b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd

max time kernel
144s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OneDriveSetup.exe
Size

48.0MB
MD5

1382660b084b8791b400739542442783
SHA1

3ecbe73642812498f3e4fad5dc47f8a9573fd4fb
SHA256

48a181bb27dcdffbf2d467e6004a40677b68d2d07399dd87f5ee0a2b51e5837c
SHA512

8d49071449384678794a0188bad7b3cdfb2c90e11b36b5923b38362dbf21fb98188f5eafc5d5b41f6dfc8ed5d88335600a17c044af05f1afa8a989d86c7463f2
SSDEEP

786432:2QAM/bg9LA622CSAqL7Xis205pR40RKBVLiRIBqVbCj1/IwInTVk0:26D2NlbF5pHKQXbCJ/IA0

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 23 IoCs

pid	Process
2140	FileSyncConfig.exe
1872	OneDrive.exe
2884	OneDriveSetup.exe
4404	OneDriveSetup.exe
4800	FileSyncConfig.exe
1916	OneDriveStandaloneUpdater.exe
4024	OneDrive.exe
3036	Microsoft.SharePoint.exe
5020	MicrosoftEdgeWebview2Setup.exe
4100	MicrosoftEdgeUpdate.exe
1884	MicrosoftEdgeUpdate.exe
2140	MicrosoftEdgeUpdate.exe
1596	MicrosoftEdgeUpdateComRegisterShell64.exe
4416	MicrosoftEdgeUpdateComRegisterShell64.exe
1280	MicrosoftEdgeUpdateComRegisterShell64.exe
1048	MicrosoftEdgeUpdate.exe
2312	MicrosoftEdgeUpdate.exe
3384	MicrosoftEdgeUpdate.exe
4780	MicrosoftEdgeUpdate.exe
4400	MicrosoftEdge_X64_128.0.2739.42.exe
4764	setup.exe
1536	setup.exe
2140	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2140	FileSyncConfig.exe
2140	FileSyncConfig.exe
2140	FileSyncConfig.exe
2140	FileSyncConfig.exe
2140	FileSyncConfig.exe
2140	FileSyncConfig.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4800	FileSyncConfig.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 26 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\fi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\ka.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\elevation_service.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\msedge.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\msedgewebview2.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\edge_feedback\mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\128.0.2739.42.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\msedgeupdateres_eu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\ga.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\bn-IN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Extensions\external_extensions.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\BHO\ie_to_edge_stub.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Trust Protection Lists\Mu\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\psuser_arm64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\identity_proxy\internal.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\edge_game_assist\EdgeGameAssist_1.0.2729.0_x64.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\identity_proxy\canary.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\mr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\sr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\msedgeupdateres_sq.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\az.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Locales\az.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\msedgeupdateres_fr-CA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Locales\de.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\psuser.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\MicrosoftEdgeUpdateCore.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\ko.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\lo.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\BHO\ie_to_edge_bho.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\128.0.2739.42\Locales\sl.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1048	MicrosoftEdgeUpdate.exe
4780	MicrosoftEdgeUpdate.exe
2140	MicrosoftEdgeUpdate.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Colors	OneDrive.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\IESettingSync	OneDrive.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\PROGID	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{886DFE8E-D1BB-4062-B7C6-57DA328A37F8}	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\NUCLEUSTOASTACTIVATOR.NUCLEUSTOASTACTIVATOR.1\CLSID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0\CLSID\ = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{B5CDC0E5-9558-4899-A58B-5D894F493C1D}	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\0	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\WOW6432NODE\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\PROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\FileSyncClient.AutoPlayHandler\CurVer	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.15\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\NucleusToastActivator.NucleusToastActivator\CurVer\ = "NucleusToastActivator.NucleusToastActivator.1"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}\ = "IOneDriveAsync"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{AB0CD980-906C-4FBB-9A5D-9E32A3C0CB37}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\ = "ReadOnlyOverlayHandler Class"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ = "FileSyncOutOfProcServices Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{7AE67172-9863-42B1-8750-2B85084FD8E8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\24.156.0804.0002\\FileCoAuth.exe\""	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\SYNCENGINEFILEINFOPROVIDER.SYNCENGINEFILEINFOPROVIDER\CLSID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\WOW6432NODE\INTERFACE\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\FileSyncClient.FileSyncClient.1	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\Programmable\	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\24.156.0804.0002\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{e40cef71-c060-48bf-832d-3adc3e5985a6}\ = " IFileCoAuthNotify"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\NucleusToastActivator.NucleusToastActivator	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ = "ISyncEngineBandwidthLimiter"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\PROGID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\WOW6432NODE\INTERFACE\{E9DE26A1-51B2-47B4-B1BF-C87059CC02A7}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\24.156.0804.0002"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\WOW6432NODE\INTERFACE\{1B7AED4F-FCAF-4DA4-8795-C03E635D8EDC}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\WOW6432NODE\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32	OneDriveSetup.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1872	OneDrive.exe
4024	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	OneDriveSetup.exe
2652	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
2036	OneDriveSetup.exe
1872	OneDrive.exe
1872	OneDrive.exe
2884	OneDriveSetup.exe
2884	OneDriveSetup.exe
2884	OneDriveSetup.exe
2884	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe
4404	OneDriveSetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2652	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	2036	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	2884	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	4404	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	4404	OneDriveSetup.exe
Token: SeDebugPrivilege	4100	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4100	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
1872	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1872	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe
4024	OneDrive.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3984	2652	OneDriveSetup.exe	93
PID 2652 wrote to memory of 3984	2652	OneDriveSetup.exe	93
PID 2036 wrote to memory of 2140	2036	OneDriveSetup.exe	98
PID 2036 wrote to memory of 2140	2036	OneDriveSetup.exe	98
PID 1872 wrote to memory of 2884	1872	OneDrive.exe	102
PID 1872 wrote to memory of 2884	1872	OneDrive.exe	102
PID 4404 wrote to memory of 4800	4404	OneDriveSetup.exe	107
PID 4404 wrote to memory of 4800	4404	OneDriveSetup.exe	107
PID 4404 wrote to memory of 1916	4404	OneDriveSetup.exe	108
PID 4404 wrote to memory of 1916	4404	OneDriveSetup.exe	108
PID 1916 wrote to memory of 5020	1916	OneDriveStandaloneUpdater.exe	112
PID 1916 wrote to memory of 5020	1916	OneDriveStandaloneUpdater.exe	112
PID 1916 wrote to memory of 5020	1916	OneDriveStandaloneUpdater.exe	112
PID 5020 wrote to memory of 4100	5020	MicrosoftEdgeWebview2Setup.exe	113
PID 5020 wrote to memory of 4100	5020	MicrosoftEdgeWebview2Setup.exe	113
PID 5020 wrote to memory of 4100	5020	MicrosoftEdgeWebview2Setup.exe	113
PID 4100 wrote to memory of 1884	4100	MicrosoftEdgeUpdate.exe	114
PID 4100 wrote to memory of 1884	4100	MicrosoftEdgeUpdate.exe	114
PID 4100 wrote to memory of 1884	4100	MicrosoftEdgeUpdate.exe	114
PID 4100 wrote to memory of 2140	4100	MicrosoftEdgeUpdate.exe	115
PID 4100 wrote to memory of 2140	4100	MicrosoftEdgeUpdate.exe	115
PID 4100 wrote to memory of 2140	4100	MicrosoftEdgeUpdate.exe	115
PID 2140 wrote to memory of 1596	2140	MicrosoftEdgeUpdate.exe	116
PID 2140 wrote to memory of 1596	2140	MicrosoftEdgeUpdate.exe	116
PID 2140 wrote to memory of 4416	2140	MicrosoftEdgeUpdate.exe	117
PID 2140 wrote to memory of 4416	2140	MicrosoftEdgeUpdate.exe	117
PID 2140 wrote to memory of 1280	2140	MicrosoftEdgeUpdate.exe	119
PID 2140 wrote to memory of 1280	2140	MicrosoftEdgeUpdate.exe	119
PID 4100 wrote to memory of 1048	4100	MicrosoftEdgeUpdate.exe	120
PID 4100 wrote to memory of 1048	4100	MicrosoftEdgeUpdate.exe	120
PID 4100 wrote to memory of 1048	4100	MicrosoftEdgeUpdate.exe	120
PID 4100 wrote to memory of 2312	4100	MicrosoftEdgeUpdate.exe	121
PID 4100 wrote to memory of 2312	4100	MicrosoftEdgeUpdate.exe	121
PID 4100 wrote to memory of 2312	4100	MicrosoftEdgeUpdate.exe	121
PID 3384 wrote to memory of 4780	3384	MicrosoftEdgeUpdate.exe	123
PID 3384 wrote to memory of 4780	3384	MicrosoftEdgeUpdate.exe	123
PID 3384 wrote to memory of 4780	3384	MicrosoftEdgeUpdate.exe	123
PID 3384 wrote to memory of 4400	3384	MicrosoftEdgeUpdate.exe	125
PID 3384 wrote to memory of 4400	3384	MicrosoftEdgeUpdate.exe	125
PID 4400 wrote to memory of 4764	4400	MicrosoftEdge_X64_128.0.2739.42.exe	126
PID 4400 wrote to memory of 4764	4400	MicrosoftEdge_X64_128.0.2739.42.exe	126
PID 4764 wrote to memory of 1536	4764	setup.exe	127
PID 4764 wrote to memory of 1536	4764	setup.exe	127
PID 3384 wrote to memory of 2140	3384	MicrosoftEdgeUpdate.exe	131
PID 3384 wrote to memory of 2140	3384	MicrosoftEdgeUpdate.exe	131
PID 3384 wrote to memory of 2140	3384	MicrosoftEdgeUpdate.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe" C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /cusid:S-1-5-21-4182098368-2521458979-3782681353-1000
  2⤵
  - Checks system information in the registry
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
  2⤵
  - Checks computer location settings
  - Modifies system executable filetype association
  - Checks system information in the registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2140
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    /updateInstalled /background
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Checks system information in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart /updateSource:ODU
      4⤵
      Executes dropped EXE
      Checks system information in the registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Checks system information in the registry
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncConfig.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /installWebView2
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe /silent /install
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        8⤵
        Event Triggered Execution: Image File Execution Options Injection
        Checks computer location settings
        Executes dropped EXE
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        10⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1280
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDEzNjhBMEUtN0Q1OC00Mjk2LTlDRUMtMUIwNkRDMDNFM0EzfSIgdXNlcmlkPSJ7NTc4OEUxMjItNzYyOS00Nzc3LUI1NUUtQ0NGRkJFRUYxRUU1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDQjNCOTgwNi05NEZCLTRENzQtQTA3My1EQjIxNjg1ODVEODF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS4xNSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyMzcyNTM0NTIiIGluc3RhbGxfdGltZV9tcz0iNTE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        9⤵
        Executes dropped EXE
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1048
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{41368A0E-7D58-4296-9CEC-1B06DC03E3A3}" /silent
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2312
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        
        /updateInstalled /background
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Checks system information in the registry
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4024
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\Microsoft.SharePoint.exe
        
        /silentConfig
        6⤵
        Executes dropped EXE
        Checks system information in the registry
        
        PID:3036

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDEzNjhBMEUtN0Q1OC00Mjk2LTlDRUMtMUIwNkRDMDNFM0EzfSIgdXNlcmlkPSJ7NTc4OEUxMjItNzYyOS00Nzc3LUI1NUUtQ0NGRkJFRUYxRUU1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkQwNTIxRkYtRDA2NC00OUNFLUEyNDktOTQzNDkzQjRCMEIwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzIyNjAyNjQ3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjcwNzUyODUzMzQzODU3Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTI0MTc4NDk4OCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4780
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C477264-E65C-4E51-92B6-4397FE1B4E29}\MicrosoftEdge_X64_128.0.2739.42.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C477264-E65C-4E51-92B6-4397FE1B4E29}\MicrosoftEdge_X64_128.0.2739.42.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C477264-E65C-4E51-92B6-4397FE1B4E29}\EDGEMITMP_0DDC1.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C477264-E65C-4E51-92B6-4397FE1B4E29}\EDGEMITMP_0DDC1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C477264-E65C-4E51-92B6-4397FE1B4E29}\MicrosoftEdge_X64_128.0.2739.42.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C477264-E65C-4E51-92B6-4397FE1B4E29}\EDGEMITMP_0DDC1.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C477264-E65C-4E51-92B6-4397FE1B4E29}\EDGEMITMP_0DDC1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C477264-E65C-4E51-92B6-4397FE1B4E29}\EDGEMITMP_0DDC1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.42 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff7f01706d8,0x7ff7f01706e4,0x7ff7f01706f0
      4⤵
      Executes dropped EXE
      PID:1536
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDEzNjhBMEUtN0Q1OC00Mjk2LTlDRUMtMUIwNkRDMDNFM0EzfSIgdXNlcmlkPSJ7NTc4OEUxMjItNzYyOS00Nzc3LUI1NUUtQ0NGRkJFRUYxRUU1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBRTdGNzE5RS1BMzRCLTRBNjktODNEMy1DRTU3M0Y1OUM3OUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI4LjAuMjczOS40MiIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTI1NDQ0MTE0MiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyNTQ1OTcyODciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDE4MzQ3MDg1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9iMGY3MzFjZS1mNzA2LTRjODEtOTA2ZS1hMDVhYTAzNDc1N2Q_UDE9MTcyNTAzMTczNyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1hcXg3VVpFTzNhRjAxVXV0SU1zY29NcFNRWHQ1NnklMmZ2NG82am5zQzdUWEtid1ZwV09kb1JPRmt2eWZKWmZOTUklMmJNQnYyMXU1MUV1WjRYZiUyZkxoSUtGUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3Mzc1MDM0NCIgdG90YWw9IjE3Mzc1MDM0NCIgZG93bmxvYWRfdGltZV9tcz0iMTM0NjkiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDE4NTAzNDI2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQzNDI4NDc5MCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTg2Nzg3ODQzNSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijg0MyIgZG93bmxvYWRfdGltZV9tcz0iMTYzOTAiIGRvd25sb2FkZWQ9IjE3Mzc1MDM0NCIgdG90YWw9IjE3Mzc1MDM0NCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNDMzNDQiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Installer\setup.exe

Filesize
6.6MB

MD5
11a19165aa72e46ad47200ca46760c87

SHA1
2fe4616eadaf543846571564ca325e772ea5375c

SHA256
eaac114b05373d005f91c2824c3b907d01842056468018b95a688e82ffcc95b1

SHA512
5b4074ba1598c7441fd3dffed54cf0cea540a8e58ace339254b9a29bd6709a8e64458c10e9797a75ba8e0e84566e8c5935bf4891b0115dc02017396d70f47b27

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
136e8226d68856da40a4f60e70581b72

SHA1
6c1a09e12e3e07740feef7b209f673b06542ab62

SHA256
b4b8a2f87ee9c5f731189fe9f622cb9cd18fa3d55b0e8e0ae3c3a44a0833709f

SHA512
9a0215830e3f3a97e8b2cdcf1b98053ce266f0c6cb537942aec1f40e22627b60cb5bb499faece768481c41f7d851fcd5e10baa9534df25c419664407c6e5a399

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU4C08.tmp\MicrosoftEdgeUpdateSetup.exe

Filesize
1.6MB

MD5
45e5ca74b9ae3c3fc6f6a63c609783b6

SHA1
f36715bea96d69bb18075fac30b90502c6d2464b

SHA256
b4afd37b9087df7e041ae749fd0fa342926d9cce533bde9cdc4283132c3820a9

SHA512
014fd398d456fcb118dfd6b038b6f96008ca209d44d9707e175e85e7f14cfb3f2886deaed0d8ed25971813035e8dd7f88142c06972f3e2c9b4a534d84bec661a

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
de1deb6512056b9b81dad6ed6a7b67d7

SHA1
41c8e3e062c19777a8f9e8c151d1824d529509e7

SHA256
e445fc67f14a0a98789709648355c5c6b5489f2fb4b0ef74b542acccf69bbe61

SHA512
a30452f698df55e22fd596fa3e80829eb6a52d1e3580256447976c1fd1e912d47467910e1fc53c12eda63a100616ae26f3cb41a9dfef10a0036a0d24dbb408a8

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
185KB

MD5
71950640d02f210fb7b6a8bb0eaa4990

SHA1
62d60deb37e2a5be3ce691f95808150a188d892b

SHA256
b06ccd8a4e22e9533481441e1a3aeccb776e054691067cf115fed9954506689b

SHA512
62bfe4078a19f3fa6dc80288182bf3fd254cfa396944cdead0607a71446dc3dd63715e1701988c44e0704cd8eb9fe80db5ce9f6b564636d955a9266f9fdb0c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncClient.dll

Filesize
6.5MB

MD5
819876e88f06e76a422d12451369582a

SHA1
3f8457f8c13472923914f18da47bbbdc07dbb348

SHA256
5d205ce921568b88d6087a1eb316c5af1754ec91189218243bfea72771b3058d

SHA512
f505f78460040d784a4157d6355a930339f66e505eef377f8f13ce8d517bb9bbe83b5a8bab406fe1df9e2652829fe68db7ec2fd28d8e2c3968eb2a3a7b523b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncConfig.exe

Filesize
692KB

MD5
e226d0b9aff908effd85213b2f299627

SHA1
8e9365429ef5dcd625d1bdc0124bc7aa8a5ad4a9

SHA256
cf64655d586435917f186aca7ae1b6ddaae337fc9ae7a00f03974f16bb113fd4

SHA512
77ff182434a4e1b724f6056c0a3424a815d4659127aa210218770b4f9ffbb74e6b9eb317007a3181db05d0e674aa7fa06f13d15760d69e9014366320bab12508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSessions.dll

Filesize
4.9MB

MD5
567b15b4c1386dd3d6c964d34418f8f2

SHA1
0443f973494c7147d7374f7991fd0f237d5283aa

SHA256
0e4f32b8424825fc52a345a280d79db135f4dc9a39a9a5e9ffea7ab90238a8e2

SHA512
095f5537ae5f6d120669c9f8e8a29691d039f7d23ce6d2ed1d91e165e81fc734ea0266b21693c26720bd76db5613804b99ef4ff1ed04e22203b02d5af548dde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncSqlite3.dll

Filesize
624KB

MD5
50747036456402d22fc213885e467e99

SHA1
14247fe812bcf2d525c2ea2aa4aa316783bde433

SHA256
f8f2f57848b917f1566609cc2620277a4ce858024caaad2807cf0ff5fdfc48f1

SHA512
c6cf29d028374eb76ac646f86237549c01a7c2fb768ef3df7ee385a25ef295401e00236b51542aa4351e56376f6a184b42dc9b2de88ed68c19715443f08e9890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncTelemetryExtensions.dll

Filesize
73KB

MD5
4b3f451a6afc4d193a747e15aee306fb

SHA1
25581d7943626c8f46c76a7c5afe23e6b16ef544

SHA256
348d43a110af819bd72ab7b22cb5223d9306d162dc5af8e04b666c2cf9674d9a

SHA512
ed540f13f30d741ce15bfc94ec474c9ba8f72d36d7c4aa1125aa1e4bd62204dd4da56ba2d369bf689b0843a363af563b29277584d8bdefcaf53d085cf4fb4749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\FileSyncViews.dll

Filesize
3.0MB

MD5
8253c76c9c686e672f856a27d6abbf0f

SHA1
55674aff6e0acf7655723e1f9fff7389ed846017

SHA256
9229393db3193e90f957c9e175ad9cd53ece38ae9db46c11e9334fd03ec6f447

SHA512
4a18e813c0344f76e3a8cb2acd688e7001d7e5529f530b5bcfc443c12af07de64b488baec82548d7d5b38da4e2705f92a2e4c10e5ecc72d14b5bd306859ad684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogUploader.dll

Filesize
938KB

MD5
72c0436bc6d01a0abea65e398f21c5f9

SHA1
ee82b9d9a6d77502bae08faa9a983292c3dcddeb

SHA256
fc19cd61c312b0626c11b8fca9c05057863285bcfe13c720290dca935a3fe975

SHA512
b16846c6f841fb501d807387d33111ed44d45099d4e13c86c54f16cc0a2edc3abaadaa4e44bae7f9f3f473d89867145498a4681a17f702e91bdd5cb147f622e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LoggingPlatform.DLL

Filesize
695KB

MD5
801dfa267cea4feba3ddcf8449608671

SHA1
1f6427f1ed3b9b295a0c87616fe6852eb113e099

SHA256
859b837904b5563a07381fbd38f7b90b6bfe389882d47cece5107d245310c674

SHA512
5af96b74ce92d3364bd3002bc31b32ff94d011c2b7a91994ad16f95fbbffe24db983895e2a0bc675e89126e8135583124c70d16cfe1371e6fbfaf3d1254215ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\LogoImages\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\OneDrive.exe

Filesize
2.5MB

MD5
aeb6a72b43e784f863ef9190a270e177

SHA1
c5c8fb906d4608f382a73bcc22fb078248e20cc0

SHA256
16bba9107e3ab6b5bebe947ca51d0fbfb8cabfc3fb26f703f2260ea136049f66

SHA512
877bebb7545218d0d4f63d3dadb3c5da60ce8ec4114fe49d2879deea8f673b7c826c1729141591cd64990571ef82c1dcc568d15f42f6c3b2d73abc614be18c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\OneDriveStandaloneUpdater.exe

Filesize
3.9MB

MD5
2010557646d177990cfe738608860dd3

SHA1
433f7912ae9a84324242ad5b08a83344c2f0f58b

SHA256
e87bba2de914fb1dd8c040cb72f2f7d9ed7a4a78b9584756bb3a722105de8a26

SHA512
55b87f1150d20045de932de804f470bf71e29eaf79a5a06183c0e332650a3b3eed5f12cc15aba5d5dddbba2100cbe0643819728eb9c6ebc28559ca32544fb8ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\OneDriveTelemetryStable.dll

Filesize
2.2MB

MD5
d7251296a8e72e9e6ef4828a4ac5c869

SHA1
91acba7ec540c50c42eff76e47dec543ef41d18a

SHA256
1cb9ed2cc196da79ea70f5de9c2a46f668db36d8c476c75f38f1161316dbbc74

SHA512
f1f58ca0d71217733604e7f120e1f5224f486a0730b76a2694fcfc21896c44bf148f6523803604ed15cbe73f048236d213e223c4d5a2ffc14b3adb061a40165f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Core.dll

Filesize
5.8MB

MD5
7e9131b0037a5d87fb8b3659579914d6

SHA1
03bd6961ed8e6a5215bf69ff51bb1022752a9c87

SHA256
7cc66ef8c001089d71a22e58da0486b4aa92f00d2685deeff95b37f8e3c433a6

SHA512
c60ef029a0c58e181f0da2ccfc02acd47e32efd6a674172ed88e8500fa706c369e3d5981504d068e8facfdd0494f1f9a58f3dad39ad34b1b82daa21372596278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Gui.dll

Filesize
6.5MB

MD5
073a77313c9ae2cff823cbf3a18f99a4

SHA1
b0b8c182bb28fbd4bd2bade39e0faa0803e4f110

SHA256
858e4c8670e016d51fec94aebb38e22bcad57d28a673717a060c4ab734fda49a

SHA512
124814bd964ea775bd9d62c37bb553b6784d8d2f69962552a7a95317b5e66125f6faec82fe084f5a4cbc6260b97aa8a241b05b40feaf624e26acd8f39dd603d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Network.dll

Filesize
1.3MB

MD5
6ecbe8e9ede7a276862f4fc4bb02238d

SHA1
7587a2fcbaa00ce0b473c9b13aad3959097741b4

SHA256
c073eb1585f5ecfe2da1fd34a998978f217a7fd66a053a4b8d714459a45697a4

SHA512
4aae676c8900efff00525cb907bbc75e1e6b6ad184c7dab4772b88ce05ba1a753a2c2e5f1411af4a60f24a020f38bbef270f59c5f890f431a1846d573d57636a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Qml.dll

Filesize
3.4MB

MD5
f1b24e2e9274a6150e209995a1eb13e7

SHA1
a488ac298eb88f84dc9024a285205c9a0296479a

SHA256
665cdc49bb3a7b8e06d682648442a6c4865074b83c29564291322e2f2c13373a

SHA512
4cb004d61e54b4686122f69adcc9c71e18dcde1c25c9a331027b33c9100b13ea2d99db48c1940341944b8a4c4244c03de05f7b2cb71ac1b8b6d212d5c3d02004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5QmlModels.dll

Filesize
435KB

MD5
5d16df0ee2c6ac7428dbeed86567a8bc

SHA1
405ddbfcdeb369ac34bacf436570c6ab8bd9a318

SHA256
1e6d490682022a77624d0d4926c348b3b694f386c18158c6cea58ceadc96aefc

SHA512
eaa2f044873fb403263b76ef86455a3fb79af8e94ef476e70ec350d23d71b0ba0cc87d58fda2857d9a70d9aaff19014e4b4b3eb244761e4e37255ff93a6f4362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Quick.dll

Filesize
4.0MB

MD5
c98b47d6a836d2dd42b56bb1145facd6

SHA1
053cbbd038a8382cc7fb11f59f0076efcfb2aa01

SHA256
f80fad1ac7005c6992ddecfd996073c3c13a29d81d4b3c09860d216b79185f0d

SHA512
74d549674fa53a991ae1cbbc259854da5d26b8e63332343494a7dfe2fc88a7e675217d615419f9dfa9bc9436e4bc3a1b807ed90086becb3d1b5699b855db2b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5Widgets.dll

Filesize
5.3MB

MD5
6a7e7ec50d8fae720190d8553359661a

SHA1
feef20be20e66f1043074a5d3790bbe74a6a84b8

SHA256
3e4601ecf2a40cec173765394f8e0291613c01d6779832053179d799bc4b9167

SHA512
ed0a993be31eddb6d29d07e34fff4e5ec83bd0a34db0e5214f6ada602f4310fb49ac597579043909df6f4b0f5fd9a048ea94fefb5796a90d128c37b83fdd3eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Qt5WinExtras.dll

Filesize
233KB

MD5
553a8431e63ecb2ed11e6d366b7d3c5a

SHA1
51c021966e428f51c59edd9b179fe2f5de691ebe

SHA256
50b41c8827ce6a02b89ee137f5523032dd0575d96c52b7c5f104f14a739fb9bb

SHA512
dc7dc6edd2f66f9eea0df855b60482ceeaf4845c01dd82efa0208289aadee8f3a02816cbfec79abd8e6bd5789297e68b1aca468e7e228726a46989669b40de72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\SyncEngine.dll

Filesize
10.1MB

MD5
4d9af6541b7fd436cdbe962282ec9964

SHA1
96b7e381d7a62823991c316585544703d66061de

SHA256
56992652c045768661c0c7ce310d8625342799bb898ae044164b986ea21c0034

SHA512
54f104bae7c359d91b821ab0d7f8fc042d1eb5cc1bdcc17a867a67797a5636836167f30eda55b5216373b4538bfbad250afe5267cc527ae4bf206f8cdbabe572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\Telemetry.dll

Filesize
587KB

MD5
5eede8af329973ae9f0235db504d3105

SHA1
ea685085b7da012ed10e60b6c7ffd5d28616b7a1

SHA256
ef0de1b99c0dc3a2ce93bebbff9870cfdc177a1afe3bbeb7fb975899796bd1e9

SHA512
1fee9292cdd1c0071e825fee71fa19add7cb57a981bc2f576a78a314e6ced670e1a0177608df15b5c16012b22c1324d926357c02cad1c870ff2c16b714a4f13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\UpdateRingSettings.dll

Filesize
570KB

MD5
b1ee1f0ea6b493e6eb5316ec60275909

SHA1
4ec2c37964e380fbd99ef6424f06a73833e1d94b

SHA256
ec8292b445d297ec8c120033ffb2a1073ad18fadea274b1e9629cb5687b24ef3

SHA512
4b204375e1674b8c30070cf10e5cc331d6fc41cae1db9c6e13c61a04db20307603794b44b941f1c54456bcfb888d059fe81594f1430ad2d44c368260bed60df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\WebView2Loader.dll

Filesize
133KB

MD5
7ae83c027d9ae3f88220dbdaa7ddd3a9

SHA1
e01cdf470ba5265ed07268a8b08f71382e12df24

SHA256
1420a8dd17d80839829f668ba8a1334c752501c184e1f76d2a062cbd4a228093

SHA512
b17c7026495965ced7fd3992c501626717dfc66f9c2c821565ade289c4a46afa20c903931968a4814b9c731045e53c759057b1a23ffd04d4c1bba63d91cbc040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\WnsClientApi.dll

Filesize
820KB

MD5
e4e2d0dc0ac1fbc20f8831dbd81f6394

SHA1
4b1b3b8c7a7bd6d3933d7fa47cc142ac8f6db0c6

SHA256
1584d9e53977cb6e409230e127dff2a3464b1c00d086150f9c7ce3eda979fedf

SHA512
cd0d73a7e03eca4a6261b7d1ad6f8b980a575e5c29119d84b458a1111ca62b19ebd020c3839c0db485891efb369c1f6fea229c469aebad2752f81b50877569aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\adal.dll

Filesize
1.4MB

MD5
eeb28467b75e17a081b168426149dc15

SHA1
a9d689fac6486322cfaab5b0169c64fc91e5327c

SHA256
6281f269b808f5149227528ad1a9cfcd69883d0ae30e44e0065e2be418c824cc

SHA512
c159ad94702d78414bfc18521bca9b196148ea66f878e462e77e96103022eccad4a446f68755f4372969e2c1ba74185c3484d67392519c6fe71c51fa703d82f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
8ed54a1944adeab7042da380993ef220

SHA1
ccf7cea6da91ecd58751a751c8b00dd3fd966b16

SHA256
fe118b38c8c52c44f78b73693a6e4bcee94f07a5c1d049597c7238eb890cf26d

SHA512
167439179c3995392db5606a0abd1080c8463bff704ef23207288c8acdd027619d84cb1332509a6e9958dd29eb7a62cf35554669fb598288a1896503dca3f49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\msvcp140.dll

Filesize
551KB

MD5
4d4eacde06f038fa1f2b8ff80fa5d86e

SHA1
27cf841fc5e1c87251aa66decac6c2043661e3ee

SHA256
e78ecb8b5c81a3824b7e8845dba3125cbf93d60bc8ade9205ff2f6bd655bc6c7

SHA512
cfb187ec44de798a697e55435d96c183194f8caa4524484e0ebf49c509cbf646603b5e018838d143fabfef401d78b4907fc19a08c37dda7bc3e2e796f8a361bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\ucrtbase.dll

Filesize
1.1MB

MD5
9509d09c13ad7b657fe1244476369712

SHA1
6e78064aac68dd11b8f9176989dd72c7f9d99eed

SHA256
549f78818055aac3df92d0011edd18d5f2f3027533d34f69c382669872390810

SHA512
883ace895b82ac6349a1625dda2428dda198802c44f67c971acbf1db159a3fabbc37b4e862804778591cb9b6941a5593c81271b3beb5f5276402cb9be6098676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140.dll

Filesize
94KB

MD5
ee4472a159fd7c893acc2f6e2c212e05

SHA1
fa686e61152050d3bbee53fd096b939f658e7cb2

SHA256
bddccbfc4936e5be13984b4cc9418f8a9d10976d7b60b815e216f1c83d3871d4

SHA512
fcc1a995cdb8ca3ee36e3e99b54b6891703628196fad2bca8b6177a3e0d65f69da8ef6d4a2bf978d9f3ff336c31d6e7292da45f81ef3a37fb741a2b7a196ae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\22.012.0117.0003\vcruntime140_1.dll

Filesize
36KB

MD5
778d9982d200323302bf8f17e38e17ce

SHA1
192de4085408f72856f3ee929f54661d4e1694bb

SHA256
c9c3275516ea786d7d5340cd2fa2d9c89f3b34c5229467875d458666719d4af5

SHA512
bb384c5ec7a9cf8e13fb11728e90f972b3af855128dbf35605e3d6bea32397328bdac5503235588dcd6aa0cccaf779c400d1313528f8fbef94a4f5bf0351ea7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncConfig.exe

Filesize
731KB

MD5
e3d8567c85aeb747b4e24ccf68e5e948

SHA1
07754ff1e9176a1da756ba9f52c476e9eac2bc05

SHA256
313e688601a44213a1262bd5fd841f02433bb41ca86db904aefcbcba515b4642

SHA512
ec53ab9cac821bccd2bf1ad4792614def5f5335e1250116273cd167c95c20ad11d9b3ed39b2f9ab0a98b5b42d3ef7a836c60cd55f20a48c6c63c1f8ced9af8e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\Resources.pri

Filesize
18.1MB

MD5
4fbd1578d8beef2787c69a650c6e18a9

SHA1
51c7bfd3d23b7aaef7f6f9fa16f816714900c7e9

SHA256
2d9961faa1b5b8018f803a74c8e83c0036eed830fbe70fc9c57320bd8cddf1cf

SHA512
ab82c867dad53c2c839c16f031d97ebe9ba691be9ae0d9aed6370d34cd43594330f8167bc1e1a2dbfc99848a30aea5f6d3532590a263d4248db72319a26a3f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\OneDrive.exe

Filesize
4.7MB

MD5
e4b519928f7ffd2b8615dca68511ec1b

SHA1
c70edc2e34114bb98e687b835f4e8fc1b7e3355a

SHA256
9302f01d85efe4d6efe5892ad561a91bbe7e40359fa33b716a53e984b44ece4f

SHA512
e1405d302d0b040a8eca40999ba6781821b8e7fb1df318370c95eb96047bf797ca0a5b9368358a94e5256464d456ac9592b710500bb1137330c533acbf404e34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\OneDriveStandaloneUpdater.exe

Filesize
4.0MB

MD5
f263c927e8d5ffee42ab2d1506dc70cb

SHA1
c728b80bf32dcce81b17308fbc180c557fea4c6f

SHA256
df87a151a90559b16057707f85a7dbc17347042929ca07cbb7ede0f757020801

SHA512
9e746e781b9b816a0cfd18959f28e77a070a29829c8984737bd9bd1869ab21ea0955a5d039ea3af96cbecf518465a3d6796189419afb6fb8b35803cfe656f2ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\pa-Arab-PK\localizable.json

Filesize
4B

MD5
c443b04d0fc26b0a5a4573a78e0082a1

SHA1
3c957535345645dce7190b85eb10b39da96b2518

SHA256
e3566b3a06430868d71e9287dfd6c6c520a3da027aabea01951d407ee131dc2f

SHA512
7bbf6dac485c9e59d02edabc91ff5b15bc1319cef6905c0077ee16e3b1f572b61bff85f2400bc0f5b4aeab0260bd5d68787d72c7a688d79192952f7957a44de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.Settings.db

Filesize
16KB

MD5
015d843becd2b1802fc1ab0b1d500129

SHA1
fc303c297f53e9ddba4c1d96111fdfeb9d366cc9

SHA256
da9e1e0c2942a31d06427de99cd1918305fb410410e0b13936d4f44841d3bfb3

SHA512
4bca454163a1e0fcfc751f1bad1d2386c47fa39c9ac908c94b2fe0485d39eff53993e5a7d5768351db1a33f73fea4a6d3896107036ed7b47ffc413f929e7ae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
4d46eabb8773d4c97b4745c0e597c0f3

SHA1
e1cc8924779b6f69eb0c2c2718e41ca5e0635203

SHA256
a58d45014152cfc43b0631c6622d26448c0a882cce36ec75deaa32be7e2dd3bb

SHA512
8256a9be2ec61529b7562a020b168794b900814f8542f57331fd5a30733abe750cdebdd8f3ea989a9d4b6d61bfc81eb6d9f8eb729c2cf1fd419013d66c4a80ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

Filesize
77B

MD5
ed2774a4e6d6b8bbc321c02778ae4816

SHA1
c735e90b7d0ae2e40eb8c3067c565739cd2f4af6

SHA256
8e0ace90f30ea432914ceef93e63bb27d14d0abc91129ccdf598f580a0d81019

SHA512
d9c076d936b3084ee86ec7fc5e3dcdbea72d935c6d56de90768731c3625991f6e75236f3cd7a5724e8b2fa424780d7ad2ca09822035bbbfcf98fc9f6fff6d895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BOIFDBOU\1d2b3fa10030444df05a5b7f1570928b2cc73c78[1].xml

Filesize
1KB

MD5
5ff7f326c85d379b200010677eb81923

SHA1
724e68d9b03314211f394cf345db5ed44e08b150

SHA256
c09351cb0b876f526ebcfa91252caeda61ebd2cbec0529d847da1caba711ce1d

SHA512
192b661893094e274fa9f97dc1334e2cd23f98207e3833838f428b466e9f01dc9c133d185b6c4ca14bfe5429f8cb64b8976f72e9bb7259fdb29277efbf8545e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDDD.tmp

Filesize
42.6MB

MD5
a431ae009ed3d0f331972c12135271f8

SHA1
b9c3b3bb6d96bec077d45b65ae4d6847cc687eb7

SHA256
5f0ec9bfee41d11d4c98b12ae11403491ad14204c89ea14d10c2633c8ad66763

SHA512
34d93bffa191ed4cd7407227498382d9bfdc6eaf13edcb95568a410a62769863a0735c14160f3b2d704c01294bf77bbbd1a25fac2d0073b631b3f90f513c8f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct49B6.tmp

Filesize
475B

MD5
aabef695c2194b63bf0f2edb9dbd73a9

SHA1
2d53dc46d58bf8096e0506bacac39ba0b121711f

SHA256
7a8cc15c4caf3bfe466ca4204767c08b2c176effe588b4cbb62ba13cfe473690

SHA512
8cd15af3234620f6a8ee9d6cbd611117ba9527d1a3fd3138cd4abd4cc0e57f9b82ccd24e0a357c3115365aa3a81e9bfb70a9813a8b639bd507f51e1cbf593581

Download Submit
memory/4024-2454-0x0000026A561C0000-0x0000026A56290000-memory.dmp

Filesize
832KB

Download
memory/4100-2471-0x0000000000B60000-0x0000000000B95000-memory.dmp

Filesize
212KB

Download
memory/4100-2472-0x00000000750F0000-0x0000000075315000-memory.dmp

Filesize
2.1MB

Download
memory/4100-2517-0x00000000750F0000-0x0000000075315000-memory.dmp

Filesize
2.1MB

Download
memory/4100-2531-0x0000000000B60000-0x0000000000B95000-memory.dmp

Filesize
212KB

Download