Analysis Overview
SHA256
2c77f01d2d3d4e3f32e25437d8afc259e3c5f9e8f40fb8d7688637b11649b682
Threat Level: Shows suspicious behavior
The file TokenGen.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Registers COM server for autorun
Modifies system executable filetype association
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Checks system information in the registry
Enumerates physical storage devices
Unsigned PE
Detects Pyinstaller
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 12:49
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-23 12:49
Reported
2024-02-23 12:53
Platform
win10v2004-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 12:49
Reported
2024-02-23 12:53
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TokenGen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TokenGen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TokenGen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TokenGen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TokenGen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TokenGen.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TokenGen.exe
"C:\Users\Admin\AppData\Local\Temp\TokenGen.exe"
C:\Users\Admin\AppData\Local\Temp\TokenGen.exe
"C:\Users\Admin\AppData\Local\Temp\TokenGen.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Title Token Generator v1.9
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21762\TokenGen.exe.manifest
| MD5 | 6db386d733f82ea48868aa6f545377e5 |
| SHA1 | ff3ed40b56cae8bb21201c89d67736b4771194a7 |
| SHA256 | 409347cac216532b65046ef28eb80ab0be81ec44b42b2b3a64e2a90faabbdb8c |
| SHA512 | f9a49c21c5efe2f8bda03e05cd7f375cdcdb9fbf67f7e5db2ab005f3f4f346dc015dd5e2107aeb2f21810acc8c0e9f0351d6092320c25f6ca4c8ed66d08f1f22 |
C:\Users\Admin\AppData\Local\Temp\_MEI21762\python38.dll
| MD5 | 7e771d92e814a9fe3520b9f1af6176e0 |
| SHA1 | 2b1d2fc31fdc2d1940d3835e1e62214414e6cffd |
| SHA256 | 54326ecd163c7fffcdd02620490b6bde727c6a3153bff9706cf086510e4aa36d |
| SHA512 | 547bdf9048d3b3bc88741ce2307ed4a48b10407d17dbb9f5ba5a727d59d208069abddb90d24b3d4bf0aa5ced2bdcabec3230baf73f2576652035afe5a1297667 |
\Users\Admin\AppData\Local\Temp\_MEI21762\VCRUNTIME140.dll
| MD5 | 4c360f78de1f5baaa5f110e65fac94b4 |
| SHA1 | 20a2e66fd577293b33ba1c9d01ef04582deaf3a5 |
| SHA256 | ad1b0992b890bfe88ef52d0a830873acc0aecc9bd6e4fc22397dbccf4d2b4e37 |
| SHA512 | c6bba093d2e83b178a783d1ddfd1530c3adcb623d299d56db1b94ed34c0447e88930200bf45e5fb961f8fd7ad691310b586a7d754d7a6d7d27d58b74986a4db8 |
C:\Users\Admin\AppData\Local\Temp\_MEI21762\base_library.zip
| MD5 | 1162eb4c51c50e54909a31d03a30548b |
| SHA1 | 5724bda677dfd2545ab02496ffcda76522c17137 |
| SHA256 | 228dfd18d006a848d50999c278cc74f21423afe9268874d0277a9fcc8e9593ab |
| SHA512 | fb78949ff304bc3fbe3e1b12b282638fb84ccdf08f92c9ce930fb2d69c3dad78926f4a5f5b93e061b1e082c28e236827b7420f755e2a911090caaa9f4fc08d15 |
C:\Users\Admin\AppData\Local\Temp\_MEI21762\_ctypes.pyd
| MD5 | 3a2e78784b929003a6baceebdb0efa4d |
| SHA1 | abb48b6a96e22b9bd6d2a8443f5811088c540922 |
| SHA256 | f205948b01b29cb244ae09c5b57fd4b6c8f356dfcd2f8cb49e7cfd177a748cf9 |
| SHA512 | ad5a9a5143b7e452d92cc7ea5db12967b2073b626be3437d17041d7ae6d82ee24b15d161d2f708639d3bbf8c657202cd845009a219657557203497ea355876ce |
C:\Users\Admin\AppData\Local\Temp\_MEI21762\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI21762\_socket.pyd
| MD5 | cea329ce0935e99a8bc01070f07fefaf |
| SHA1 | 9d81307e9559d0661633530e5756957b05d84268 |
| SHA256 | d1a4d66c557c2fe7dc441614ca62e67f37ec44bef5a762bac41bac15d491a930 |
| SHA512 | b6aea9c2221bf35b0895c35942cf3c9613ec7919540b4c24a3b97d7a0846256e9ba654e8f233fadca1b15ff0b7d30d73adfaec85bcadb6100fd73e62d3a068ab |
C:\Users\Admin\AppData\Local\Temp\_MEI21762\select.pyd
| MD5 | 26bc7e9826bc13a4d0cf681b0e5cf3c8 |
| SHA1 | effff42e88cdd66bc4397de1a6d3b5ae540f820b |
| SHA256 | 8e7366cf6e128f977f8977a8db45a714ba72e643b31bd26b7676f33d3d8df612 |
| SHA512 | 16d92785a234e60301aa6c4c5d508bdaff805689d4f160ab3c0c4d0c2376dd3616f676ad2fa81c08ea80e4fb862c3a15e1b59212508dddb388c8a768726b018a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 12:49
Reported
2024-02-23 12:54
Platform
win10v2004-20240221-en
Max time kernel
210s
Max time network
207s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /autoplay" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LOCALSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LOCALSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ = "IOneDriveInfoProvider" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TYPELIB | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\INTERFACE\{A87958FF-B414-7748-9183-DBF183A25905}\TYPELIB | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\ = "NucleusNativeMessaging Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VERSIONINDEPENDENTPROGID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ = "FileSyncEx" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\INTERFACE\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\PROXYSTUBCLSID32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TYPELIB | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ = "ISyncChangesCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\odopen\UseOriginalUrlEncoding = "1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VERSIONINDEPENDENTPROGID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\PROXYSTUBCLSID32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CLSID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\ = "SyncingOverlayHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\PROXYSTUBCLSID32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\ = "SyncEngineFileInfoProvider Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\*\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TokenGen.exe
"C:\Users\Admin\AppData\Local\Temp\TokenGen.exe"
C:\Users\Admin\AppData\Local\Temp\TokenGen.exe
"C:\Users\Admin\AppData\Local\Temp\TokenGen.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Title Token Generator v1.9
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\321.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.88.219.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.109.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.194.113.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logincdn.msftauth.net | udp |
| US | 192.229.221.185:443 | logincdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | 185.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI27882\python38.dll
| MD5 | 7e771d92e814a9fe3520b9f1af6176e0 |
| SHA1 | 2b1d2fc31fdc2d1940d3835e1e62214414e6cffd |
| SHA256 | 54326ecd163c7fffcdd02620490b6bde727c6a3153bff9706cf086510e4aa36d |
| SHA512 | 547bdf9048d3b3bc88741ce2307ed4a48b10407d17dbb9f5ba5a727d59d208069abddb90d24b3d4bf0aa5ced2bdcabec3230baf73f2576652035afe5a1297667 |
C:\Users\Admin\AppData\Local\Temp\_MEI27882\TokenGen.exe.manifest
| MD5 | 6db386d733f82ea48868aa6f545377e5 |
| SHA1 | ff3ed40b56cae8bb21201c89d67736b4771194a7 |
| SHA256 | 409347cac216532b65046ef28eb80ab0be81ec44b42b2b3a64e2a90faabbdb8c |
| SHA512 | f9a49c21c5efe2f8bda03e05cd7f375cdcdb9fbf67f7e5db2ab005f3f4f346dc015dd5e2107aeb2f21810acc8c0e9f0351d6092320c25f6ca4c8ed66d08f1f22 |
C:\Users\Admin\AppData\Local\Temp\_MEI27882\VCRUNTIME140.dll
| MD5 | 4c360f78de1f5baaa5f110e65fac94b4 |
| SHA1 | 20a2e66fd577293b33ba1c9d01ef04582deaf3a5 |
| SHA256 | ad1b0992b890bfe88ef52d0a830873acc0aecc9bd6e4fc22397dbccf4d2b4e37 |
| SHA512 | c6bba093d2e83b178a783d1ddfd1530c3adcb623d299d56db1b94ed34c0447e88930200bf45e5fb961f8fd7ad691310b586a7d754d7a6d7d27d58b74986a4db8 |
C:\Users\Admin\AppData\Local\Temp\_MEI27882\base_library.zip
| MD5 | 1162eb4c51c50e54909a31d03a30548b |
| SHA1 | 5724bda677dfd2545ab02496ffcda76522c17137 |
| SHA256 | 228dfd18d006a848d50999c278cc74f21423afe9268874d0277a9fcc8e9593ab |
| SHA512 | fb78949ff304bc3fbe3e1b12b282638fb84ccdf08f92c9ce930fb2d69c3dad78926f4a5f5b93e061b1e082c28e236827b7420f755e2a911090caaa9f4fc08d15 |
C:\Users\Admin\AppData\Local\Temp\_MEI27882\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI27882\_ctypes.pyd
| MD5 | 3a2e78784b929003a6baceebdb0efa4d |
| SHA1 | abb48b6a96e22b9bd6d2a8443f5811088c540922 |
| SHA256 | f205948b01b29cb244ae09c5b57fd4b6c8f356dfcd2f8cb49e7cfd177a748cf9 |
| SHA512 | ad5a9a5143b7e452d92cc7ea5db12967b2073b626be3437d17041d7ae6d82ee24b15d161d2f708639d3bbf8c657202cd845009a219657557203497ea355876ce |
C:\Users\Admin\AppData\Local\Temp\_MEI27882\_socket.pyd
| MD5 | cea329ce0935e99a8bc01070f07fefaf |
| SHA1 | 9d81307e9559d0661633530e5756957b05d84268 |
| SHA256 | d1a4d66c557c2fe7dc441614ca62e67f37ec44bef5a762bac41bac15d491a930 |
| SHA512 | b6aea9c2221bf35b0895c35942cf3c9613ec7919540b4c24a3b97d7a0846256e9ba654e8f233fadca1b15ff0b7d30d73adfaec85bcadb6100fd73e62d3a068ab |
C:\Users\Admin\AppData\Local\Temp\_MEI27882\select.pyd
| MD5 | 26bc7e9826bc13a4d0cf681b0e5cf3c8 |
| SHA1 | effff42e88cdd66bc4397de1a6d3b5ae540f820b |
| SHA256 | 8e7366cf6e128f977f8977a8db45a714ba72e643b31bd26b7676f33d3d8df612 |
| SHA512 | 16d92785a234e60301aa6c4c5d508bdaff805689d4f160ab3c0c4d0c2376dd3616f676ad2fa81c08ea80e4fb862c3a15e1b59212508dddb388c8a768726b018a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
| MD5 | e516a60bc980095e8d156b1a99ab5eee |
| SHA1 | 238e243ffc12d4e012fd020c9822703109b987f6 |
| SHA256 | 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7 |
| SHA512 | 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\628PWMEE\update100[1].xml
| MD5 | 53244e542ddf6d280a2b03e28f0646b7 |
| SHA1 | d9925f810a95880c92974549deead18d56f19c37 |
| SHA256 | 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d |
| SHA512 | 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | 035da0f4db3383ad2dec3c8e1957cc01 |
| SHA1 | 83f3038d443615304203a905034c7274ea43688d |
| SHA256 | e5f38e297fde312958e9686a99261943bdd58bcd23b80a25b1b503c0fde8e44f |
| SHA512 | 5c0705e7e6908d14be97ab7125a8296ee6ffa160b7cc8b9bb3f285ffb0b04fdafe769927c9ec39dd89874769116dc58af53265ab0e610c7fed0cd75e6e509243 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | 12c1c98c8a19af0dbe56bc80c0931d5c |
| SHA1 | b002fbe468dc8cc9d8d658a8f2b8f0deab62b450 |
| SHA256 | 543551d89829dda0dbd9a7391303bbce8d996324c39c5bc208a7400f0816f936 |
| SHA512 | b26f5acbbec7b8869da31781334e1f402cd63529fd87c196735cbb8aa7861f93ea11b76e26f59de27661c2b29e2ab587fde51342298760668bb0b439e0fafafc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | 1d0c3734bfd21c245d5ffe64d37b328b |
| SHA1 | 629019a8d65d5827cb7e03af9c80d29a26ed43d4 |
| SHA256 | 3b7c86884be3a2dd9af39333c407d5eecd32d161d5e374164116f384bd74ab77 |
| SHA512 | 4a89561aae312f5aeddcb7b4e0ad542eda9a01955189d5547076eeee6165dd99993a921e526a7582714fa49fa060d50a522ff59697a1b8449de331e9825f0346 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | cf0997330472de8d034700d332f9ea29 |
| SHA1 | 8ac68f0b1984d99bcb6a9bf4ca32aa4cf099e289 |
| SHA256 | c270be9ebcec7f7fef82586d3244b53808817a0992108555f898f2df0f01c42b |
| SHA512 | 5b14fe1e187c60cc524ce1480e85cbf932e6fdefaf4b9a5a1d7a7d7ebc282b12d3f81cf3df6b0592299f862d8b5558db07c0b47dfb421a33284c9dfae28d2a6a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
| MD5 | f3397cd7125001860ee19c141696bd78 |
| SHA1 | 25b8ca99e17ae49b4f9f70b0d6e0e7d9e2dcf827 |
| SHA256 | 2b453dc5a730c6f04c2f6aa8274d848e2f470f30639d7b19d2ccee63cf16d130 |
| SHA512 | 1fac75f97b0db8dea1af8a6e52f9b7b9441a77f8133ac20f20f9361050195947cfa2433d1bc5bbfcd538c7fbc11d6f5b7beecde3c075288168536a0514ea1942 |
C:\Users\Admin\AppData\Local\Temp\tmpD4AB.tmp
| MD5 | 6fa7bd4e766ee753f9bdccaea7674a17 |
| SHA1 | ac8a099747f35f22cc6f338eea5278e15688e5da |
| SHA256 | f8859659c4042c86a97904d83350c693734a6d7fbe0f4309366d341bcb814a69 |
| SHA512 | c778bcf53e532eaf66adcf164706429205ff6a029de5f9f7df6ec63e86d91fc88a33ecf51837495f7560813ae25826156cc6a682ddb25c2d80196f7c5ce92ee2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | cc04d6015cd4395c9b980b280254156e |
| SHA1 | 87b176f1330dc08d4ffabe3f7e77da4121c8e749 |
| SHA256 | 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e |
| SHA512 | d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
| MD5 | c2938eb5ff932c2540a1514cc82c197c |
| SHA1 | 2d7da1c3bfa4755ba0efec5317260d239cbb51c3 |
| SHA256 | 5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665 |
| SHA512 | 5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
| MD5 | b83ac69831fd735d5f3811cc214c7c43 |
| SHA1 | 5b549067fdd64dcb425b88fabe1b1ca46a9a8124 |
| SHA256 | cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185 |
| SHA512 | 4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
| MD5 | e01cdbbd97eebc41c63a280f65db28e9 |
| SHA1 | 1c2657880dd1ea10caf86bd08312cd832a967be1 |
| SHA256 | 5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f |
| SHA512 | ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
| MD5 | 09773d7bb374aeec469367708fcfe442 |
| SHA1 | 2bfb6905321c0c1fd35e1b1161d2a7663e5203d6 |
| SHA256 | 67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2 |
| SHA512 | f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
| MD5 | 771bc7583fe704745a763cd3f46d75d2 |
| SHA1 | e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752 |
| SHA256 | 36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d |
| SHA512 | 959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
| MD5 | 72747c27b2f2a08700ece584c576af89 |
| SHA1 | 5301ca4813cd5ff2f8457635bc3c8944c1fb9f33 |
| SHA256 | 6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b |
| SHA512 | 3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
| MD5 | 8347d6f79f819fcf91e0c9d3791d6861 |
| SHA1 | 5591cf408f0adaa3b86a5a30b0112863ec3d6d28 |
| SHA256 | e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750 |
| SHA512 | 9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
| MD5 | 19876b66df75a2c358c37be528f76991 |
| SHA1 | 181cab3db89f416f343bae9699bf868920240c8b |
| SHA256 | a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425 |
| SHA512 | 78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
| MD5 | d03b7edafe4cb7889418f28af439c9c1 |
| SHA1 | 16822a2ab6a15dda520f28472f6eeddb27f81178 |
| SHA256 | a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665 |
| SHA512 | 59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
| MD5 | 57a6876000151c4303f99e9a05ab4265 |
| SHA1 | 1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794 |
| SHA256 | 8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4 |
| SHA512 | c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
| MD5 | a23c55ae34e1b8d81aa34514ea792540 |
| SHA1 | 3b539dfb299d00b93525144fd2afd7dd9ba4ccbf |
| SHA256 | 3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd |
| SHA512 | 1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
| MD5 | adbbeb01272c8d8b14977481108400d6 |
| SHA1 | 1cc6868eec36764b249de193f0ce44787ba9dd45 |
| SHA256 | 9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85 |
| SHA512 | c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
| MD5 | f1c75409c9a1b823e846cc746903e12c |
| SHA1 | f0e1f0cf35369544d88d8a2785570f55f6024779 |
| SHA256 | fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6 |
| SHA512 | ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
| MD5 | de5ba8348a73164c66750f70f4b59663 |
| SHA1 | 1d7a04b74bd36ecac2f5dae6921465fc27812fec |
| SHA256 | a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73 |
| SHA512 | 85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
| MD5 | e593676ee86a6183082112df974a4706 |
| SHA1 | c4e91440312dea1f89777c2856cb11e45d95fe55 |
| SHA256 | deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb |
| SHA512 | 11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
| MD5 | 13e6baac125114e87f50c21017b9e010 |
| SHA1 | 561c84f767537d71c901a23a061213cf03b27a58 |
| SHA256 | 3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e |
| SHA512 | 673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
| MD5 | 2c7a9e323a69409f4b13b1c3244074c4 |
| SHA1 | 3c77c1b013691fa3bdff5677c3a31b355d3e2205 |
| SHA256 | 8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2 |
| SHA512 | 087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
| MD5 | 22e17842b11cd1cb17b24aa743a74e67 |
| SHA1 | f230cb9e5a6cb027e6561fabf11a909aa3ba0207 |
| SHA256 | 9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42 |
| SHA512 | 8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
| MD5 | 552b0304f2e25a1283709ad56c4b1a85 |
| SHA1 | 92a9d0d795852ec45beae1d08f8327d02de8994e |
| SHA256 | 262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535 |
| SHA512 | 9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
| MD5 | 096d0e769212718b8de5237b3427aacc |
| SHA1 | 4b912a0f2192f44824057832d9bb08c1a2c76e72 |
| SHA256 | 9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef |
| SHA512 | 99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
| MD5 | d9d00ecb4bb933cdbb0cd1b5d511dcf5 |
| SHA1 | 4e41b1eda56c4ebe5534eb49e826289ebff99dd9 |
| SHA256 | 85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89 |
| SHA512 | 8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
| MD5 | 5ae2d05d894d1a55d9a1e4f593c68969 |
| SHA1 | a983584f58d68552e639601538af960a34fa1da7 |
| SHA256 | d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c |
| SHA512 | 152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri
| MD5 | 7473be9c7899f2a2da99d09c596b2d6d |
| SHA1 | 0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac |
| SHA256 | e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3 |
| SHA512 | a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
| MD5 | ed306d8b1c42995188866a80d6b761de |
| SHA1 | eadc119bec9fad65019909e8229584cd6b7e0a2b |
| SHA256 | 7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301 |
| SHA512 | 972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
| MD5 | 09f3f8485e79f57f0a34abd5a67898ca |
| SHA1 | e68ae5685d5442c1b7acc567dc0b1939cad5f41a |
| SHA256 | 69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3 |
| SHA512 | 0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe
| MD5 | d602e3ddb3ae5cb38fc04c545a1ae245 |
| SHA1 | 1eb5f8e50ac2992bb7528319ca0b6adfe44ff9fc |
| SHA256 | d4573be48a62dd28419c19d8dacd598047f253307041f4c21bd3114492500de8 |
| SHA512 | af4e6edcbbf8f8b8c736b040b4ba72b2e82bcfca47c3a6bdd63dd9dff311181db6f2050c1b012b8c0c6a410c15243002cbefb704915f661bd8143af4747613dc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
| MD5 | 1f156044d43913efd88cad6aa6474d73 |
| SHA1 | 1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26 |
| SHA256 | 4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816 |
| SHA512 | df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
| MD5 | 3c29933ab3beda6803c4b704fba48c53 |
| SHA1 | 056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c |
| SHA256 | 3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633 |
| SHA512 | 09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
| MD5 | f4e9f958ed6436aef6d16ee6868fa657 |
| SHA1 | b14bc7aaca388f29570825010ebc17ca577b292f |
| SHA256 | 292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b |
| SHA512 | cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
| MD5 | 57bd9bd545af2b0f2ce14a33ca57ece9 |
| SHA1 | 15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1 |
| SHA256 | a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf |
| SHA512 | d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\VCRUNTIME140.dll
| MD5 | cefcd5d1f068c4265c3976a4621543d4 |
| SHA1 | 4d874d6d6fa19e0476a229917c01e7c1dd5ceacd |
| SHA256 | c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817 |
| SHA512 | d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll
| MD5 | 50ea1cd5e09e3e2002fadb02d67d8ce6 |
| SHA1 | c4515f089a4615d920971b28833ec739e3c329f3 |
| SHA256 | 414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902 |
| SHA512 | 440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll
| MD5 | ce8a66d40621f89c5a639691db3b96b4 |
| SHA1 | b5f26f17ddd08e1ba73c57635c20c56aaa46b435 |
| SHA256 | 545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7 |
| SHA512 | 85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll
| MD5 | 037df27be847ef8ab259be13e98cdd59 |
| SHA1 | d5541dfa2454a5d05c835ec5303c84628f48e7b2 |
| SHA256 | 9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec |
| SHA512 | 7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll
| MD5 | 4ffef06099812f4f86d1280d69151a3f |
| SHA1 | e5da93b4e0cf14300701a0efbd7caf80b86621c3 |
| SHA256 | d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3 |
| SHA512 | d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\ucrtbase.dll
| MD5 | 7a333d415adead06a1e1ce5f9b2d5877 |
| SHA1 | 9bd49c3b960b707eb5fc3ed4db1e2041062c59c7 |
| SHA256 | 5ade748445d8da8f22d46ad46f277e1e160f6e946fc51e5ac51b9401ce5daf46 |
| SHA512 | d388cb0d3acc7f1792eadfba519b37161a466a8c1eb95b342464adc71f311165a7f3e938c7f6a251e10f37c9306881ea036742438191226fb9309167786fa59a |
C:\Users\Admin\AppData\Local\Temp\aria-debug-3708.log
| MD5 | 4ed34ea2ae23dd342f66faca13fc866e |
| SHA1 | f64c58e0a2d88733b2b7396902eff009f41a688e |
| SHA256 | cdbbd91cbc4b0f0bd0ffe9e67e792e481e6910729d9c561a4fe8b7ce61061710 |
| SHA512 | 4fe06a6f836703f9a280727447ec37181a9832de1ebfa9c1d28929ddf39fb7a494b0d710dadc70f6ac52a923cd3c3c6c7543c379670a7baf0e25704b4363310b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncTelemetryExtensions.dll
| MD5 | 51b6038293549c2858b4395ca5c0376e |
| SHA1 | 93bf452a6a750b52653812201a909c6bc1f19fa3 |
| SHA256 | a742c9e35d824b592b3d9daf15efb3d4a28b420533ddf35a1669a5b77a00bb75 |
| SHA512 | b8cfdab124ee424b1b099ff73d0a6c6f4fd0bf56c8715f7f26dbe39628a2453cd63d5e346dbf901fcbfb951dfbd726b288466ff32297498e63dea53289388c0c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveTelemetryStable.dll
| MD5 | 6e8ae346e8e0e35c32b6fa7ae1fc48c3 |
| SHA1 | ca0668ddb59e5aa98d9a90eceba90a0ee2fb7869 |
| SHA256 | 146811735589450058048408f05644a93786a293c09ccb8d74420fb87c0a4d56 |
| SHA512 | aa65ef969b1868a54d78a4f697e6edbded31b118f053bbe8a19a599baaf63821dc05f75b2ac87452cb414ab6572b8d9b349093931e64601c47f8ebbb49c431cd |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncClient.dll
| MD5 | d44fd65a7d5aaf7a6a321fe8d153a273 |
| SHA1 | ef3907ddd295dfc209883b647008319d1b55d700 |
| SHA256 | e76f752f10c67e04306be4a13c4a3e72d70c1597e319939d67c97318fc75538e |
| SHA512 | 8146351da897711aa019759049e7ed788457eafa0b39435b0ecb384290a1213e141725174cf61be0709a4f04862efefbee41b4fab4e3ac7f0fe73aebfe227dbe |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncClient.dll
| MD5 | 33fa7e37e065bba4c85c0dbe45113946 |
| SHA1 | bdf96b555cc267eb196c2d5b6721b721171ce248 |
| SHA256 | ce1726148e852d5ad2416a94e88bff80b538af6745a37811e13981e8883e92c3 |
| SHA512 | 862f233dda1f5c6eca5e052f0b96e238cb0b486cc757700360407e47dd416547aaa4c1332bf25fe4104f6042d3565f2647d7cf0cb0365afa06191683c9a7d3bb |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncSessions.dll
| MD5 | 34755d57422f1f8013822face6bf20e0 |
| SHA1 | 9f0dfa7ad23a195310cf0c615c8430d6af10a1ce |
| SHA256 | 60fb3589598e0b39bb3786b2e402b2ed00b657a1b49eb464d688ddf4ea899a85 |
| SHA512 | ef51eecc86a530e7138c7a8e16d08a0ff127cd332a1cf27b457f493f7a5941e63313398a933890cef80752bf67e7a0a72f2fa24c5ae989326500c33478416838 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogUploader.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Gui.dll
| MD5 | d4b5f8b48cbf44333db03088f67468f4 |
| SHA1 | a9fd932285df006c97dde19d40b7109cc3c32388 |
| SHA256 | a9c43c3c242c6e537e78d70196366e08885021b87c0ad428e8d906af77e5649b |
| SHA512 | f9ae4e7d5ddc389f6601732250e5248c522fa3be7a1efd3875e2e55f367bf8adf49997147c2abf1fe29bf7e197b8e953fc313650b0bab113d1ef552920929e80 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Widgets.dll
| MD5 | 7d3abce5f93e325008373bbcdc575f87 |
| SHA1 | d9f5d01358a149093727f7c558fa7186295ff730 |
| SHA256 | 6dc516681b779b8d559a7def14e081a5b06da9dc5160c4f3ccc16d857675a8ee |
| SHA512 | 1a20def0bdf80b58c5425fc0880e2857154e70637e25ea422f4f672083f740ae72c4933fe4fdba59a95c24d446ebd6f408d91e3d7f95843c198488bfc3e8d6c8 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Quick.dll
| MD5 | 19b9e4dc7f1a6b5acc387aed0c214d35 |
| SHA1 | 0620617223e992543cbc31e3ad2699287e30813b |
| SHA256 | d33c0af6dd5bf88560267b4fdcc4e74c9d7b073af21a40c20bbec484dbb7e0d8 |
| SHA512 | ed7e7c95333644e0445b72c7b235d4183260d9b3266bfbbda0171fc0a0bde5863cd0642dadc394e1fd5a1b98268cf986b830f88f6b63db9dd3cd9dc590a29e04 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Quick.dll
| MD5 | 9145f94e5b5a09e72dfb54c5c6411b68 |
| SHA1 | b6ac9dfbbc8c125665e0c25411b7ec911ab5da44 |
| SHA256 | a4abf6ef69cdd750bd453888d98c414bc30058cc23b1c5c56081888e99709f19 |
| SHA512 | 8c2e7fc680bf2d44e5c2f8d65a339017050e822cc2283304b58b5ad68735d27b9a3c5cb99458216e4f5b71f7da7d81097d82761d4d8091a6375eb3fd26357025 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Qml.dll
| MD5 | 729b0cd291d3ceeb09ac28c46d476ba5 |
| SHA1 | 8f9a676d5924fc1d4fe4dcf48f15fc830576cf64 |
| SHA256 | 3a595415e20d9d52856e6a1439a10c0367b6e69df8e6fe2fac9dd722c03576eb |
| SHA512 | dc93e95fdbf74a27bd23e554a47418a0c6811157f3eed38602bc1f6ea0be76291a2a18ab45c518f022aafa74f3ed43fcc160a587ee94e7a2a65636fc9a98d35a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Core.dll
| MD5 | 52a4961cd60694aa923a459a609f6327 |
| SHA1 | 712bdfe3e12c078e6a30b6fc1dd28016ac5b8e29 |
| SHA256 | 700b39c0b67bc90d9ecaa9319d1e7c3cfd9bf5f5809234ab15eeb43bc335e137 |
| SHA512 | 6570419d62791496a88873908e5a2e05bbcc2c0d5ac65ebb0a7f5f3873d2fc5a754577d3390048b59871eb082dd39fff68956fb57d55f5338f6cf0737c8f4010 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Qml.dll
| MD5 | e9c253606064f8d37d37e300a95b6a25 |
| SHA1 | a406f75973c943467a1ba3ad587e4337d91f0628 |
| SHA256 | 156163db6a702083cc21b49283ad3291b61e7db8c6d7ef5ad305ea16af1fe233 |
| SHA512 | eacdb3ceb34a8378f41de6683835b137568cbd451ba0a259e1609efd7942f8055a5966f40835cb6a527f8593a7f731341d5c9309e438392cba8768f775f0fa0e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\adal.dll
| MD5 | 031d7556c2377e145d5fa7ce440f1161 |
| SHA1 | b8e9c5a861f317bc74b783f4b220bde182f8754a |
| SHA256 | ba58e5e63746acae544702ee45ec7aea829e65516943ace60646625cd999f9ca |
| SHA512 | 287a1fec446fdf241d3c2c90cb69b76f0afe5053b0f2636b2a1a972a91207360474ff6d6bbf3ddad03776adc691dd6c1346c17b21a81e6ddd2aac89c3477e30b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Core.dll
| MD5 | bc0c2e73651467d16c75e01e568e5b54 |
| SHA1 | 2134373050be12949fd6729c401aa84078eaebb8 |
| SHA256 | f01d43fba3658bebab55dc88ce9eaa63b7a200147500eaa6a2f2dbe819fb1e76 |
| SHA512 | 46635c3a21ebb006e6a60902310fffb0cd186990d7a18300879759193031caabbdf7b7023e29bf704132f15f19caf0c825dccdc93f1e1c65051c133a156d7a12 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\adal.dll
| MD5 | fe837e65648bf84a3b19c08bbc79351f |
| SHA1 | b1ad96bcb627565dd02d823b1df3316bba3dac42 |
| SHA256 | 55234df27deb004b09c18dc15ca46327e48b26b36dfb43a92741f86300bd8e9e |
| SHA512 | 64ce9573485341439a1d80d1bdc76b44d63c79fb7ec3de6fb084a86183c13c383ec63516407d82fbc86854568c717764efdec26eaf1f4ed05cdb9f974804d263 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncViews.dll
| MD5 | 948278aa5e6a03c0618ec27b70f5b62a |
| SHA1 | f408e639d8f73f66ff125cfe7029384ff093aa50 |
| SHA256 | 3a573da65b2c760b0e732115e7b6534cbe99ad02f580d0e565caaca0e9912740 |
| SHA512 | e5617ae5ccf5073f4d16e09c4600e912cf40c659a2ad89152ac71d21f8b4934338b383e41ecbe37c97dbf13d37f04e843e18f20bf3a56fb6a08aa9d6b832d12b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\WebView2Loader.dll
| MD5 | 925531f12a2f4a687598e7a4643d2faa |
| SHA1 | 26ca3ee178a50d23a09754adf362e02739bc1c39 |
| SHA256 | 41a13ba97534c7f321f3f29ef1650bd445bd3490153a2bb2d57e0fbc70d339c1 |
| SHA512 | 221934308658f0270e8a6ed89c9b164efb3516b2cc877216adb3fbd1dd5b793a3189afe1f6e2a7ef4b6106e988210eeb325b6aa78685e68964202e049516c984 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogUploader.dll
| MD5 | 03f13c5ec1922f3a0ec641ad4df4a261 |
| SHA1 | b23c1c6f23e401dc09bfbf6ce009ce4281216d7e |
| SHA256 | fe49f22bb132fedf1412e99169d307fa715dbdd84fe71c3e3ff12300d30d4987 |
| SHA512 | b47dbd9fad9467f72d4d0d5ca9df508247176f9e11b537c750837e8b3782a2d20f31fad361153d816ddf7f5e8109a614f3c6e4e2307af69cd3e2506cc0515d81 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncViews.dll
| MD5 | f4f5fd70388fa14714aad082537a4691 |
| SHA1 | c305861325dcb9f1a755797e1e0319b4f9c82302 |
| SHA256 | e8106c52ac17b54de0bc2b3df1addf1d8aefc11ced52cbf77f45ea4b93701835 |
| SHA512 | fc8c29740c2315bc34956154e3d734e9ece371414710e49e2b1a4f3d3902178a6da128dfeb17806048418363809bec2b49fae38d050ed9c6f3e24a7097835ef8 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\SyncEngine.DLL
| MD5 | 172388add55876b04e3f4ee2e651c99a |
| SHA1 | deb6c2cb99132b46796c633028d64c8caa6d9cab |
| SHA256 | 0192c96b288718906e2b76538cccbc5792660af80eb051e9683ba13295edb56a |
| SHA512 | acb21410262c1d7810fc5a20d5295035ded4d80d7f7c352b2303d896adb8a72eac0bacc30131445ee6380be26f13eea927109bc31bff436ab97736c2521406a5 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncSessions.dll
| MD5 | 846ff40e633df4ce6fc2d307d248db48 |
| SHA1 | 8b54ac17160581f988ee2a8dc1dd2068d959fc72 |
| SHA256 | 6a003c4ea3c57a89597f1a3fda0ac59c2ff506bfabd3059dc2d919eb2f4072c2 |
| SHA512 | ca2b68d5e45074eabda823bdb91161e10777917b176cccf3b40e8004db94a7c95d9e7c2d221870dcba2febfa4d8e43c44ace1e57c12a49ebb7fc82b1e64bb99b |
memory/2780-2811-0x00000000038B0000-0x00000000038C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | 41fb653bf08f1ac45355b50cbb28eb74 |
| SHA1 | 86248f8c7520592354feef357eb3ed3b4db84cb4 |
| SHA256 | 7329e51040f72b63b6cf4bb62a5a93ebb21870f37d43f1278084efb7bb4dbe44 |
| SHA512 | de9f50d9eb04341da2fcf641483e37d4fa85cfa02c8c0a20d7cabf4fec218751c1fb2479108c9cb5e5b1d7f9e3ff6867f63e08b66b2ef2c09da81cb54196745a |
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-23 12:49
Reported
2024-02-23 12:53
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2832 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2832 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2832 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2948 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2948 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2948 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2948 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 742a0592b65ebfa368b9b85c8e716a41 |
| SHA1 | f6aba211cc6a8522111b93d451544bed4ab50906 |
| SHA256 | d16c699e94b19da0392e14df75fcde33a31e8890b68e20ed83b3ca042500c484 |
| SHA512 | 9fa0f385e573d188ed427a584a15d2671b6c54ad121b7959f9e913abc8258606e8deda7d7f3d0a0eb5859f9045545ed877672e9dd8357323a1f6ee294c30f74c |