hxxps://www[.]dropbox[.]com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0

Analysis

max time kernel
1796s
max time network
1709s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

OneDriveSetup.exeOneDriveSetup.exeFileSyncConfig.exeOneDrive.exe

pid process

2608 OneDriveSetup.exe
4984 OneDriveSetup.exe
2340 FileSyncConfig.exe
1728 OneDrive.exe

pid	process
2608	OneDriveSetup.exe
4984	OneDriveSetup.exe
2340	FileSyncConfig.exe
1728	OneDrive.exe

Loads dropped DLL 41 IoCs

Processes:

FileSyncConfig.exeOneDrive.exe

pid	process
2340	FileSyncConfig.exe
2340	FileSyncConfig.exe
2340	FileSyncConfig.exe
2340	FileSyncConfig.exe
2340	FileSyncConfig.exe
2340	FileSyncConfig.exe
2340	FileSyncConfig.exe
2340	FileSyncConfig.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

OneDriveSetup.exeOneDrive.exeOneDrive.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

OneDriveSetup.exeFileSyncConfig.exeOneDrive.exeOneDrive.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\WOW6432NODE\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileCoAuthLib64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\WOW6432NODE\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\WOW6432NODE\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuthLib.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\WOW6432NODE\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

23 dropbox.com
24 dropbox.com
25 dropbox.com

flow	ioc
23	dropbox.com
24	dropbox.com
25	dropbox.com

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDriveSetup.exeOneDrive.exeOneDriveSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe

Drops file in Windows directory 12 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDrive.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDrive.exebrowser_broker.exeMicrosoftEdgeCP.exeOneDriveSetup.exeOneDrive.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d00550053000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeOneDrive.exeOneDrive.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeFileSyncConfig.exeMicrosoftEdgeCP.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib\ = "{082D3FEC-D0D0-4DF6-A988-053FECE7B884}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\ = "ToastActivator Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ = "ISyncChangesCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\FileSyncClient.FileSyncClient.1	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\WOW6432NODE\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ = "IDeleteLibraryCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib\ = "{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\ProgID	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ = "ISyncEngineOcsi"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging.1	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ = "IGetLinkCallback"	OneDrive.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = eb9634f48280da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ = "ICreateLibraryCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_CLASSES\WOW6432NODE\INTERFACE\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\ = "UpToDateCloudOverlayHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ProgID\ = "NucleusToastActivator.NucleusToastActivator.1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ = "ISyncEngineBandwidthLimiter"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\ = "ErrorOverlayHandler Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

4948 OneDrive.exe
1728 OneDrive.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

OneDrive.exeOneDriveSetup.exeOneDriveSetup.exeOneDrive.exe

pid	process
4948	OneDrive.exe
4948	OneDrive.exe
2608	OneDriveSetup.exe
2608	OneDriveSetup.exe
2608	OneDriveSetup.exe
2608	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
4984	OneDriveSetup.exe
1728	OneDrive.exe
1728	OneDrive.exe

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeOneDriveSetup.exeLogonUI.exeOneDriveSetup.exe

description	pid	process
Token: SeDebugPrivilege	4784	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4784	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4784	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4784	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4556	MicrosoftEdge.exe
Token: SeDebugPrivilege	4556	MicrosoftEdge.exe
Token: SeIncreaseQuotaPrivilege	2608	OneDriveSetup.exe
Token: SeShutdownPrivilege	2000	LogonUI.exe
Token: SeCreatePagefilePrivilege	2000	LogonUI.exe
Token: SeIncreaseQuotaPrivilege	4984	OneDriveSetup.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

4948 OneDrive.exe
4948 OneDrive.exe
4948 OneDrive.exe
4948 OneDrive.exe
1728 OneDrive.exe
1728 OneDrive.exe
1728 OneDrive.exe
1728 OneDrive.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

4948 OneDrive.exe
4948 OneDrive.exe
4948 OneDrive.exe
4948 OneDrive.exe
1728 OneDrive.exe
1728 OneDrive.exe
1728 OneDrive.exe
1728 OneDrive.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeOneDrive.exeLogonUI.exeOneDrive.exe

pid	process
4556	MicrosoftEdge.exe
1620	MicrosoftEdgeCP.exe
4784	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
212	MicrosoftEdgeCP.exe
212	MicrosoftEdgeCP.exe
4948	OneDrive.exe
2000	LogonUI.exe
1728	OneDrive.exe
1728	OneDrive.exe
1728	OneDrive.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

MicrosoftEdgeCP.exeOneDrive.exeOneDriveSetup.exe

description	pid	process	target process
PID 1620 wrote to memory of 2624	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2624	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2624	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2624	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 2964	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 3176	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 3176	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 3176	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 3176	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 4548	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 4548	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 4548	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 4548	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 4944	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 4944	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 4944	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 4944	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 892	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4948 wrote to memory of 2608	4948	OneDrive.exe	OneDriveSetup.exe
PID 4948 wrote to memory of 2608	4948	OneDrive.exe	OneDriveSetup.exe
PID 4948 wrote to memory of 2608	4948	OneDrive.exe	OneDriveSetup.exe
PID 4984 wrote to memory of 2340	4984	OneDriveSetup.exe	FileSyncConfig.exe
PID 4984 wrote to memory of 2340	4984	OneDriveSetup.exe	FileSyncConfig.exe
PID 4984 wrote to memory of 2340	4984	OneDriveSetup.exe	FileSyncConfig.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://www.dropbox.com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0"
1⤵
PID:2840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:2624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:2964

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:3176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3852

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
3⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Checks system information in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2340

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks system information in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\System32\LockAppHost.exe
C:\Windows\System32\LockAppHost.exe -Embedding
1⤵
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
Filesize
2.3MB

MD5
c2938eb5ff932c2540a1514cc82c197c

SHA1
2d7da1c3bfa4755ba0efec5317260d239cbb51c3

SHA256
5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665

SHA512
5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe
Filesize
2.9MB

MD5
9cdabfbf75fd35e615c9f85fedafce8a

SHA1
57b7fc9bf59cf09a9c19ad0ce0a159746554d682

SHA256
969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673

SHA512
348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri
Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
Filesize
13.4MB

MD5
171efcc8ad06261626eebaac7dbe7325

SHA1
b28d50d781553c7157fb2735b06b9477e71dbb65

SHA256
db6ce1e3bc81c1991a4cb66dfe80563c28d6544997de2121ce3467469b364782

SHA512
74ac9297a674cc50f47fe182d52a78d5b053159152c098dd82a5b43480d44f36c9385e553e30faf9365d8e821d5309583b9cab4849d1202a60a724a8466f969c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
Filesize
38B

MD5
cc04d6015cd4395c9b980b280254156e

SHA1
87b176f1330dc08d4ffabe3f7e77da4121c8e749

SHA256
884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e

SHA512
d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
Filesize
108B

MD5
a0cf8ce7a13eaf3f941f47fb9d8f9c54

SHA1
14351159973a1fa2c79bd21374f91141c1d52246

SHA256
1deb2a4a735c5ea23c91967def1152ee566d00112ed65ad5925e47a27b33ae58

SHA512
ef80a5a6a7d70da1da632933472df9f3eaa68c33d3d9f279bdf475f8dd26430f3f1296bd10ac5a8ec342e5a42793a8b30f18bc7fc06d11ff3c87267271555e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\63FU2WD6\update100[1].xml
Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GE6L6AN1\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\HP9W07NW\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\JE6UDQJT\favicon[1].png
Filesize
7KB

MD5
9e3fe8db4c9f34d785a3064c7123a480

SHA1
0f77f9aa982c19665c642fa9b56b9b20c44983b6

SHA256
4d755ac02a070a1b4bb1b6f1c88ab493440109a8ac1e314aaced92f94cdc98e9

SHA512
20d8b416bd34f3d80a77305c6fcd597e9c2d92ab1db3f46ec5ac84f5cc6fb55dfcdccd03ffdc5d5de146d0add6d19064662ac3c83a852f3be8b8f650998828d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\T77L6KYT\favicon-vfl8lUR9B[1].ico
Filesize
4KB

MD5
f25511f4158c2dfab6aa11a07d026e4a

SHA1
99f63cf1694fa5e52f43eb967462ea0d9eef7513

SHA256
c0906d540d89dbe1f09b24f17b7f35b81350e8d381c1558b075c28ea913c450d

SHA512
0bfb19aec453a1c4d4b8f39602bf8bbf0a98182a98e29e1e1708eabfd99e3168855994a56061ed462c29b099137c226e25ddd274b46ed2f443c2c515a530b731

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFD2A4BC26B7AB07EC.TMP
Filesize
16KB

MD5
4cfa993ea54d121d6bf4cadbeaf722b5

SHA1
a642bca55a422a80d0b4fb566c1670f3aee55880

SHA256
46e2fc976e8fc97313baf12f07f87053605283e06e64d639edfb96255f8343e0

SHA512
4e7de461a42eaac3a45afca79738669983b43b7cdb4d2fc73a700fae316c06030f854b5a01fc7c3b8cd918e9b0b01b47a39b6fd1a9b8bd585c04ad88a830b651

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0050TZ8H\content-icons-vfleGw9Kf[1].css
Filesize
639B

MD5
786c3d29f58a8b1e7b97ab73a901f517

SHA1
fee0217616004a63bcad68e3c6eab9e634f8cf9a

SHA256
a4a4afb11e82f820d7e7782218fead256919e02cc97472afa5831d2caf09b43c

SHA512
e827ba901c0aa9bdcaa498c3fecff6e718823587063b4edde8bbb5776fb6679ba5afb36c99acb25148ac6ff99d9627c950519f2d24e36753e658807969327688

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0050TZ8H\maestro_header_without_nav-vflTJHA_7[1].css
Filesize
651B

MD5
4c91c0ffb19bf502663864a88536fcaa

SHA1
364df391f146d64205fd74285809cce5eca78fad

SHA256
58c3f5c1744f5693cb796dc16639aaa4612596932a1ea2848b36c36906e54f06

SHA512
186f0dc14b57dd4a0c8d0976f5af7b5907d5763a1f189e1612fde7840a8f1c2f877ec64509d9d25f2360fd2d405da416abdbdc734f611553eea288378dd4e164

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0050TZ8H\main-vfl16PDIJ[1].css
Filesize
101KB

MD5
d7a3c32094b126ea229d11df4960ed0c

SHA1
ab37565ff9eaaecb989d64ce99197486ffb28c67

SHA256
973219c3d63cd492a44ce0c43d9c792da4e82d4ee52d5884e0fe747d3dadc0ca

SHA512
5f9864740a0deb4df30bcc9d20711369e0fd5cefc24aee5c515af6b5f6698b964468c4b39da09daf32151122d138b73e4db6f204572506564fa722aa43c33040

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0050TZ8H\shared_link_password-vflAarIZy[1].css
Filesize
308B

MD5
01aac867222088f6914e1fd45ea96d16

SHA1
8fb9afc078147077c37f8f5743ee7139381f73c3

SHA256
d2c0f74ef7f39d94b041667aa5c8e27c440b75d3c673f7ec8ee25e7910931191

SHA512
0a57556f51d35afdd494db9f7a37a6d61194fdf90a1b9adbcb004d595be1bf1210a539b28048fcfe5e767d43f4e2e2432cbb9158494296166d39834564e0f506

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3JZROD1D\components-vfl-0j1S_[1].css
Filesize
199KB

MD5
fb48f54bf3e0eaa08e10524cd8f80054

SHA1
419ffe2db2228e1f4b7b2e93bebd81037a026041

SHA256
89660b33ea8cc57eefca8dcb1fbae7bc9f3de52d02753b431a920285f18b2943

SHA512
d0961105c84be470d4d3ade5226f535294629f9f4e2b9c0e2f076179465fd8fe5c3cc35a806e5944ec4489f97a3fb3c8a79256475bd20872561000c88fd090d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3JZROD1D\foundations-components-vflla-7Hl[1].css
Filesize
144KB

MD5
95afbb1e5121cf9597fe9683417eb548

SHA1
d79cfa15409d3cd8cc4beca9f8749c533542c0b5

SHA256
8df9df7c3b4093be6946677a8a85530023b2694cbf4b57bdbe528af6aaf0c763

SHA512
7d3df45a12251f7a166cbfce50d8e4c6e214136d6f040b45a70ba10de9cb3da475ad69734d0d7360e9c113520e44a2e654d08b67635abef1d97e178368c762ae

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3JZROD1D\foundations-tokens-vflOggBEL[1].css
Filesize
30KB

MD5
3a080110bd2050ca23c0bbfe3f5ed9ca

SHA1
ed202a22bcaea7fc586dbd4a234325a5d84a863c

SHA256
e19da6f5732863f2807db37362a319d0cd3a597a32c0565f9d94fa8a1d58e4d3

SHA512
5a7d86c53cb2dbb26587dae79ca55eefac3ead17b70267a65a167f84dc767bff5f073c79f201e1fb4dc7361362afba4271b3a3831084fb3bb7a78c6ddb6768dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3JZROD1D\icons-vfl9yBwLd[1].css
Filesize
374B

MD5
f720702dd8700a786ddcf4806413bb54

SHA1
beca85e84974607301ab98ded41f1b8bd42a612c

SHA256
dc934b1c526aa9591a10a41a8e1d6b643128ebeb1e116526fcf08946ebc77477

SHA512
bf24e88779bf9f2b90f63fe60900c068c2664782141feca8d5abf9bf85b8baf03935263562178be3ff1c0ca7f7386a921535760aae5fc4f07b0b5d4d246c006c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3JZROD1D\layout-vflvc3veE[1].css
Filesize
454B

MD5
bdcdef784016e5670add0865f2aa471e

SHA1
2d35ae0e4d508f48c2798b192d71234e31176025

SHA256
87af97825dca3e62df3cdffda7cdaf81911e4cd10d23f9df37c6889fe5ab9a32

SHA512
41a8c9229796a687d906f2c1f0a0a6b137b42e391b33328172a449d946f13eb18f5ebdcd349a6003272ad18f11da2e64f5abc8eba6db8e2cdcf4539bdba3a92e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3JZROD1D\legacy-token-migration-vfl1sMmEL[1].css
Filesize
4KB

MD5
d6c32610bc01d28d09392e8cae4869e6

SHA1
1a248754b2853d6ffa0381bba3c4ca65c1af19c5

SHA256
107f84edaf1294b3b3681d48fafe9de85165493d55ea9c361fa08ecbd7994148

SHA512
1f62f8fc1a3c6165019b7d736e04154d55c5135f83ae3a67e07fe55c00a2714297061c93a79dd5a9b710c6ac00f5286ec4e9992836802c223f5a4aecd518112d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3JZROD1D\logos-vflS4tFqD[1].css
Filesize
719B

MD5
4b8b45a8328e05080a385fc853b5e1d4

SHA1
8c881000c937bb59e9749d049a750af8a2db3724

SHA256
381c5fc25378010ac1234abdd8a81b6443c1faa1947da7402e095c4f09a02a3f

SHA512
871f8a042d97949a067b8e17b89499e48a7afa7236d586d2c4e3ff9ff51d9db37e265d65dde2cb860cf25a8b6ade602bf1b39cfe93a57c4eeff9bff84eac220f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3JZROD1D\maestro-layout-vflvEmc2B[1].css
Filesize
11KB

MD5
bc499cd8152aab52a9fa67c399c44520

SHA1
f9f8d949360e899576df95c12bd3a6d52c04948c

SHA256
4ab8c06ec9373c830ae21a2af91932cfc0cc9778ac2cad9cf8af33b877bd0bac

SHA512
313809766ad55d8de01582af040b5c4afd7b1ac1bbc6b4b2ea51ba1979edb414daaa2af0d45951d4b5e7964165721afbba36579e5d96eafea59dcc48f6594d3f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLAU27FL\AtlasGrotesk-LightItalic-Web-vflq-t642[1].woff2
Filesize
45KB

MD5
abeb7ae3662f41b9e3c31ed27b5fc4f5

SHA1
b3d101e2318df17e79bc270b6ad9cb31e15dad51

SHA256
c9ad6c9f410c3720b47cc294bd0b01936892f35cf2de765ef5d4a669f94ab1e6

SHA512
fda1d0bd738172d0277065a74bdf1f83bf3a433795e604d03ff59d29a8c664288e92fd6078a2b942e51ca5c234c79cfb0a441c501d1e8e2d47183670b72798d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLAU27FL\AtlasGrotesk-Medium-Web-vfl38XiTL[1].woff2
Filesize
45KB

MD5
dfc5e24cbc1b134e0c00c61e84ec999a

SHA1
d3b1a8ef1d0f6f9162986479252570525719f203

SHA256
b5db3e633ec765fc01a19c06b0955d56c2503285e59d8d348d08ec34abbfeaf3

SHA512
48726cb83bdd0eb6822a73734ae272286483e8aeb6e18f57e635ed9269ca3c6c62e2d900224138dafe32a79a94c3c7694307ff413505d695a77fe602681df27b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLAU27FL\alameda_bundle_ie_en-vflXFwp8G[1].js
Filesize
497KB

MD5
5c5c29f0668dbac101bb3fdd0a6bbab3

SHA1
ad8d1e29e8d20a14b40ea487d6e42eb6698a37c5

SHA256
afb3c23fd8f17feac34203d6009525dad53c54b5725e96bbb83fd1e063c3f77b

SHA512
0defcd3bc5825f242b5c9ae262e4386fa9a583d35839e64d3fea3fa4c94397c1ffc156dcddae4df8323304f49c199482b4ad88fbc297c43028ce4544fcff36e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLAU27FL\index.web-vflzskH5s[1].css
Filesize
661B

MD5
cec907e6c6ffc8a9ab17ef3b55594c09

SHA1
b7f3c53649a5d92519432131668b64ee9be4d6f7

SHA256
79c73ec9a3623dc520f67d84b0c33e59a9e570f8560088b0ab1ea9ca37bf27b1

SHA512
67bcefc4629fba58438917f56d13df1184a80b63ce6c4b3a878851bdfd3a8fd9fd24887ec85f08fbb8617eefd65744a1495e351867e2ec68850fe2d59d787881

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLAU27FL\notify-vfl4oJv2S[1].css
Filesize
685B

MD5
e2826fd92d6dcaf79021355095ec49d9

SHA1
1572da7f97839408214f18af79c69611040e2084

SHA256
2c456c7236ee6f3541118c38ae364cf303f38926ba99c7fd65794802b172acbd

SHA512
aae0ee51ef9775a745e1b4a4607829609a54c211ed1c96303875fe6465770cbb54e267833e48c43bb7723891ff3d774f33200d6d8f5368817b085f946315ef85

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLAU27FL\privacy_link_footer-vfl2owwAT[1].css
Filesize
323B

MD5
da8c3001331baa240c6f538a8cdd6a71

SHA1
b54febe9e1295192374c7612bf2b1d219dc5f203

SHA256
ee82d13b3a76b820fcf88322d04fc0a6ff70031b8cd151f3528e2f5c201db8ae

SHA512
ede80fab0e83843a2af43a93eb89775f2cc9a8607031d734682ce63f7ce692231392eb250960f7ac339bba5d1671b9e6dcc94bfc0b520a70279f3446477a8d36

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O05GZYN0\css[1].css
Filesize
980B

MD5
faeacd7c4c4bcb2f4c7022c168a642ea

SHA1
93df54226df42b35933a75e6b337958eb11e087b

SHA256
fcc6cc46ceba4f03030cbb52ece0146b7b23dac49c24907538d8f51de4891552

SHA512
999cffc44769838d8cf73f4522b6079bd4d0f56b1b21797404df894806f9add5134dcbd9b8aade5e65acc5cdcca436bf13e53f66d8757e886754ebd5c645bfbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O05GZYN0\index-vflPKjvNC[1].css
Filesize
13KB

MD5
3ca8ef3429588f720db56cf0d04d9b8f

SHA1
a607f0897098a47b8ce5d345d701e0f9ae1c469d

SHA256
6dce94c58fff95911cc26ede71e241f3855abe2432aaacf95713c0e9f7f9ea0c

SHA512
cf1d10ece80b3058b652e2a8963cbcdd083cfb6f3597d9551c14f84eb7443908973afc5630a50ebfc87184df6c9771f047a7c60154a25a22bb3c24fdc895ccb0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O05GZYN0\receiver_flow-vfl4w6TrM[1].css
Filesize
6KB

MD5
e30e93acc38ef912f3d5f0e73b391350

SHA1
ed0389bbcc88c24e8ba242ff4368ddac5b9e72e3

SHA256
e59eb3206379152053c4760be664b329d4ec36495b7b20883e5cf23f8801f4ed

SHA512
a7698e2f15bce334adc28da45ae893049135c70f339564ad4fc63d07efbce222dc15a2df52b1f220512ec31db453a81e251e4c7d62bce9866867c985de0084eb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O05GZYN0\web_sprites-vflwRzO2P[1].css
Filesize
149KB

MD5
c11cced8f4585d6887d82ef1bc8880ec

SHA1
fc93d38e2e428d2ef6089b4f2bb8b9193666e029

SHA256
09347e91e95145505fbd5e5b1daa2a3b3d659c1c7ee28bde2fccde299d63021e

SHA512
10a17943d49643f634cea0830815bb0e4d21967edef54e6be968b123d21c756c5e28712ceae5bf08b0c3dfc029028d80dbca7b8f97a47a9f8738df7ea66857f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
9290f3198f8ddb5649898ab51009fe8f

SHA1
1fa75df5473164313bbfdf347f1e4fe4c919575e

SHA256
6f3d550fa4a27c135f3c74bb48e6a7a17738065c5663db31a65665406534edb4

SHA512
b31bc245a7ee20e970a071f9ad980a2966828cc7aeeda4af6c41809bbf072fc3c24b9e0e7039c45e0716bcc9b3ae5984ac4e3b37a0fcf7d56028b09a8d0457f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
b2655f790053cae9fbf1d5c722528cc5

SHA1
39ceda9cbbfada69f721442ea6f440ce9f239d86

SHA256
5aca3cadf943020669170b188814b106ba7f3faf08eae8687f37026aa3723dd8

SHA512
b8364eaca24ea8b55966e8d5ae1109e4f24d0eeaa69d6e51ca68f6bf20c775f0b2953123cf2d5ffaf8bd6d0cf80b9d03538d83109e704925ee698c5f5cdb3c8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751
Filesize
471B

MD5
d2900c23cac43b60f5d0970fb106570c

SHA1
f65fb2a586d9983f3671a7b03a9037f3a11ceca2

SHA256
d5d67a6d2ef80ffe114788abc1b9771eab42a06b286ff957e8685b3067425451

SHA512
397c1d65cfabf514d08120455b3cfbbf5ff6fea7d7f07e275d338b534caba4f857ead0822888db3d171355aa21f437de094bcd4f83ad5e45bbcf5046b408a6bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_C2A2361C3635E6A0E998F8D1C20C042C
Filesize
471B

MD5
93e4d74ff495cfda6d4411265aaab571

SHA1
1655ac63eb1b559582f175e8d31bc38d03767678

SHA256
b2ecf807725c3a7bbb7ae9a934fca7433520b9fec38b537666277fc4f8dac2fc

SHA512
d8387855f3eb30ad27d91043411cd360d95dabf0eea60bdc8a2cbb067d19f4475852b42fcbb0a25f4848e75310d943ed2104b7bc654f0ae38c064c673fbc4b8f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
e8e042546753bdc239bd1082655be915

SHA1
221ff17430d2fd6e77d40eceaed8e162dc25b8f9

SHA256
c523659945dad632bda8508bcac2b4e8999a92ac24ff47e3789aa61aee9b0e8b

SHA512
38391893cf0f6ae8ce0e5bdbd65716363285d18c4cfb5d874cc1a75d80818abfaa138126a8e04f817ce0686ca7b548617aa16288b1d6443b94870f266721a9e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
4916b015973ba979e5cd72ed6960a774

SHA1
f435c44f76ddb703d51dd967ef4909443ff5fd58

SHA256
66647e7788ecaa66e964ab8862d507f387fbb69f434f62fb129cda3658eb4729

SHA512
1941e488cae143b2079059e54a5ce4fe7e9677f8b0be006153964aa2464fde12fd4c87b6265cf7158322246b628fa2d795bc562b3c600c517c9fd8f05a24617c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
b04003c748220ce3263e62bc324ccf05

SHA1
40cfc15ff4de27cbc2ef9575d80a71f074ce41a9

SHA256
2b3814d98e3ea586431fe053e9b547b709372ed7c18ea9da0978a936dc3f1961

SHA512
1e29ff2ae65464bde1114bef0d4ebc67b32dd52d093284cc3e2b8708f36645b5fed6219b60d10fe07f68a97c2f57646ee00bb432ec269c7dfe1dc3c283d8fb7f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751
Filesize
396B

MD5
63369024731f3cfaf095997a88bf72aa

SHA1
4787b1c240b5c40e8caa01e2a10b406b1a6b6b81

SHA256
c6c9c49c2ca0108c10226a20ab2fd058486367673c6ede5e440f5409f8aa5695

SHA512
3bd07bb3997b9ffb19d2bd900b21286674268b57a18f3f73a1b2221599baaec6f8f6bf1c65c9cf5637816bd12aa2bd79b2ddb13c8ca8bcc1f3a77198ea992bf8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_C2A2361C3635E6A0E998F8D1C20C042C
Filesize
404B

MD5
604d9b7dcf2ce92bfa6bc61647797918

SHA1
283debe36a9d877298a06b64b82fe8dc0ac4e8ad

SHA256
75989825b1b7b6c140913368b2aa8da5416ae995d62d9d3a5c0c12d729520379

SHA512
7dad3ceeaa2270c64f93c452df8cda58e1f960f0330f5116b66a70e75d97d6af351808215471faf9f5e8ccb721331e2a26cf740ae0c4ffedb190efd44011dc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp
Filesize
35.9MB

MD5
5b16ef80abd2b4ace517c4e98f4ff551

SHA1
438806a0256e075239aa8bbec9ba3d3fb634af55

SHA256
bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009

SHA512
69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4

Download Submit
C:\Users\Admin\Desktop\CompareConnect.mov
Filesize
414KB

MD5
adbc6e008b0d36b6cd6016c60c348c84

SHA1
cbc9f796a8607a59947ed2e69d88d84a66c50b10

SHA256
ac070ea789afc4f59c674aed2526be92a3e47444837ec3f080de8cb901a4bef8

SHA512
ef66d3b5c03eea768dff379a177a8d4ed0fc096691b21f3724fe50f12aae3baf4b0744309c59282a47e0f51a5e48d55541c5aa7490c7b41cc615816666791c4a

Download Submit
C:\Users\Admin\Desktop\CompressRestore.ps1
Filesize
153KB

MD5
83e4fa9fb04ca32990a7232836468d87

SHA1
652893b7885fda586c5e2a33485190295f811f79

SHA256
ef12959d4944e54b5d163a051f8f81e790dc02fb03b67802bf2be8346075fdff

SHA512
0d1c3ef86ee21b057d2b226a0f5ee19378e11a6b8aca2d5953dac141d1f29d9a175c7b40e40fdef2f05254865cc993153949b4bd95540dd2ba7370e9e8f60c74

Download Submit
C:\Users\Admin\Desktop\ExpandUninstall.vdw
Filesize
598KB

MD5
5e655c292b63d42495e4c60e88b588a2

SHA1
a9e70f49d62c70af1ecfd71edd6f80566b2052cd

SHA256
1c96396da2167060dafb2b86e5c849b6d44c0d60ce691bd5c10a3385ed408bf1

SHA512
fb91857757e2f08178b39e859dd1537575e7070020fc696ce20862b820d9e6049bc7ba40554f20586c01a952020efcd5d9618a52a75a49cbdeaa5d86f0d41c96

Download Submit
C:\Users\Admin\Desktop\GroupShow.asp
Filesize
291KB

MD5
1c19d5bc574c9d741ba0e3e09cbef8dd

SHA1
63fc7df54fe4a1801fabf5c0c9d791dad7067959

SHA256
879e18c2fff460072683a44d2265e4ed504460715f3e8d10df6b7a2189eb9cb5

SHA512
01148c9a308dd722c3c959b2bbdea18ae8bbaa5ae8fb465998374b9ffaaa3b144f3b2029b6c31e30559c50e202b596b7d85f3bb9772f821c9a6071882a6a64b8

Download Submit
C:\Users\Admin\Desktop\MeasureExpand.vdx
Filesize
384KB

MD5
8aff33445af788df2462f2bbf1ce8a35

SHA1
7197f86272c206ea5e310f5df12de51cf3a82cb2

SHA256
2cbd5b570b53e2797162edb0fb8ac2d2a9e5d45ad98e22edeab5e41e37ad88a7

SHA512
8181186bd5cb8073316d225efac42237e0106c39759f2bde85f1032975fbd7f21feb55be531f7aef8b51a29cb6059871902a0cd0244ab956c1ffb43480961dcc

Download Submit
C:\Users\Admin\Desktop\NewLock.sql
Filesize
322KB

MD5
2b9dbccaed7ae3861de5195ab65f0db0

SHA1
f0dd405b35d7cd7ff976e3336a700747d2061618

SHA256
b2bbbc11acba20d7f51392a6d71a428f4b24b60dce2891414ee751d56c879886

SHA512
43d5a993a8ce5cdadf719a9382e593b328caf74deab7041bfea4b9b88cf25fd6b13eadec4c0b07b07aa262841c1f29d876d6c35368ce3e54d1a5395548cd3ae2

Download Submit
C:\Users\Admin\Desktop\OptimizeCompare.dwg
Filesize
230KB

MD5
0202a41093c22fd56e46ea9453dbe2d0

SHA1
4e9567b770e86090a56182d423eaa89a61a3e781

SHA256
1d920ca7e5a00fe9da3fdad13453e633c72b8288fd23c8e4fb2d67a4b66692e0

SHA512
e2fb9df8b0a8faafd6c1472c1229c41d67003a68d5ff9993a096a0f296f33af25655af0ec24edb19f1821fc9898a8307ebdd430ad5d469c1d0c4a869b61aee9c

Download Submit
C:\Users\Admin\Desktop\Pictures
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\RemoveResize.clr
Filesize
430KB

MD5
e8180cdec547df4cba110c68ae0b589c

SHA1
9529a3c39edb8e8e0fdaf7f8c296a3d1c913e1fb

SHA256
1cc92c1ba38d24aa83804816e5a26880267776b451df82df0955922ae1982efe

SHA512
ae715ad77d466973fb4affcd5b227796028aa6657e814988c6455ae19215052499b38492fafab43c41f9f28007889d7cd8253691470a8a2df6690d05b8f91881

Download Submit
C:\Users\Admin\Desktop\RepairFind.ocx
Filesize
353KB

MD5
077d854b94095f6e4f0fbe510de8abd4

SHA1
9f868ea1bf7fbb4e4a8b4a3a31b5d616aa65c4d9

SHA256
9d03eb8ae62b3119f1ae5ba3be990214fb4de7eb279a83f7638a51ceb24c2bea

SHA512
cd51d6f7a96dad35f89770bcc9c8a6b7fb070901dbef9a424a0fb25df1172a91cd1ad771d4a2d7ba7381005d5b1ced348fa22fc0bf2180d606dba7d9a5daf1bb

Download Submit
C:\Users\Admin\Desktop\ResetGroup.xml
Filesize
261KB

MD5
c26c887f757f26f1183ae643505d85a7

SHA1
edde5018626156355ac5ff7241e8ee65f128a1fb

SHA256
dc0e038b54a3f1cc5cd7463b9e1e88a71916f3ad053ac397d969db98da3f74c5

SHA512
30e2fb032592f45058cfad455bb6776157f31715772337440658cc3126239b249eed96ec0ff029cc122d50777fc88c78e07f0e715115a2b8365f7d2a22549acc

Download Submit
C:\Users\Admin\Desktop\ResizeSend.wmf
Filesize
184KB

MD5
1f41103602581b8ce5d0f52b3792e167

SHA1
15f2927bf707fc5b48090bd809203480aeb5fb4d

SHA256
d1edc6a42663ff5a2b5173253a07ecd4025d10a228aa447f029bc67b7918acd2

SHA512
dff3cd264cdc8f804ef6398d205f9cd960bda1ca81450e5dfa27a2779b6333cf85a8eb13e9cb3b0218fa395fdd0b250ef1bc3c7178ed6a43baee2765e65521a5

Download Submit
C:\Users\Admin\Desktop\ResumeClear.vsdm
Filesize
168KB

MD5
0ab3cba392c3540267812d168e22dd7a

SHA1
cd5c1abc1a8145ef3d9163ba308ba65c7875a684

SHA256
50f1086520edb564137e239b54ccc93e8b0b1ee2f5d7bc7ecf75a9f285546d9c

SHA512
def36d69a86732e5398b61783ee2b323071580157f6fe04ec098f10a178c910f5fadc9b4a82e8ac9ff378d7bbafab36fae5ee0a35400ba9a30c271f892cd9a7f

Download Submit
C:\Users\Admin\Desktop\ShowEnable.vbs
Filesize
245KB

MD5
547306e45cb3ee7dd96156a9b406317e

SHA1
48b8c29463d11192e195ed3a67c21ea29122492b

SHA256
66e667e738f4e689c178bcbf325f5332414e43625cc8d55b63cf1138f342a99a

SHA512
e430bf36db5dc46369d410d7f0cfd97db39e70471fc27ba0da1e61ca80d2e48d5bd6dd7d5f4fd9c9816bf69d4e4cedf3f7a0ae9ef233fc7712a1655a4e5cfe41

Download Submit
C:\Users\Admin\Desktop\SyncMerge.wdp
Filesize
337KB

MD5
1763737139ebe4eb471543616a04c919

SHA1
8941059dc921ec24b5d796eb3415fb9bc90d5817

SHA256
a0433caf53a926b32f1d8daa600c4905fb0ecc9f9d3b21b0cae5e96b0fa6625d

SHA512
b8bbf55a6789e713b31cf801902f6c33e2b5d51b60be054e4c2b2dd0ba2f6648c791f7fbea6ccfa14a8947ac8c2d21ad3ddaec955ed4a281fd15c817792e04b6

Download Submit
C:\Users\Admin\Desktop\UnblockMerge.midi
Filesize
307KB

MD5
d88faaa4667e735caac4fe908a2d2289

SHA1
bec57a88684238ec6fb087341a6e748163519fda

SHA256
c3814a97e34abbca5bfc17e546a188587c3091af9bac484223ad8b3164d26ad7

SHA512
ae2ede3db504197a5e5c1421f288ed2200d1128426142b6341750bcc8e4042936abe871533ac5ed095ba5230d40eeec6fc15c7002bb31552851acfc6d58ec7f6

Download Submit
C:\Users\Admin\Desktop\UnlockResume.zip
Filesize
368KB

MD5
64edc7a648fbc34790b9a452ccbba888

SHA1
561bdf79289179b4e856095e04b62cdde5220635

SHA256
4fc72f7c5e6c5e443b68c3c340f05b46d2c878c3a7d0f429505103be297d8adf

SHA512
a1eff836bc769028ce9e56ab776e01b1d9e89120e8f9ea599dba4c73db077837fe9cae8d5c7df1e8eef9465bb1ce52344560397e34232e360566f4ee015ec23b

Download Submit
C:\Users\Admin\Desktop\UnpublishClose.txt
Filesize
276KB

MD5
c9a454d541203c2d0216955eea95212b

SHA1
aacce1b563e3e2ecd77edf0fbb00930c3ed0034d

SHA256
8967b41bd159f461c30ec2ca751fe1ef060ca1722a50ba7d5370c92ae0ada664

SHA512
a9f883cfacee5e46ccd15cc998573ca1ea062b43840de31a3a4dd2ff23d29368e149855d1975b1da4f4c7127590446f4d354625fc483a4eeab53ad1d2332b832

Download Submit
C:\Users\Admin\Desktop\UnpublishCompress.dwfx
Filesize
215KB

MD5
4ccbc834e86e0e4187ef3195f22283fb

SHA1
bf51b3d9b02db363f45b0fe4739a268b24c710c0

SHA256
69d884a64590b33dde5f7da8a62bfad26b3ccbeb4b6d006d04d9cb97ef0c0e65

SHA512
20c637e9a35a9a56edc5562ee12303ad8711f2062a51e23be80d614067e9fb4dd2afbecf23af60936cb895ebf3fda81116b9cd5e1f2625fd2cc70ef27f9dc54f

Download Submit
C:\Users\Admin\Desktop\Videos - Shortcut.lnk
Filesize
740B

MD5
d67184ac545632cc0ae2070aa162bd3e

SHA1
7fcb365c26a391a6d8bed6628a0e4b4e2a422261

SHA256
2d8b3fc35e13eebb19ba3eb9dab31d715935e680cf2e0d88945399b5f0cc2002

SHA512
b072ab511420807c578a9a5f40c3a5bbf72e752d29c83c508ced311be5c3fb02c031dd6e8a51d0520b2064d3cc11807b3ac7a6c7bcdce6b25c303b9277fd2855

Download Submit
C:\Users\Admin\Desktop\WatchClear.pcx
Filesize
199KB

MD5
8f02c8f561a8d0e6a2628488e35b3e4b

SHA1
bf23a8a3c537cd52614d33123ccada5e5eb32190

SHA256
b4c92d2ff501fb7f3e6a2ffdddc30f6eecdbd5f2d1c969e6041f624721cd85fb

SHA512
2b715778cd5db64e04d7e7ea0fe9d0cfc1217e6a99c85c204b0c0bfd25dd0b63669deb802974f98c40dcba2b8eb82a5373031fb9c45dbab84c2a2135b25e01e8

Download Submit
C:\Users\Admin\Desktop\WatchStep.ps1xml
Filesize
399KB

MD5
fa3baae59ca866079d70ddfe506456be

SHA1
d4c779f4ab235ff0b9c2a35741624486192f497b

SHA256
54cc0180c5c8b7622ed17a4350566944d641ad63e0c783ca1cb0d4720695a486

SHA512
c82d1aff6cea207994fcc065c32632a5d925a4880ba78b59177c60be425afff0c79dd91f54d5fad22e86161f8fc9099db8ee4158031db703b69e2440e8615446

Download Submit
C:\Users\Admin\Pictures\RestoreSet.svg
Filesize
988KB

MD5
0c66b7a18e773028ffc36605394d7d00

SHA1
e497a94bdb9d137ce6fd561f76def1cc8549049a

SHA256
ac7cff99ca80ba81c86e5637c7a90a4f3bc13ff72e1029f66c1e0170d0b28605

SHA512
68bef5584375da78da6c3e75ee75231a2b8b160ba84552d4a969e8dd101cf4ad4ed15e44a4ea33de36fcc43ed7ee2c566e1d8aac015a0ef3fdbc94f2470b505f

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
af721c3e04f62697c2996f670c6cae32

SHA1
f053ed84baf98c30324a04ad935d5dca7b312086

SHA256
ce5671e02493187cc54954e057837fa009d95975a24cfd817928869daa651db6

SHA512
71aee3e4c990ce1b3b819837624a7e4fa297149429a56f7b767c9875cf4ba161e001602bc22322eafb296e44d67d9fe65d9c10e6fbcbe0e6161dcf16b57287f2

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
f8f6c2f64f31b6948e164262f1b303c6

SHA1
325b53666c51669e4395a90c3e319a8b09832e40

SHA256
edd4c92db03659380c8053eb60c7ef5636f02c74ebae41c27486105fcbc2d20e

SHA512
1528b8f1312957947da1d6125d5b03da408a2088652795575374d92d5aef7b9c08764a22847545ec86660f84b630f0573cc3a913bed9eb439b409510aeda0acb

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
ae1e48d9783f51114eac96e80d92dcb4

SHA1
c54f9e27424072dc28dc6ed57dcea71245b5e240

SHA256
d6280f0270a38a793972747b8a6049931e635ae904f153fcbdd3faaabc9d5646

SHA512
db1d21531382f447b8a2d16b7ba7eac93efc8ae0816bba0d61b4ea43298e0bfe4bcfb503502766a5fa7fc4ac848a3f656b517092545a27d290ae786782193fcd

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
57b4ed4aeef8dac53ebd0c53624768c5

SHA1
a83043b156edb42de4750b0157f3fb2b02ba8672

SHA256
d937e19cbd6c472bcaf77059d9d2623b388e15d741d2def6f1a23d6b4a371485

SHA512
329222a5171f119c43455ae8e943862a98d5dda5b1debd954489dc0b92003563330fbb2bac2ac6c38d63641597871ed1cd8c69747099d9345de8a84bed2edf34

Download Submit
memory/212-427-0x000001E9869E0000-0x000001E986A00000-memory.dmp

Filesize
128KB

Download
memory/212-441-0x000001E9972A0000-0x000001E9972C0000-memory.dmp

Filesize
128KB

Download
memory/892-306-0x0000019271840000-0x0000019271842000-memory.dmp

Filesize
8KB

Download
memory/892-287-0x00000192715E0000-0x00000192715E2000-memory.dmp

Filesize
8KB

Download
memory/892-304-0x0000019271830000-0x0000019271832000-memory.dmp

Filesize
8KB

Download
memory/1728-1560-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/1728-1527-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2624-191-0x0000021E00160000-0x0000021E00162000-memory.dmp

Filesize
8KB

Download
memory/2624-197-0x0000021E00240000-0x0000021E00242000-memory.dmp

Filesize
8KB

Download
memory/2624-195-0x0000021E00220000-0x0000021E00222000-memory.dmp

Filesize
8KB

Download
memory/2624-188-0x0000021E00140000-0x0000021E00142000-memory.dmp

Filesize
8KB

Download
memory/2964-223-0x0000029690870000-0x0000029690872000-memory.dmp

Filesize
8KB

Download
memory/2964-226-0x00000296908D0000-0x00000296908D2000-memory.dmp

Filesize
8KB

Download
memory/4556-0-0x000002BCC3C20000-0x000002BCC3C30000-memory.dmp

Filesize
64KB

Download
memory/4556-35-0x000002BCC2EA0000-0x000002BCC2EA2000-memory.dmp

Filesize
8KB

Download
memory/4556-165-0x000002BCCAAE0000-0x000002BCCAAE1000-memory.dmp

Filesize
4KB

Download
memory/4556-16-0x000002BCC3E20000-0x000002BCC3E30000-memory.dmp

Filesize
64KB

Download
memory/4556-166-0x000002BCCAAF0000-0x000002BCCAAF1000-memory.dmp

Filesize
4KB

Download
memory/4952-136-0x000002B0007A0000-0x000002B0007C0000-memory.dmp

Filesize
128KB

Download