab074c8218f5ab7a79e5564bb223834c1aad8c76e7e989daf7ba38405225ded956b6f9866e2e657ec6ce34fc8d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png

MD5 13e6baac125114e87f50c21017b9e010
SHA1 561c84f767537d71c901a23a061213cf03b27a58
SHA256 3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e
SHA512 673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveTelemetryStable.dll

MD5 ec5a3529cbc44086d344ec5db0276cf1
SHA1 6bb238684be427533bfeb0046e8a81fe02064f55
SHA256 3ac2ad82c76a26ec23c55475a00d74d80053a2b5fe4fc551554d99558dee00e7
SHA512 816d7365699f5046b5134b5f727db40e0264804cfd7b90748c60a24f2efb925b3c0da4b97cf605ff99082896b4523db650e1e0cbe201d33ab073a5530fde18a2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogUploader.dll

MD5 7641ff13332b09216b25010946db659f
SHA1 3f4b253fc42b007276905e1f3e83d04a62ce3b82
SHA256 699f84844e0bfc89340b120aef9d51a31325cb61d97c67cfd7dfa3477248f215
SHA512 57e74cb88a92b89df76d9c85f5adaf4805429ae8465307f59d6b7aac4569bd562b167f1a339cd4da881bea0bc48ed1ea1d810161ff60d389437cbb7757563258

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5WinExtras.dll

MD5 65f9e865a30b033181eef3e91feb2f6e
SHA1 35ad169a46f875c3ef0d5b556c794e780bba66db
SHA256 421df99771052696642b56e784b133448a46d2ffe64c40d6a09230d6caa58205
SHA512 45035ac06b45010850fcb5db3d5726c4272ed2e805196289303e425a54b56d6e8a2e6f0afb808deb1c7974bc338fec1a572c9fb2f9f1dfea1c428741425868b4

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5QmlModels.dll

MD5 ae15759bded0056dfbd560c6edb265a1
SHA1 45a2ad5ea01e3b135bd45b509be82416305d6d98
SHA256 ff61ff5c37f4e9cfc0ef470eddcc7564b9e2fe4b33cdda281958015e794b27da
SHA512 bee0fb17d371e94218b5c77a31c558bcae93f11280920ade37d5e04bcf7c424f4cb588e41d7a44564c15fbd477a1f10be15ea9918fddcc38e5b87b0f1b98683d

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\libssl-1_1.dll

MD5 332373aaa18e113a561a25c70a7143dc
SHA1 48455de78d0e89b913986e5ae3f1a41377488149
SHA256 8211218a223909324fbcbf66db5e6adcef89a7b33f0d7d85b33fa0967ad189bc
SHA512 969d95cfcaf0887594e94ebc5e7b418d0eeafa6fcd207187c6b234903b4b51903ffe7a272b7b8ec2c4364bbe2859fbeb4ff10cdea2c115ff20eb610f12abf009

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\libssl-1_1.dll

MD5 ca0d6538894893d5cd95cd38febefb15
SHA1 75ef6fa57b4a66893166c191f8fe7d0ddab7dc4a
SHA256 b554fb725fe91f3992da73b0ba4be09702792462d06eeca1f8ade2e9a52a56e7
SHA512 2c57016d72cf0c9b6b1dbf9c2fe4bfa663088dd7894f2a31949906170f6cbfd874848c86a0a90e48f5612664ece980b6f88714eb21ea3c3b221a559ee96f5163

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Gui.dll

MD5 181302e3db1ccdfbad0a210317784162
SHA1 3a370bd986129a5068e826b83d7eacf36571f0fe
SHA256 3dfcb071a3f349740447804e2840d0d05e9213172a43c1ed3d9f24a80f30ef64
SHA512 ed58655cf09270c70eb993f343a021399a888dfb54d6da721e4324f8b69b5940d8cdc9a49d63ad1e015738b120382374fdba191c1c7d1c7013d693e4fd4f77ab

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\WnsClientApi.dll

MD5 2e9d037bd13115f7d00a7065bcda04a7
SHA1 019e0f1e6d6bc2acda7a0a562ad440c10399de81
SHA256 7718f142fe18ced9e255e486d9cf08ab8dd96acd42d6c3d20e7da927ffc9ea6f
SHA512 84c9a4b879c7cd872b960469d76ce2eb2af4bc8d852f97aaba1d59b427b21ff9a162ef8eec7f282e5934a02228042d1e6a3bd1b6327049ed26979719dd9ef3df

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Network.dll

MD5 a345b02ef3f1c02fa109b846cc710011
SHA1 6a3e18cf165ff448ed7e10fbb606b986e527407a
SHA256 719424727af753b036e411cbf0c7fae1d4f8bae63db0cefe49384724d778a775
SHA512 3f42c5e6ea19114536741f434efba97e5294a1304dfce4447e57dd178ce99726027446215a97efa4deeb1832dee45f216381dc6b79732315993a5bb69506083a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5QmlModels.dll

MD5 7ca509e56c0c2c01e2b2d513cee64b3e
SHA1 ead63b63ddd9b2ad716b2b6555e85cc02fe9eeba
SHA256 7bad451bf3fe06a7f02071a908b9f5c284d3e8879c49d94ce8eafabf4f187933
SHA512 7284979e951d5e3fa0d2bf005c7a9226f19041517d033ab423f0c24cd86e4b29886b69e2f15ca791cd1a40e9d9f80bc76047bf0ee4083c617ff9c802c16b2e50

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Widgets.dll

MD5 3a425315ccdf84abddbe25748b2d0bfd
SHA1 0a6dcce697681aefdc84c5629da55611781eef8d
SHA256 fcca126a2065c7951739aa299986f8a343b750b41365ac35b69425ee1d3cfb16
SHA512 25cb19028b16c257e892ba85b42189ac09051e7db4c997558fb19e3523482728091f403829abfa001440d2c9ab5fdc4fcc9e1c6be053e70ed16960876b3b3363

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5WinExtras.dll

MD5 f71c21e523fbbd02e044f83a38a660b5
SHA1 9318ec09316e21e412391e25ba2be3dbebeb6354
SHA256 13843b14a899f1313365ea781348ef25cde24174e590ed56ebd2fcfaaac2b056
SHA512 3d95693a1a6247b2491110c4ea61035352237eb13226a4f4bdf72f38de41fb36dd38bcecec3201e054c63fc0d90275cf92d6bc6eca419d0e068a02f67d698259

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Network.dll

MD5 fb5f0a49ffc41f1d3b1b4cb26dcf9de4
SHA1 73b5cd77bf4726874626682b5f4a055bd362fc48
SHA256 342ee464122895e8eecce3a4289883d44e47da69346668dea240c53483f5246a
SHA512 423cf59c9f6256547e30256471ea0147510641a7d704a6ac7e3b57a38c9305848cdd2e760c1100f55f86dd26f705298b077bcdd2406ca023a26f8897e9d7a814

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\libcrypto-1_1.dll

MD5 15c504d2b45a10c2a8a624b5d618d668
SHA1 5fe03ba326b5300fca3e15650387c267e8a6ba8b
SHA256 078f296eee7fd8b3417142d7da2fe8742f8650a2d4943e920a496ceae7d60153
SHA512 4e6e7a63f05fac9fae08f83aaf04271c6478f7af29a0be67b70284ca9cf22a663578d40be3325e870c1a3e6fbcfbc0f25d00dbc885147ad60fc2860c6a7fbf89

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\libcrypto-1_1.dll

MD5 ae5fc2a07155537c32ec59f4d9363a5a
SHA1 e0b6ebabef14f6c4d0883dcae7f413a58696b1e4
SHA256 ee08d7ae594a350aa07176347f5fbd63d83e2daaa63591f54f51322663915dcf
SHA512 6e9664e405817c303fa9cbd1532efae61e909931dae9352e163afef3ebc2813703af3c08e9fce1695b60b86ae14c2d0377c65fef972ce6e73b38a5441a6b4068

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\SyncEngine.dll

MD5 9c65a8f2e87723a79868b4791425cef6
SHA1 2d9757521a7e7d20598d535983300bc5df889bb7
SHA256 689ba41e3dd6eab9a3231cda590f788d506bbcdbbdd81ec576142568ee7cee02
SHA512 9a430ecca89441a99e38629045b823f7b5f6c7f1c9c77c21001ed8d9818bba8d7c3a05e931c234cfe548f88d2a11af4eaf3ae637f5d7f175f29111fef8a8f22d

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Quick.dll

MD5 6e4a6473125f394a6c5995263c3964e2
SHA1 77496f0960c64e14dd773611925bea64743b42b5
SHA256 63b25ef67d9431e0a7e019cf2f511a856f50e54316e95c3c0d95f4dab5893192
SHA512 861587108542e1c85a1647abc9b9b1706e267c29cc6184306bc466298864f9c933decd383f61fec53f59cfc641ad010434a2f0fb15e0e1d06aba098397d1d735

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Widgets.dll

MD5 178ba831938b21e1db955107b47e59dd
SHA1 a744af3157fce0a319a590c89f5e1037eac52392
SHA256 5f87116b6724276fa9c3b43e778287b177fd47c7d20bcfc4691be8d8c5dae618
SHA512 c14b6a7d22e0a1214212b765e88b6b1b3213f9509976dd6aa3432aeb1778c5858e59e57d04d4f78923a1e99d97de359c00e0f534a86aa1f03428a4ed349e3215

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Core.dll

MD5 9fd3090cfe1d877e5bc9b9aefa767a84
SHA1 a8baf0f66e4f7255926d639d658873a49670409b
SHA256 874cbec08ad1317e0807f8f687862817bf62bb35ea0474f2fb6d8fbabc78f59d
SHA512 710d79ef4a2b06a1fc879453a4daf652f6397df9ebd3642f1769504f95178cac868cbbbe9d0c4b400d27bc53c748ca728d7af73182b82b0bd95827764ebb5f68

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Gui.dll

MD5 1b4904f5759ddcb635d7a7d60b56f0bb
SHA1 867e33a510d21a62164619e9a330bc9792d20e5d
SHA256 4aae3c5d258e409e31424f2f81ba35c0dc2288f3b92fd559f24d14f781efe312
SHA512 a4d09f24391b6b68f0b83d8d266d8ac79a4efa1bb04a5ba0bbcb1a08346c8af2b0db07be9a9783a59cf042b43f6e966ba96b9817c40e384ee26038586e44769b

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Qml.dll

MD5 bf600ecd2e4c5494bee85f47db6a6947
SHA1 e5118f7ed60d50054cc322ed66aba18bccb2e7ad
SHA256 c3e8947861c8c6d11237cbe818d1011574c7e0f6025059674b3934b5ff67c02a
SHA512 3503ad52a0f7dfa0ee034706f74a9ebe14a636ea4912c7c059632028f0fbd5f0add0857ffe9e1cbd5e1e04f09136965ccaa5b841bfaf17a8cce98ce630542905

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Quick.dll

MD5 0c5faa41f289ef8f5f756ff8f046e88a
SHA1 8e7ae9e51587c114d84e1d19a8da3d823a8553ea
SHA256 38341dade9a7ddabbc2ea3c2c953e2df97c1c7f7ced0f3fd646a7406798c98ca
SHA512 e3cb820b8ab258e02f8650861a82f9a260dd62711ab496bfcf50ec3760fcb94aaa51baa840f53ce3759e8838489aeabb9ad323d183edae813405784839be86f4

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\WebView2Loader.dll

MD5 925531f12a2f4a687598e7a4643d2faa
SHA1 26ca3ee178a50d23a09754adf362e02739bc1c39
SHA256 41a13ba97534c7f321f3f29ef1650bd445bd3490153a2bb2d57e0fbc70d339c1
SHA512 221934308658f0270e8a6ed89c9b164efb3516b2cc877216adb3fbd1dd5b793a3189afe1f6e2a7ef4b6106e988210eeb325b6aa78685e68964202e049516c984

memory/4668-922-0x0000000007440000-0x0000000007450000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Qml.dll

MD5 707962c1a61647b4b08431273861d0f2
SHA1 8ee307a3dcaa470fda19d5d0d18c5825209a29ac
SHA256 6bd58bee1d3131010c36eb599a3c1466066f29405a18fd200dfb5a0f8f0184ea
SHA512 2a780fe87a8272c28ee127fcd7f0d971ca9ba5adcfd6668604d206f08af9f4867877de1480e705334ecdeec3504b81d93c731416dbf42b047b949a39001d379d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Core.dll

MD5 3b1cf13280e7c25222e94c5d1a7ee0aa
SHA1 bd055113c6cb1ccd99b0e08b99576b1df2d24f9b
SHA256 cc7f22665780d728e15440b84be943e8ad11a45eb919bb5d615a04c84bd93005
SHA512 fb26cec892a5cb2868bb20f877b2c4b60482b09fd5531e9c431a5c4b49be94d66cf4f9181f55ffa0d83b422ce44fe7c7eec366502642c4764d31cc5ba9543949

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\adal.dll

MD5 6cb3209ab281794c1074c70658d26c05
SHA1 e82444088e808d0c40149c3cb3fab620c91b10b1
SHA256 f9d39c05207bbc1ba05b861fcd3775368f9f5ce7c59dce2f7b082265543413a1
SHA512 17eabb80c0a79b0fd86e7311037378ef7cc5395105481b628a94532925a556dd0cabefe975acd5e0e324b3ebbdd35249afd462a1718b077b02e2a0865eb184a3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\adal.dll

MD5 612732ab8e3cb9c871676b09c54f4c04
SHA1 1845981b41048bcde51c279eddda2dfd893a2b66
SHA256 f3a0e33bc04e9daca63ab13d32d86ebbd928411435956b80f12a43fa43dd3777
SHA512 797682c6ba8a03de62d73dcf5391d98ee50151373dea80bf3fd48b2cf7713d3a03c408a66a8ab86e604f98cde755d4b70056283907bfb66d3f4a6e909f111a1c

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogUploader.dll

MD5 fbe918886d4441024d1e4c3abe4d47d6
SHA1 5d1179ee0500738a45bbeead033d7e4cf074a762
SHA256 21744585b39d3fcd9c609a5033c8bfcb28e9b85a99ebfd0f63a29b96ffd29558
SHA512 749ee68e1705c6b2e08b4c358ec9172a9c83d5c652b5f6661a3c3fc461618d3cd38336a0b18b1b65bc7ad5e400e437e8a427ca5cb5a40b00ef615aa34dff9742

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncViews.dll

MD5 db1bfbbbbda00ff890efc71fd07d6e45
SHA1 0381cc823d7a9e77567e38eb9107c7bc9163c352
SHA256 824c0983fa04c3423a2a1a927d2f6f703ad33246e1714da5cfa33a03a7a682e3
SHA512 6aca9e7c1278c8375998caf9af655dde2d50999ba716a44100b48be1b7bf0616624a5cf14488c3749fc6ab89e04d3799ebf1945aa62a2fe07e5148b9f3c6cf28

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncViews.dll

MD5 629973d5ea9c30f27b2c8483a216f33e
SHA1 398134a8a7c9277ce9c7598ea08b7f54115b2593
SHA256 1c6ae99f7f911bdc193d03a170b8fb55307ac3f1dbdda56e2dc750d53c4cea3d
SHA512 8323992e9d0b6c01d9549561e64374acba73e9c6d26809c55ca891141c66fa7d544c93b1e276f06faa437df573bf1245b629d3ceed26ef01d171baa932f5ca65

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncSessions.dll

MD5 8bd0fbb813d49b92f1c4be5768419680
SHA1 150626f8f398abb74b5e211743772df1715eb3ff
SHA256 e12c58d67cf8cbbe015f3547a12a670cf4783b21d9dd83c32b5b648933393e09
SHA512 37c3b46b971446d1439de63dcde60778e8031ce19c835b85398643c366653fe2f1f36568f329332893ae59aebba7df7335cc25e440c0af59020aa73a4b0c5cac

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\SyncEngine.DLL

MD5 376fd5564a1fbec0d35770d44776d302
SHA1 4e0b8cc7e9ea558af533e87b2efc35d6452aec7f
SHA256 5bf2c642848ce90eaf86fc62f8f6ecc091efbb7259e76ca920485a13e6f2226b
SHA512 bbed306609957f73ce544acfd90ea3c0d222165f51aeaa3d62ae481971f256b5de39a6838d5f47e87a26abeef317713556e76a0d546f791c5859de6d761ee8aa

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll

MD5 2661c6ef205c37e71cb857f3f0d3bc50
SHA1 9101bfdcc28279e7e8991173ecf17611875c26bc
SHA256 345843b6e037806b7d65d9ddfa4627d27e6819d90852bfe0bd78928e8fae21e4
SHA512 6eb2a720a269d94dfb8b8ac93ec67d44514903bcc383f55df1264a715e9cb960899f8744967569b766e9364061502181cebc42e55265da12bbd610af87da5aa1

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll

MD5 b0b3ae926067d8b446cc6c4045800c78
SHA1 b07754ade85b2df97b2f3edcaa41d815c61ffcd0
SHA256 08c1f65ec08dbe23bd3c5d7c7647e8d2845b44525ef8b31a613a18a9ef3f54ac
SHA512 109e86709a530711c0b87d534880ad3d3880d2aa7428f05ab53ed47a4ecc5aaaa64c4c6df2fd9bbb53f0fb63f58517fcc3a7b4e1fdd79230363f64d6257737b8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncClient.dll

MD5 27ae78b27d6aaa1b7cf0c7070744d93a
SHA1 f290c98ee9d7ea6bd8fa81bdc57d1012ed8b84b7
SHA256 6c1b8ad74a217158e76f8e83039b2e31f4abb7034edec98d52f4499a8ca3f0b0
SHA512 bbc1ac592bd8e13796e3773c58c19b9b6a2827ab6a7ce58b1a8be4c9cefc5124ddad1e592cc2279cf5748f591a944a39d66dbff42863e1e857324525bc10ad2e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncSessions.dll

MD5 b57dba19902cb89091d30ebb8d868b48
SHA1 7e847f460e77a68dd0e92be14d28c7a2687fbb3a
SHA256 f27f84eb494b0d5e95cf50c48d2992edc2dc7544517489e5c58a9eaca5826a69
SHA512 735ec1e951db8269c64b8cfd876d545ae6c4ed92557ad0f69ac0c1f42738d843fe222e932ff98f65414e840721e5974beb9aec24255648f82bc99b85f00b5976

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncClient.dll

MD5 6c2fdecab5e7e0280216ac6113c8003a
SHA1 459596e3c332d9d049549fe961d69c4198c04e50
SHA256 c46a22b8acc1d260393cbe2787c79dc7083128da7b9a5663b5633916746b2375
SHA512 516730780154f608999238fafc38eddbc0dd0a6e556acf0bb1de92208e8a9463f7ed0b19197e544f784790f47df69b565fbc660861fb558a98b07f3df00aa019

C:\Users\Admin\AppData\Local\Temp\aria-debug-4364.log

MD5 5ec2118ed6c8d372cc70fab0bb53640e
SHA1 2d9067f190cecd138fbdf0ceb72277d6aed2e34e
SHA256 60e2e547444537c6bcde78a804cf1e093e90b5d0b2403101ff5e1a02ef55ad4a
SHA512 2923909d2019a406873f3df17612f5af4d1bb0b2ebbf53a5085716f890f786fa13754f2a851364e1d8f95202cf2b9f1cd2d3a38ab769f5a47a148111f2c89c2a

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncTelemetryExtensions.dll

MD5 51b6038293549c2858b4395ca5c0376e
SHA1 93bf452a6a750b52653812201a909c6bc1f19fa3
SHA256 a742c9e35d824b592b3d9daf15efb3d4a28b420533ddf35a1669a5b77a00bb75
SHA512 b8cfdab124ee424b1b099ff73d0a6c6f4fd0bf56c8715f7f26dbe39628a2453cd63d5e346dbf901fcbfb951dfbd726b288466ff32297498e63dea53289388c0c

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveTelemetryStable.dll

MD5 3746c2c72a58bf183672be6ea3e3dc31
SHA1 c57fd2a247d0758fda967a41e579ba84a7cb0d44
SHA256 e8a68344b28dba140d5a9abbe484a64bc7d19a78bd379712c1a8d50b7da31add
SHA512 bd57e93bf1dd57bc64dfbb8ab6c058273d9f40b6f0344cb2b95e4f5469f7320af2c5766045f85a6a2516229454678ae6a6ca1115971b2f84ea49a9cfa2859977

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll

MD5 bde86ac2d1455f3c47d1d1e1db852774
SHA1 b0e6eca9a5e00b82ac3e0f6b23985d5f6b8e6c88
SHA256 f5657d39e2b8439f7e300c2b8919ca29d54391a32aef9a7ef5ea75ab3c488259
SHA512 b6192bb7ec76fc5348dcebdfeb23ae29c9511f7b3b8865caebeda0c231b66d8f060cb611fd7befc334a30fb97dd343c12929ef3e4267f35ae122fd99e6bb947e

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll

MD5 8431f7fc6cf6db39833970cd0ec17a8e
SHA1 114427e606f60d7ad881dbf75ef072ab4a195eda
SHA256 14cd2f88e5bbd70b159b7ef604df909518fbed96482c5a3b0849390e588863f5
SHA512 4004ae942a73d35cb40da2826b4a383d290510ad15bed5dc380e331bd910826c3f463a03caa3ccee8daaca7e11b2ee6a026c4f299c27d3fa2c3a1414200dc822

\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\ucrtbase.dll

MD5 a6713645adef83490f5b9116e2ffcccf
SHA1 91d18966536ff3116e2e3452a40d32436d7b11dc
SHA256 a64e0ab682a1e28adcf8cef887bff0e760b4cd154bdbe5f05b8e5bda0dca5dd7
SHA512 54a1967fb2a16aa7c5183de9ccd49855d97bc6f5acc96ba65e64ddbd5c9a737805d117ee4aae5ed4cbf37348191eb5c9c41dcd9c3c1ad084445812e009af080d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\ucrtbase.dll

MD5 7df46a79d331cae63c9ae3fb160b6436
SHA1 5cf6d0659bc5ff7b381c2aa5b8d083597b324e51
SHA256 acddc90d451ea1afec61e9e944643245c9e73f8acdb39f2d5d7b59e045a9a881
SHA512 fb2b3bba3732e53d91ffb4a0eac5b82be89a6dfc7003d26a33aead6595ed6c846a9cfb055e45b90e1790106663ba2aa7f843e01c5f84624bfee3f079c213f2f5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 fb7cd856b973b459f24b4d6f4610f6e3
SHA1 3562739447b8180c18cb08446dcfb6a1ef4af3ba
SHA256 2ef829b0ba1c935cbb52fe8135239228762bab87c3c03ecf2b87183a7e4eb7ee
SHA512 2c8e11883d23b3f8c1fc045cff974da2b1435147ece66d21f1e562659a3bf8ad0dfd817507d87229c8c6ff8bc5db180fe34c893ab0690d55b4aa42604e90d952

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png

MD5 a23c55ae34e1b8d81aa34514ea792540
SHA1 3b539dfb299d00b93525144fd2afd7dd9ba4ccbf
SHA256 3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd
SHA512 1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png

MD5 d03b7edafe4cb7889418f28af439c9c1
SHA1 16822a2ab6a15dda520f28472f6eeddb27f81178
SHA256 a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665
SHA512 59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png

MD5 57a6876000151c4303f99e9a05ab4265
SHA1 1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794
SHA256 8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4
SHA512 c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

MD5 adbbeb01272c8d8b14977481108400d6
SHA1 1cc6868eec36764b249de193f0ce44787ba9dd45
SHA256 9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85
SHA512 c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

MD5 f1c75409c9a1b823e846cc746903e12c
SHA1 f0e1f0cf35369544d88d8a2785570f55f6024779
SHA256 fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6
SHA512 ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

MD5 de5ba8348a73164c66750f70f4b59663
SHA1 1d7a04b74bd36ecac2f5dae6921465fc27812fec
SHA256 a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73
SHA512 85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

MD5 8347d6f79f819fcf91e0c9d3791d6861
SHA1 5591cf408f0adaa3b86a5a30b0112863ec3d6d28
SHA256 e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750
SHA512 9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

MD5 19876b66df75a2c358c37be528f76991
SHA1 181cab3db89f416f343bae9699bf868920240c8b
SHA256 a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425
SHA512 78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

MD5 e01cdbbd97eebc41c63a280f65db28e9
SHA1 1c2657880dd1ea10caf86bd08312cd832a967be1
SHA256 5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f
SHA512 ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

MD5 771bc7583fe704745a763cd3f46d75d2
SHA1 e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752
SHA256 36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d
SHA512 959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

MD5 b83ac69831fd735d5f3811cc214c7c43
SHA1 5b549067fdd64dcb425b88fabe1b1ca46a9a8124
SHA256 cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185
SHA512 4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

MD5 72747c27b2f2a08700ece584c576af89
SHA1 5301ca4813cd5ff2f8457635bc3c8944c1fb9f33
SHA256 6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b
SHA512 3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

MD5 dc40d33c727dfd5f7e9229a9309cf88b
SHA1 ead643df404f280834d484f3275b309e098caec1
SHA256 66cab68b94d4e3c8807bab2ff22660b6a79209c601f9fa47a5079ed158c2a75f
SHA512 5c2ee34bef85eb7fd6e2eb719a035a9ba97aa133703518da5423e40a0320ff0a576df3876fbad30ad3f58800f4963fe466ffd58ec238f5754b158306d0f56974

memory/4668-958-0x0000000007440000-0x0000000007450000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 16:06

Reported

2024-02-02 16:28

Platform

win10-20231215-en

Max time kernel

1060s

Max time network

1067s

Command Line

"C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\soan.exe C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe

"C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe"

C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe

"C:\Users\Admin\AppData\Local\Temp\soan2\soan.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 api.ipify.org udp
FR 51.178.66.33:443 api.gofile.io tcp
US 173.231.16.76:443 api.ipify.org tcp
US 173.231.16.76:443 api.ipify.org tcp
US 8.8.8.8:53 geolocation-db.com udp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 76.16.231.173.in-addr.arpa udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 store3.gofile.io udp
US 136.175.10.233:443 store3.gofile.io tcp
US 8.8.8.8:53 233.10.175.136.in-addr.arpa udp
US 173.231.16.76:443 api.ipify.org tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.138.232:443 discord.com tcp
US 173.231.16.76:443 api.ipify.org tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI30322\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI30322\python312.dll

MD5 48ebfefa21b480a9b0dbfc3364e1d066
SHA1 b44a3a9b8c585b30897ddc2e4249dfcfd07b700a
SHA256 0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2
SHA512 4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

C:\Users\Admin\AppData\Local\Temp\_MEI30322\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI30322\base_library.zip

MD5 ccee0ea5ba04aa4fcb1d5a19e976b54f
SHA1 f7a31b2223f1579da1418f8bfe679ad5cb8a58f5
SHA256 eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29
SHA512 4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

C:\Users\Admin\AppData\Local\Temp\_MEI30322\_ctypes.pyd

MD5 452305c8c5fda12f082834c3120db10a
SHA1 9bab7b3fd85b3c0f2bedc3c5adb68b2579daa6e7
SHA256 543ce9d6dc3693362271a2c6e7d7fc07ad75327e0b0322301dd29886467b0b0e
SHA512 3d52afdbc8da74262475abc8f81415a0c368be70dbf5b2bd87c9c29ca3d14c44770a5b8b2e7c082f3ece0fd2ba1f98348a04b106a48d479fa6bd062712be8f7c

C:\Users\Admin\AppData\Local\Temp\_MEI30322\python3.DLL

MD5 4038af0427bce296ca8f3e98591e0723
SHA1 b2975225721959d87996454d049e6d878994cbf2
SHA256 a5bb3eb6fdfd23e0d8b2e4bccd6016290c013389e06daae6cb83964fa69e2a4f
SHA512 db762442c6355512625b36f112eca6923875d10aaf6476d79dc6f6ffc9114e8c7757ac91dbcd1fb00014122bc7f656115160cf5d62fa7fa1ba70bc71346c1ad3

\Users\Admin\AppData\Local\Temp\_MEI30322\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

\Users\Admin\AppData\Local\Temp\_MEI30322\_bz2.pyd

MD5 90f58f625a6655f80c35532a087a0319
SHA1 d4a7834201bd796dc786b0eb923f8ec5d60f719b
SHA256 bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946
SHA512 b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

C:\Users\Admin\AppData\Local\Temp\_MEI30322\_lzma.pyd

MD5 cf8de1137f36141afd9ff7c52a3264ee
SHA1 afde95a1d7a545d913387624ef48c60f23cf4a3f
SHA256 22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16
SHA512 821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-synch-l1-1-0.dll

MD5 6ea31229d13a2a4b723d446f4242425b
SHA1 036e888b35281e73b89da1b0807ea8e89b139791
SHA256 8eccaba9321df69182ee3fdb8fc7d0e7615ae9ad3b8ca53806ed47f4867395ae
SHA512 fa834e0e54f65d9a42ad1f4fb1086d26edfa182c069b81cff514feb13cfcb7cb5876508f1289efbc2d413b1047d20bab93ced3e5830bf4a6bb85468decd87cb6

C:\Users\Admin\AppData\Local\Temp\_MEI30322\_asyncio.pyd

MD5 70fb0b118ac9fd3292dde530e1d789b8
SHA1 4adc8d81e74fc04bce64baf4f6147078eefbab33
SHA256 f8305023f6ad81ddc7124b311e500a58914b05a9b072bf9a6d079ea0f6257793
SHA512 1ab72ea9f96c6153b9b5d82b01354381b04b93b7d58c0b54a441b6a748c81cccd2fc27bb3b10350ab376ff5ada9d83af67cce17e21ccbf25722baf1f2aef3c98

C:\Users\Admin\AppData\Local\Temp\_MEI30322\VCRUNTIME140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\_MEI30322\unicodedata.pyd

MD5 fc47b9e23ddf2c128e3569a622868dbe
SHA1 2814643b70847b496cbda990f6442d8ff4f0cb09
SHA256 2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309
SHA512 7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

C:\Users\Admin\AppData\Local\Temp\_MEI30322\sqlite3.dll

MD5 31cd2695493e9b0669d7361d92d46d94
SHA1 19c1bc5c3856665eca5390a2f9cd59b564c0139b
SHA256 17d547994008f1626be2877497912687cb3ebd9a407396804310fd12c85aead4
SHA512 9dd8d1b900999e8cea91f3d5f3f72d510f9cc28d7c6768a4046a9d2aa9e78a6ace1248ec9574f5f6e53a6f1bdbfdf153d9bf73dba05788625b03398716c87e1c

C:\Users\Admin\AppData\Local\Temp\_MEI30322\select.pyd

MD5 e1604afe8244e1ce4c316c64ea3aa173
SHA1 99704d2c0fa2687997381b65ff3b1b7194220a73
SHA256 74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5
SHA512 7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

C:\Users\Admin\AppData\Local\Temp\_MEI30322\pyexpat.pyd

MD5 e2d1c738d6d24a6dd86247d105318576
SHA1 384198f20724e4ede9e7b68e2d50883c664eee49
SHA256 cdc09fbae2f103196215facd50d108be3eff60c8ee5795dcc80bf57a0f120cdf
SHA512 3f9cb64b4456438dea82a0638e977f233faf0a08433f01ca87ba65c7e80b0680b0ec3009fa146f02ae1fdcc56271a66d99855d222e77b59a1713caf952a807da

C:\Users\Admin\AppData\Local\Temp\_MEI30322\libssl-3.dll

MD5 bfc834bb2310ddf01be9ad9cff7c2a41
SHA1 fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c
SHA256 41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1
SHA512 6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

C:\Users\Admin\AppData\Local\Temp\_MEI30322\libcrypto-3.dll

MD5 51e8a5281c2092e45d8c97fbdbf39560
SHA1 c499c810ed83aaadce3b267807e593ec6b121211
SHA256 2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA512 98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-utility-l1-1-0.dll

MD5 9a3b4e5b18a946d6954f61673576fa11
SHA1 74206258cfd864f08e26ea3081d66297221b1d52
SHA256 ce74a264803d3e5761ed2c364e2196ac1b391cb24029af24aee8ef537ec68738
SHA512 da21178f2e7f4b15c28ae7cb0cc5891eaa3bdd0192042965861c729839983c7dcba9cfb96930b52dbe8a592b4713aa40762e54d846b8135456a09ae5bacbb727

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-time-l1-1-0.dll

MD5 82e6d4ff7887b58206199e6e4be0feaf
SHA1 943e42c95562682c99a7ed3058ea734e118b0c44
SHA256 fb425bf6d7eb8202acd10f3fbd5d878ab045502b6c928ebf39e691e2b1961454
SHA512 ff774295c68bfa6b3c00a1e05251396406dee1927c16d4e99f4514c15ae674fd7ac5cadfe9bfffef764209c94048b107e70ac7614f6a8db453a9ce03a3db12e0

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-string-l1-1-0.dll

MD5 cf115db7dcf92a69cb4fd6e2ae42fed5
SHA1 b39aa5eca6be3f90b71dc37a5ecf286e3ddca09a
SHA256 eb8fe2778c54213aa2cc14ab8cec89ebd062e18b3e24968aca57e1f344588e74
SHA512 8abd2754171c90bbd37ca8dfc3db6edaf57ccdd9bc4ce82aef702a5ce8bc9e36b593dc863d9a2abd3b713a2f0693b04e52867b51cd578977a4a9fde175dba97a

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-stdio-l1-1-0.dll

MD5 9a7e2a550c64dabff61dad8d1574c79a
SHA1 8908de9d45f76764140687389bfaed7711855a2d
SHA256 db059947ace80d2c801f684a38d90fd0292bdaa1c124cd76467da7c4329a8a32
SHA512 70a6eb10a3c3bad45ba99803117e589bda741ecbb8bbdd2420a5ae981003aebe21e28cb437c177a3b23f057f299f85af7577fec9693d59a1359e5ffc1e8eaabd

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-runtime-l1-1-0.dll

MD5 3ae4741db3ddbcb205c6acbbae234036
SHA1 5026c734dcee219f73d291732722691a02c414f2
SHA256 c26540e3099fa91356ee69f5058cf7b8aee63e23d6b58385476d1883e99033c3
SHA512 9dd5e12265da0f40e3c1432fb25fd19be594684283e961a2eaffd87048d4f892d075dcd049ab08aeee582542e795a0d124b490d321d7beb7963fd778ef209929

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-process-l1-1-0.dll

MD5 ad586ea6ac80ac6309421deeea701d2f
SHA1 bc2419dff19a9ab3c555bc00832c7074ec2d9186
SHA256 39e363c47d4d45beda156cb363c5241083b38c395e4be237f3cfeda55176453c
SHA512 15c17cba6e73e2e2adb0e85af8ed3c0b71d37d4613d561ce0e818bdb2ca16862253b3cb291e0cf2475cedcb7ce9f7b4d66752817f61cf11c512869ef8dabc92a

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-math-l1-1-0.dll

MD5 e9036fd8b4d476807a22cb2eb4485b8a
SHA1 0e49d745643f6b0a7d15ea12b6a1fe053c829b30
SHA256 bfc8ad242bf673bf9024b5bbe4158ca6a4b7bdb45760ae9d56b52965440501bd
SHA512 f1af074cce2a9c3a92e3a211223e05596506e7874ede5a06c8c580e002439d102397f2446ce12cc69c38d5143091443833820b902bb07d990654ce9d14e0a7f0

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-locale-l1-1-0.dll

MD5 d8302fc8fac16f2afebf571a5ae08a71
SHA1 0c1aee698e2b282c4d19011454da90bb5ab86252
SHA256 b9ae70e8f74615ea2dc6fc74ec8371616e57c8eff8555547e7167bb2db3424f2
SHA512 cd2f4d502cd37152c4b864347fb34bc77509cc9e0e7fe0e0a77624d78cda21f244af683ea8b47453aa0fa6ead2a0b2af4816040d8ea7cdad505f470113322009

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-heap-l1-1-0.dll

MD5 546da2b69f039da9da801eb7455f7ab7
SHA1 b8ff34c21862ee79d94841c40538a90953a7413b
SHA256 a93c8af790c37a9b6bac54003040c283bef560266aeec3d2de624730a161c7dc
SHA512 4a3c8055ab832eb84dd2d435f49b5b748b075bbb484248188787009012ee29dc4e04d8fd70110e546ce08d0c4457e96f4368802caee5405cff7746569039a555

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 931246f429565170bb80a1144b42a8c4
SHA1 e544fad20174cf794b51d1194fd780808f105d38
SHA256 a3ba0ee6a4abc082b730c00484d4462d16bc13ee970ee3eee96c34fc9b6ef8ed
SHA512 4d1d811a1e61a8f1798a617200f0a5ffbde9939a0c57b6b3901be9ca8445b2e50fc736f1dce410210965116249d77801940ef65d9440700a6489e1b9a8dc0a39

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-environment-l1-1-0.dll

MD5 f983f25bf0ad58bcfa9f1e8fd8f94fcb
SHA1 27ede57c1a59b64db8b8c3c1b7f758deb07942e8
SHA256 a5c8c787c59d0700b5605925c8c255e5ef7902716c675ec40960640b15ff5aca
SHA512 ac797ff4f49be77803a3fe5097c006bb4806a3f69e234bf8d1440543f945360b19694c8ecf132ccfbd17b788afce816e5866154c357c27dfeb0e97c0a594c166

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-convert-l1-1-0.dll

MD5 33b85a64c4af3a65c4b72c0826668500
SHA1 315ddb7a49283efe7fcae1b51ebd6db77267d8df
SHA256 8b24823407924688ecafc771edd9c58c6dbcc7de252e7ebd20751a5b9dd7abef
SHA512 b3a62cb67c7fe44ca57ac16505a9e9c3712c470130df315b591a9d39b81934209c8b48b66e1e18da4a5323785120af2d9e236f39c9b98448f88adab097bc6651

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-crt-conio-l1-1-0.dll

MD5 42ee890e5e916935a0d3b7cdee7147e0
SHA1 d354db0aac3a997b107ec151437ef17589d20ca5
SHA256 91d7a4c39baac78c595fc6cf9fd971aa0a780c297da9a8b20b37b0693bdcd42c
SHA512 4fae6d90d762ed77615d0f87833152d16b2c122964754b486ea90963930e90e83f3467253b7ed90d291a52637374952570bd9036c6b8c9eaebe8b05663ebb08e

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-util-l1-1-0.dll

MD5 427f0e19148d98012968564e4b7e622a
SHA1 488873eb98133e20acd106b39f99e3ebdfaca386
SHA256 0cbacaccedaf9b6921e6c1346de4c0b80b4607dacb0f7e306a94c2f15fa6d63d
SHA512 03fa49bdadb65b65efed5c58107912e8d1fccfa13e9adc9df4441e482d4b0edd6fa1bd8c8739ce09654b9d6a176e749a400418f01d83e7ae50fa6114d6aead2b

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-timezone-l1-1-0.dll

MD5 2554060f26e548a089cab427990aacdf
SHA1 8cc7a44a16d6b0a6b7ed444e68990ff296d712fe
SHA256 5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044
SHA512 fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 9ca65d4fe9b76374b08c4a0a12db8d2f
SHA1 a8550d6d04da33baa7d88af0b4472ba28e14e0af
SHA256 8a1e56bd740806777bc467579bdc070bcb4d1798df6a2460b9fe36f1592189b8
SHA512 19e0d2065f1ca0142b26b1f5efdd55f874f7dde7b5712dd9dfd4988a24e2fcd20d4934bdda1c2d04b95e253aa1bee7f1e7809672d7825cd741d0f6480787f3b3

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-synch-l1-2-0.dll

MD5 dd6f223b4f9b84c6e9b2a7cf49b84fc7
SHA1 2ee75d635d21d628e8083346246709a71b085710
SHA256 8356f71c5526808af2896b2d296ce14e812e4585f4d0c50d7648bc851b598bef
SHA512 9c12912daea5549a3477baa2cd05180702cf24dd185be9f1fca636db6fbd25950c8c2b83f18d093845d9283c982c0255d6402e3cdea0907590838e0acb8cc8c1

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-string-l1-1-0.dll

MD5 84b1347e681e7c8883c3dc0069d6d6fa
SHA1 9e62148a2368724ca68dfa5d146a7b95c710c2f2
SHA256 1cb48031891b967e2f93fdd416b0324d481abde3838198e76bc2d0ca99c4fd09
SHA512 093097a49080aec187500e2a9e9c8ccd01f134a3d8dc8ab982e9981b9de400dae657222c20fb250368ecddc73b764b2f4453ab84756b908fcb16df690d3f4479

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-processthreads-l1-1-1.dll

MD5 4380d56a3b83ca19ea269747c9b8302b
SHA1 0c4427f6f0f367d180d37fc10ecbe6534ef6469c
SHA256 a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a
SHA512 1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 8711e4075fa47880a2cb2bb3013b801a
SHA1 b7ceec13e3d943f26def4c8a93935315c8bb1ac3
SHA256 5bcc3a2d7d651bb1ecc41aa8cd171b5f2b634745e58a8503b702e43aee7cd8c6
SHA512 7370e4acb298b2e690ccd234bd6c95e81a5b870ae225bc0ad8fa80f4473a85e44acc6159502085fe664075afa940cff3de8363304b66a193ac970ced1ba60aae

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-memory-l1-1-0.dll

MD5 c4098d0e952519161f4fd4846ec2b7fc
SHA1 8138ca7eb3015fc617620f05530e4d939cafbd77
SHA256 51b2103e0576b790d5f5fdacb42af5dac357f1fd37afbaaf4c462241c90694b4
SHA512 95aa4c7071bc3e3fa4db80742f587a0b80a452415c816003e894d2582832cf6eac645a26408145245d4deabe71f00eccf6adb38867206bedd5aa0a6413d241f5

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 772f1b596a7338f8ea9ddff9aba9447d
SHA1 cda9f4b9808e9cef2aeac2ac6e7cdf0e8687c4c5
SHA256 cc1bfce8fe6f9973cca15d7dfcf339918538c629e6524f10f1931ae8e1cd63b4
SHA512 8c94890c8f0e0a8e716c777431022c2f77b69ebfaa495d541e2d3312ae1da307361d172efce94590963d17fe3fcac8599dcabe32ab56e01b4d9cf9b4f0478277

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-profile-l1-1-0.dll

MD5 9082d23943b0aa48d6af804a2f3609a2
SHA1 c11b4e12b743e260e8b3c22c9face83653d02efe
SHA256 7ecc2e3fe61f9166ff53c28d7cb172a243d94c148d3ef13545bc077748f39267
SHA512 88434a2b996ed156d5effbb7960b10401831e9b2c9421a0029d2d8fa651b9411f973e988565221894633e9ffcd6512f687afbb302efe2273d4d1282335ee361d

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-processthreads-l1-1-0.dll

MD5 8e6eb11588fa9625b68960a46a9b1391
SHA1 ff81f0b3562e846194d330fadf2ab12872be8245
SHA256 ae56e19da96204e7a9cdc0000f96a7ef15086a9fe1f686687cb2d6fbcb037cd6
SHA512 fdb97d1367852403245fc82cb1467942105e4d9db0de7cf13a73658905139bb9ae961044beb0a0870429a1e26fe00fc922fbd823bd43f30f825863cad2c22cea

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 eaf36a1ead954de087c5aa7ac4b4adad
SHA1 9dd6bc47e60ef90794a57c3a84967b3062f73c3c
SHA256 cdba9dc9af63ebd38301a2e7e52391343efeb54349fc2d9b4ee7b6bf4f9cf6eb
SHA512 1af9e60bf5c186ced5877a7fa690d9690b854faa7e6b87b0365521eafb7497fb7370ac023db344a6a92db2544b5bdc6e2744c03b10c286ebbf4f57c6ca3722cf

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-localization-l1-2-0.dll

MD5 20ddf543a1abe7aee845de1ec1d3aa8e
SHA1 0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf
SHA256 d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8
SHA512 96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 8dfc224c610dd47c6ec95e80068b40c5
SHA1 178356b790759dc9908835e567edfb67420fbaac
SHA256 7b8c7e09030df8cdc899b9162452105f8baeb03ca847e552a57f7c81197762f2
SHA512 fe5be81bfce4a0442dd1901721f36b1e2efcdcee1fdd31d7612ad5676e6c5ae5e23e9a96b2789cb42b7b26e813347f0c02614937c561016f1563f0887e69bbee

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-interlocked-l1-1-0.dll

MD5 4f631924e3f102301dac36b514be7666
SHA1 b3740a0acdaf3fba60505a135b903e88acb48279
SHA256 e2406077621dce39984da779f4d436c534a31c5e863db1f65de5939d962157af
SHA512 56f9fb629675525cbe84a29d44105b9587a9359663085b62f3fbe3eea66451da829b1b6f888606bc79754b6b814ca4a1b215f04f301efe4db0d969187d6f76f1

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-heap-l1-1-0.dll

MD5 6168023bdb7a9ddc69042beecadbe811
SHA1 54ee35abae5173f7dc6dafc143ae329e79ec4b70
SHA256 4ea8399debe9d3ae00559d82bc99e4e26f310934d3fd1d1f61177342cf526062
SHA512 f1016797f42403bb204d4b15d75d25091c5a0ab8389061420e1e126d2214190a08f02e2862a2ae564770397e677b5bcdd2779ab948e6a3e639aa77b94d0b3f6c

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-handle-l1-1-0.dll

MD5 d584c1e0f0a0b568fce0efd728255515
SHA1 2e5ce6d4655c391f2b2f24fc207fdf0e6cd0cc2a
SHA256 3de40a35254e3e0e0c6db162155d5e79768a6664b33466bf603516f3743efb18
SHA512 c7d1489bf81e552c022493bb5a3cd95ccc81dbedaaa8fdc0048cacbd087913f90b366eeb4bf72bf4a56923541d978b80d7691d96dbbc845625f102c271072c42

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-file-l1-2-0.dll

MD5 bcb8b9f6606d4094270b6d9b2ed92139
SHA1 bd55e985db649eadcb444857beed397362a2ba7b
SHA256 fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118
SHA512 869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-file-l1-1-0.dll

MD5 ea00855213f278d9804105e5045e2882
SHA1 07c6141e993b21c4aa27a6c2048ba0cff4a75793
SHA256 f2f74a801f05ab014d514f0f1d0b3da50396e6506196d8beccc484cd969621a6
SHA512 b23b78b7bd4138bb213b9a33120854249308bb2cf0d136676174c3d61852a0ac362271a24955939f04813cc228cd75b3e62210382a33444165c6e20b5e0a7f24

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 f1534c43c775d2cceb86f03df4a5657d
SHA1 9ed81e2ad243965e1090523b0c915e1d1d34b9e1
SHA256 6e6bfdc656f0cf22fabba1a25a42b46120b1833d846f2008952fe39fe4e57ab2
SHA512 62919d33c7225b7b7f97faf4a59791f417037704eb970cb1cb8c50610e6b2e86052480cdba771e4fad9d06454c955f83ddb4aea2a057725385460617b48f86a7

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-debug-l1-1-0.dll

MD5 71f1d24c7659171eafef4774e5623113
SHA1 8712556b19ed9f80b9d4b6687decfeb671ad3bfe
SHA256 c45034620a5bb4a16e7dd0aff235cc695a5516a4194f4fec608b89eabd63eeef
SHA512 0a14c03365adb96a0ad539f8e8d8333c042668046cea63c0d11c75be0a228646ea5b3fbd6719c29580b8baaeb7a28dc027af3de10082c07e089cdda43d5c467a

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-datetime-l1-1-0.dll

MD5 c5e3e5df803c9a6d906f3859355298e1
SHA1 0ecd85619ee5ce0a47ff840652a7c7ef33e73cf4
SHA256 956773a969a6213f4685c21702b9ed5bd984e063cf8188acbb6d55b1d6ccbd4e
SHA512 deedef8eaac9089f0004b6814862371b276fbcc8df45ba7f87324b2354710050d22382c601ef8b4e2c5a26c8318203e589aa4caf05eb2e80e9e8c87fd863dfc9

C:\Users\Admin\AppData\Local\Temp\_MEI30322\api-ms-win-core-console-l1-1-0.dll

MD5 40ba4a99bf4911a3bca41f5e3412291f
SHA1 c9a0e81eb698a419169d462bcd04d96eaa21d278
SHA256 af0e561bb3b2a13aa5ca9dfc9bc53c852bad85075261af6ef6825e19e71483a6
SHA512 f11b98ff588c2e8a88fdd61d267aa46dc5240d8e6e2bfeea174231eda3affc90b991ff9aae80f7cea412afc54092de5857159569496d47026f8833757c455c23