d0ee124e519a55039da6958f7e0fd7dc812e975911932dd8cd123cde1fda64c3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Size

60.2MB
MD5

ab86f641aa302fc302970ac48dd22eea
SHA1

47c3772cc607ecb5cdf90d2f37d31255383d2fd8
SHA256

d0ee124e519a55039da6958f7e0fd7dc812e975911932dd8cd123cde1fda64c3
SHA512

225f6b5da799861bf45dd162ec867216c8be6b878242714917101abcd5d17897c2e4c99cdc4fdc36a4f5ec0d8447dc7e684de11db66d9f62a0bcccac4210801e
SSDEEP

1572864:IDLZfQUWdMGnyvJVoZW9Vb3a3vRN/EPGl1wyErmLmH0ft3q:cOUKnyBSoTa3z/E7bv0fpq

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 26 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Microsoft.SharePoint.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Microsoft.SharePoint.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_hi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ur.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_az.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_fr-CA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\psuser_64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_lo.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\EdgeUpdate.dat	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeUpdateCore.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_cs.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_it.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ru.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_quz.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_kk.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ja.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_bs.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_de.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_en.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_as.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_gl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_kok.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_is.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\psmachine_64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\psuser.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\psmachine_arm64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_id.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_nb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\psmachine.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ar.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_pt-PT.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_af.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_fr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_th.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_nn.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_sv.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ug.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdate.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_mr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_pt-BR.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_sl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_tt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeUpdate.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_en-GB.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_te.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ca.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_sr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ta.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_bn-IN.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_fil.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_ka.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_bg.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_fa.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\msedgeupdateres_pa.dll	MicrosoftEdgeWebview2Setup.exe

Executes dropped EXE 20 IoCs

pid	Process
2384	FileSyncConfig.exe
3984	OneDriveStandaloneUpdater.exe
2316	OneDrive.exe
2280	Microsoft.SharePoint.exe
2388	MicrosoftEdgeWebview2Setup.exe
4800	MicrosoftEdgeUpdate.exe
1660	MicrosoftEdgeUpdate.exe
4348	MicrosoftEdgeUpdate.exe
4292	MicrosoftEdgeUpdateComRegisterShell64.exe
2856	MicrosoftEdgeUpdateComRegisterShell64.exe
3772	MicrosoftEdgeUpdateComRegisterShell64.exe
2304	MicrosoftEdgeUpdate.exe
4624	MicrosoftEdgeUpdate.exe
3352	MicrosoftEdgeUpdate.exe
2736	MicrosoftEdgeUpdate.exe
3764	OneDriveSetup.exe
3156	OneDriveSetup.exe
5392	FileSyncConfig.exe
5460	OneDrive.exe
5888	Microsoft.SharePoint.exe

Loads dropped DLL 64 IoCs

pid	Process
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2384	FileSyncConfig.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveStandaloneUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft.SharePoint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileSyncConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2736	MicrosoftEdgeUpdate.exe
2304	MicrosoftEdgeUpdate.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Colors	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Colors	OneDrive.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{07CA83F0-DF06-4E67-89DD-E80924A49512}\ = "FileCoAuth KFMStatusFactory Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\INTERFACE\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\MSSHAREPOINTCLIENT\SHELL\OPEN\COMMAND	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{3A308EFE-656D-46BB-9963-0A41C0D6BCA2}\VersionIndependentProgID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\WOW6432NODE\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\PROXYSTUBCLSID32	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\ = "ErrorOverlayHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\SyncEngineEnumeratorProvider.SyncEngineEnumeratorProvider\CurVer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\PROXYSTUBCLSID32	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\ = "ShareHandler Class"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{EB3EED27-BCC1-4E91-A65B-9C2AFB189F4F}	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\24.161.0811.0001\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ = "IClientPolicySettingsEvents"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\INTERFACE\{1B7AED4F-FCAF-4DA4-8795-C03E635D8EDC}\PROXYSTUBCLSID32	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\NucleusToastActivator.NucleusToastActivator\CurVer	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\INTERFACE\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\PROXYSTUBCLSID32	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CurVer\ = "SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\VersionIndependentProgID\ = "SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy"	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\Version = "1.0"	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\SyncEngineEnumeratorProvider.SyncEngineEnumeratorProvider.1	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\VERSIONINDEPENDENTPROGID	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\24.156.0804.0002\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ = "SyncEngineFileInfoProvider Class"	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ = "IGetLinkCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ContextMenuOptIn	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Interface\{1F80F4F0-5D28-40D3-A252-4D3662D5E4BA}\ProxyStubClsid32	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\Interface\{13987a48-a837-465d-b6be-8302db0e4ce6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2316	OneDrive.exe
5460	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4712	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
4712	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
2316	OneDrive.exe
2316	OneDrive.exe
4800	MicrosoftEdgeUpdate.exe
4800	MicrosoftEdgeUpdate.exe
3764	OneDriveSetup.exe
3764	OneDriveSetup.exe
3764	OneDriveSetup.exe
3764	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe
3156	OneDriveSetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4712	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Token: SeIncreaseQuotaPrivilege	1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Token: SeIncreaseQuotaPrivilege	1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
Token: SeDebugPrivilege	4800	MicrosoftEdgeUpdate.exe
Token: SeIncreaseQuotaPrivilege	3764	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	3156	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	3156	OneDriveSetup.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
5460	OneDrive.exe
5460	OneDrive.exe
5460	OneDrive.exe
5460	OneDrive.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
2316	OneDrive.exe
5460	OneDrive.exe
5460	OneDrive.exe
5460	OneDrive.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2316	OneDrive.exe
2316	OneDrive.exe
5460	OneDrive.exe
5460	OneDrive.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2584	4712	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	93
PID 4712 wrote to memory of 2584	4712	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	93
PID 4712 wrote to memory of 2584	4712	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	93
PID 1720 wrote to memory of 2384	1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	100
PID 1720 wrote to memory of 2384	1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	100
PID 1720 wrote to memory of 2384	1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	100
PID 1720 wrote to memory of 3984	1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	101
PID 1720 wrote to memory of 3984	1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	101
PID 1720 wrote to memory of 3984	1720	2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe	101
PID 3984 wrote to memory of 2388	3984	OneDriveStandaloneUpdater.exe	106
PID 3984 wrote to memory of 2388	3984	OneDriveStandaloneUpdater.exe	106
PID 3984 wrote to memory of 2388	3984	OneDriveStandaloneUpdater.exe	106
PID 2388 wrote to memory of 4800	2388	MicrosoftEdgeWebview2Setup.exe	107
PID 2388 wrote to memory of 4800	2388	MicrosoftEdgeWebview2Setup.exe	107
PID 2388 wrote to memory of 4800	2388	MicrosoftEdgeWebview2Setup.exe	107
PID 4800 wrote to memory of 1660	4800	MicrosoftEdgeUpdate.exe	108
PID 4800 wrote to memory of 1660	4800	MicrosoftEdgeUpdate.exe	108
PID 4800 wrote to memory of 1660	4800	MicrosoftEdgeUpdate.exe	108
PID 4800 wrote to memory of 4348	4800	MicrosoftEdgeUpdate.exe	109
PID 4800 wrote to memory of 4348	4800	MicrosoftEdgeUpdate.exe	109
PID 4800 wrote to memory of 4348	4800	MicrosoftEdgeUpdate.exe	109
PID 4348 wrote to memory of 4292	4348	MicrosoftEdgeUpdate.exe	110
PID 4348 wrote to memory of 4292	4348	MicrosoftEdgeUpdate.exe	110
PID 4348 wrote to memory of 2856	4348	MicrosoftEdgeUpdate.exe	111
PID 4348 wrote to memory of 2856	4348	MicrosoftEdgeUpdate.exe	111
PID 4348 wrote to memory of 3772	4348	MicrosoftEdgeUpdate.exe	112
PID 4348 wrote to memory of 3772	4348	MicrosoftEdgeUpdate.exe	112
PID 4800 wrote to memory of 2304	4800	MicrosoftEdgeUpdate.exe	113
PID 4800 wrote to memory of 2304	4800	MicrosoftEdgeUpdate.exe	113
PID 4800 wrote to memory of 2304	4800	MicrosoftEdgeUpdate.exe	113
PID 4800 wrote to memory of 4624	4800	MicrosoftEdgeUpdate.exe	114
PID 4800 wrote to memory of 4624	4800	MicrosoftEdgeUpdate.exe	114
PID 4800 wrote to memory of 4624	4800	MicrosoftEdgeUpdate.exe	114
PID 3352 wrote to memory of 2736	3352	MicrosoftEdgeUpdate.exe	116
PID 3352 wrote to memory of 2736	3352	MicrosoftEdgeUpdate.exe	116
PID 3352 wrote to memory of 2736	3352	MicrosoftEdgeUpdate.exe	116
PID 2316 wrote to memory of 3764	2316	OneDrive.exe	117
PID 2316 wrote to memory of 3764	2316	OneDrive.exe	117
PID 3156 wrote to memory of 5392	3156	OneDriveSetup.exe	122
PID 3156 wrote to memory of 5392	3156	OneDriveSetup.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe" C:\Users\Admin\AppData\Local\Temp\2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /cusid:S-1-5-21-4182098368-2521458979-3782681353-1000
  2⤵
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe
  C:\Users\Admin\AppData\Local\Temp\2024-08-24_ab86f641aa302fc302970ac48dd22eea_magniber.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix
  2⤵
  - Checks computer location settings
  - Checks system information in the registry
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2384
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /installWebView2
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\MicrosoftEdgeWebview2Setup.exe /silent /install
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Checks computer location settings
        Checks system information in the registry
        Drops file in Program Files directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjgzOEU5MzAtQzhBMi00NDZGLUFCQ0EtOEMyMTIzMUQ4MEU5fSIgdXNlcmlkPSJ7MDE3MjY3NUMtMkI2RC00MEIwLTlBQTAtMDI2QUYyN0VDRDI2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxQzA5NkVDRi00NjY5LTRDODYtODM2Ri1CNEVGOTFFQjE0RUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS4xNSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5MjEwNzExNTUiIGluc3RhbGxfdGltZV9tcz0iNzM1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        6⤵
        Checks system information in the registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2304
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{2838E930-C8A2-446F-ABCA-8C21231D80E9}" /silent
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4624
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    /updateInstalled /background
    3⤵
    - Checks computer location settings
    - Checks system information in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart /updateSource:ODU
      4⤵
      Checks system information in the registry
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3764
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix
        5⤵
        Adds Run key to start application
        Checks computer location settings
        Checks system information in the registry
        Executes dropped EXE
        Modifies system executable filetype association
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\FileSyncConfig.exe"
        6⤵
        Executes dropped EXE
        
        PID:5392
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        
        /updateInstalled /background
        6⤵
        Checks computer location settings
        Checks system information in the registry
        Executes dropped EXE
        Modifies system executable filetype association
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5460
      - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\Microsoft.SharePoint.exe
        
        /silentConfig
        6⤵
        Checks system information in the registry
        Executes dropped EXE
        
        PID:5888
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\Microsoft.SharePoint.exe
    /silentConfig
    3⤵
    - Checks system information in the registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2280

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjgzOEU5MzAtQzhBMi00NDZGLUFCQ0EtOEMyMTIzMUQ4MEU5fSIgdXNlcmlkPSJ7MDE3MjY3NUMtMkI2RC00MEIwLTlBQTAtMDI2QUYyN0VDRDI2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjlDMzlCNzctOTZCRC00OUU2LTk3QzgtMkQ1Qzg3MUU4NjU1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzIyNjAyNjQ3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjcwNzUyODUzMzQzODU3Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDkyNzE2NTA5NiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
136e8226d68856da40a4f60e70581b72

SHA1
6c1a09e12e3e07740feef7b209f673b06542ab62

SHA256
b4b8a2f87ee9c5f731189fe9f622cb9cd18fa3d55b0e8e0ae3c3a44a0833709f

SHA512
9a0215830e3f3a97e8b2cdcf1b98053ce266f0c6cb537942aec1f40e22627b60cb5bb499faece768481c41f7d851fcd5e10baa9534df25c419664407c6e5a399

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUCD91.tmp\MicrosoftEdgeUpdateSetup.exe

Filesize
1.6MB

MD5
45e5ca74b9ae3c3fc6f6a63c609783b6

SHA1
f36715bea96d69bb18075fac30b90502c6d2464b

SHA256
b4afd37b9087df7e041ae749fd0fa342926d9cce533bde9cdc4283132c3820a9

SHA512
014fd398d456fcb118dfd6b038b6f96008ca209d44d9707e175e85e7f14cfb3f2886deaed0d8ed25971813035e8dd7f88142c06972f3e2c9b4a534d84bec661a

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
185KB

MD5
3ecafb0284af522f19b19329b126b5c8

SHA1
5756ae77f010047fa86e5ac6df497b1ed5f6677f

SHA256
adc1323d9abd9294abca9e1d82bf80e3d894e7f753c186fb907d776733f1525f

SHA512
e46b3bee410697a9c0a75d1c70b4ed9bcd2e41e0ca131a53bc6540158d3ad8933a87c204cd9fa0678cd32ac3757e51af68b193922bd4df91d211efcedc19ef3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncClient.dll

Filesize
7.8MB

MD5
04ed90b21610d67873eaebe219965841

SHA1
b9298337d2d8b9731930b0f7d2135528d6e76505

SHA256
a458a4986be48f18cae6a56edb7bbc716793f0031408148c0c611d54046289a1

SHA512
b76e2035302c5d546154c15fb7ec621bd70b6193b312e3c8258409949db679ee43afd852a8970853550f6cc317e00f5085fa8871c5a60084cbfacbcbbccc67cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncConfig.exe

Filesize
620KB

MD5
68b02aa11265371f567123348ccee6a3

SHA1
a388e4c4777c1f30b323d1b0dbbbec4041a1bd2a

SHA256
7da18fa5efc9216ebc0617655f6ff592656aad6749621081bc53de61ce0f0564

SHA512
935e1e7d6925b366a8835ecef74114bea65085f819eb1765a7621f586b7b7f2e83149254fbde1734317467a6c18d6c6fc2835b0a5c29428d0dc071e83783fad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncCxP.dll

Filesize
422KB

MD5
f4c686989c150b74029734fe1bf3e2cd

SHA1
57bef676ba203eb1c271f235fd4328f0bc4c696c

SHA256
68cc4f1acd657c546464c9f51cc0fae5d9cdd7fc94dd30198cfe884c9704dae7

SHA512
e62a149bc1f77c91e51cbc5836b426e61a0a841ff84a30660b0cb2b6012fa634d5d7584fe10f07847a8aaef22193581c58acb3fcbf93536380e31211c7a798d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncEvents.dll

Filesize
106KB

MD5
ca1f8d83c88ac49de1df52e90722cedf

SHA1
a4293d2c7b68a027ce15b7d7ff70f8700d3de3b8

SHA256
1a14640c14727b48125f588d30891cdb2c3593a92834019bcb84409aaeef28a3

SHA512
d4bff24dcaa767fd0d64e9250d8741add4da4b2c1cec0668d83b06808ffcd986c9116558b4f06f3bb55fc271be2a55e758ac46101e3d09a326fde743f39e142a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncFS.dll

Filesize
638KB

MD5
baf57da785b0b4cbe6b8fa31dbe2068a

SHA1
28c9ac2b485da9d2ff7dd6efb0b8ca3f4f7966b1

SHA256
7750e9cc924b7a9ffb0242bee1c1a5691a7ac908ab3a34e43014c80dcc160940

SHA512
70234f6056456ee54f679fb3a78f2786c779c89df326b24ea1f19855a8348ebdca2bc2cab25daf8b7256e57612ce0b72494c049bdc3c087b4e6b9e5656587b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncHost.dll

Filesize
362KB

MD5
33221aab91cba98b0bf9a187fbbee762

SHA1
a15a5de4b5f2251624ed1064cf2b12b4c0b9a5fa

SHA256
b05abdf048574f1a93c2d44833ac63bdf4bdb0d9676bdb08017a35db27e449b6

SHA512
e6212ad26f71aedd91cdb050d7df5d8dc7d7f05c3aa6cd1df8b1dc4fc6b901a39699afba80c07701927408efa3a782089d318cb4af117bae25dc4f7e9b06dc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncRNWin32Lib.dll

Filesize
305KB

MD5
d00a5744db91ac7f0e3d24d17be463ca

SHA1
b57b90475c55e7a2242647e565322ff36ff1cdd7

SHA256
50d5fdcbc66edc7474e1b3deaff7062dbab37d1c690609eea84c1caeeda2a138

SHA512
61c0dd51996b89b156c157890ee6a247ca7af38177d0237e2964336f5dfde873b990e22ed84863f0508d9036c7c683b0f6e84fbf71a52df77a14d2b4d14f0f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncSessions.dll

Filesize
4.6MB

MD5
3dc21bb04d6bc43bc2bd15948d6c6637

SHA1
e6330c6a5dd042fb76be5eeb19deb057dcb70c16

SHA256
9a358d7b1af55ffee4dc51619fa91c0f47edb9fa4bc17fc10c86d4a817e909e7

SHA512
c749a1711e6d80056b7c63b965fcfbb725c64f1da724906411ed7a8f37bc9bc1d89c3640162ec9b47fe47bcf7ba85cbda64a749e145ce739d7df64b967a62f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncSqlite3.dll

Filesize
526KB

MD5
ff1db56a8f398f051c7e98a1826884b8

SHA1
66b8752fe9ff9fe8af7793f86ca06e4218e02553

SHA256
9df7dd937bb8aebb5fa8d626a54ffc29dcadb1fddd71e0c92f6be78ed58b8eb5

SHA512
9728527f523a4132d7a1866401638eba2c6fdc7cfe680bfbe550aeb9419fd5ab62d7504e1fcf56e717ee34d10ba55a4b7027a200d331cb2d929882ecb2fad539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncTelemetryExtensions.dll

Filesize
456KB

MD5
4ed0f91335272797d15dba0836b4e4c5

SHA1
1e8fcb76f123b4832c98a59c8db90eb52f750117

SHA256
a8e2cd6dbaaf9bf1f8ac97dc66a50edbb392da5765670a09c72b79a9ddca22b5

SHA512
2f849237b0c895ed1f859d444751a6c9156b0ebed8c7b5f5b4c1cc3ed51f48bcbdc138df65f068f8737e397d9ef7e438a956b50feb6b3766fe5bfa68df9456b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\FileSyncViews.dll

Filesize
2.9MB

MD5
55fd89c0f64f190ed741aae2e88c29d7

SHA1
d619bbcc27714552b17859377754eda41a0ddfbb

SHA256
93a113901c1d8f28249fbb241dd5f977127ab22c3738230427ee24ebdb149f6c

SHA512
093826bff23cff30eb4d2739328461b9bed75dca86a4bf75acb79631ad5caa9b8e2bf2b7cef0618edf56621b984e84b628d559667b3389ab208327258487c92e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogUploader.dll

Filesize
854KB

MD5
be586c58ad1bd089c50594966c58ee54

SHA1
67cf3c0d5f5304ff9f7e9190e85d94d718eb8c85

SHA256
351e80a896db4334e24cbdd3648e93e4ba040c9a9fdd7a188f05346c4573a3d6

SHA512
f7d6672443aa88811b82268b5a523b5518ee8b787cafe9c5b3d20ba7ae18d7f9a25c22c46b85ffba6ce792da5c7a8922ff73ee45369502ab05a365263c05614a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LoggingPlatform.dll

Filesize
523KB

MD5
5fa5ca2d7628f7ff5ce9eb9844e5be57

SHA1
358c3155d3b7fd37908d46fe1515c7024e994265

SHA256
b1a213219faad687d78fe8e54639ab2508f48981d0bdcb051ecb0e4e4275ad4d

SHA512
cc3bc2780c05cfeb7b50a72d1afb13f02ef17609dce59d4609a75bc622f4823b1a4bd614ae22c3ba3e4012653852463f5bffa033b283d634b9e0333d6335efac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\LogoImages\Resources.pri

Filesize
18.1MB

MD5
4fbd1578d8beef2787c69a650c6e18a9

SHA1
51c7bfd3d23b7aaef7f6f9fa16f816714900c7e9

SHA256
2d9961faa1b5b8018f803a74c8e83c0036eed830fbe70fc9c57320bd8cddf1cf

SHA512
ab82c867dad53c2c839c16f031d97ebe9ba691be9ae0d9aed6370d34cd43594330f8167bc1e1a2dbfc99848a30aea5f6d3532590a263d4248db72319a26a3f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\OneDrive.exe

Filesize
4.5MB

MD5
753b0ad1bdb070097bfbaa5d39b013f1

SHA1
085c013c4055d9e8e0f911326f78420c90fdf58e

SHA256
d297ca72c09970179aa5bda02914540f9ce0d6c8d841065a679b1c02d4540fb8

SHA512
dbda9b7e38ed5e762c160672f257f28ad44ac7c3a77ee93a2208205f90c5321b91500208ab15d26d256780606fb77670fed51dc1bd26ce8ad8a1350354073288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\OneDriveStandaloneUpdater.exe

Filesize
3.1MB

MD5
68a817a7ed059bad00425e41e694e2df

SHA1
8d8b81ec811634e31b5fb53f90cad74412f62b35

SHA256
848df2948cb18d1899c41ede17679fac073761adb21805c7d6c040b209a2299d

SHA512
1b39a8246bd05aae81aaaaa59598d5862e50d97cf2528b5ac599a8d0b9b82f16156babd26ced7cba986e26a9bdbeef5a00f68450dc14eb9c963858d6e7c65455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\OneDriveTelemetryStable.dll

Filesize
1.6MB

MD5
e1413a659da2891db910d73f099e823c

SHA1
5cc0f982f5dd4ed99edaafb2f258fe2d3329144b

SHA256
3976b3bea8aa7d94093ee7462045a62249dc72ba9685bf86aec367b7a1eebc8b

SHA512
7f034fc447004d8a2231257d4607633e8071c80b516e27434ffda386026eebc8b4cd02685a75370d186cb88e1130abe2a561ee6d4ccda56cdf38c78f0b26fc47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\Qt5Core.dll

Filesize
5.2MB

MD5
8631bcfe36239be219a1a2219fcbb3d7

SHA1
9cbd64a7e18e55c32a36665f61d641583e125d3c

SHA256
c023e4323ab3f81531d4af24d6f997d4cfc3f19e6af8dd0a0fbfd071ae65cad7

SHA512
dd5341ed4a89b11fd67c80affd776add23dd75af3a64804755e390d6e536441b886155633c67f46d1f96fd6153c0aa862a8f0416807093bbded79213592ea64d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\Qt5Qml.dll

Filesize
2.8MB

MD5
e076123553da57b39604947bc077c810

SHA1
e8d5418a0dd8ba28b10798d985f5836c0351a75a

SHA256
181e44dbb60a821345efa7b39c8c8345284b5d5c0644760b5cf51209533e0418

SHA512
0de128a8bc8bef702dcc891b1a9a08cb3aa1c08e304a9ad64cd3bddaaee9c8172ab71ed4b0cbf3701df56b7b6a17b7727ffd6f11376ab5364853cde96bb72607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\SyncEngine.dll

Filesize
9.9MB

MD5
b694842c3c643e32c757b80c318377b0

SHA1
60512341408c8338fa21d89dcc87d1670ff982b3

SHA256
a5507b819b977ff9355a3f0d0fca6fe4bcde1ca73bb2289ddf801def8af92e24

SHA512
ef98d95f551b3e94978da6f56cda3eb118d9cc6ec793077b104de2ad3aeb48b9400ac04297632856adc1c7aa1c2b81e9bab469b92ca01e40fe20971d02e8f56f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\Telemetry.dll

Filesize
891KB

MD5
61ef452d51f2275a3de26572944d09d4

SHA1
3096b43c779f60aeaa718a3a31a51cd32148e483

SHA256
323b32da7f4cccdcc7f7b368aa86933d285dd30cf2b56a5036774dcf4d1c4928

SHA512
2c3bebf1c184f20e68675910d99023e36fb3888c3c0de412637777a9fe2b0d54609fc0e85a84abf6cc0c2d5b9e5524f793bc877e599c6a02df1241c0b904b875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\UpdateRingSettings.dll

Filesize
513KB

MD5
b1f74780b78ce810784962fe740719cc

SHA1
41a1ced8ae582bd072841fcc1acb6bba1c2d7064

SHA256
207d3ab953aae4b54625d95ae2ef893615080589b4b78f30595f7bcf041ca9b7

SHA512
e80ea8f6608e3165b91f9f9fd2e45bebff74b48769657a898ec62c9d01c8275713fd7f4d4507545075ffff34de988e8e539571acc1b9dc69b2a78b68fdb3b4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\VCRUNTIME140.dll

Filesize
78KB

MD5
b579bc3c3e0e3a12e18d7c63e727c18e

SHA1
e86706a6f99d5e1e5130ff5386767de3d0a19f6a

SHA256
bcd7f6513f9da814977f409ecf21d2dd6f15f7f23758988ea69ddca843420bd8

SHA512
9174c831f0c304aca154be89a720d77fee7b90101191dd63bba1ceb3834aea16c8193c6b7f353751425735b444a6c626d04bd8b4c44492c9a6ce86ff1136940b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\WebView2Loader.dll

Filesize
108KB

MD5
6df6c8ae7d1faa0a2a37fcffbfe7fde0

SHA1
b55a654296e41edd42af3d7149cfd131ce10bd5e

SHA256
e8051d75f0c22c2335aadcae7c6582c86d23f3a3e320bd6af6fc518bd8b163aa

SHA512
2e0e8e24935eaf7a9e0763be53b4d5903096c8ac0e42284a5179a6dd7322e5d83845721e439b46409b74eb4a90defb5eed26a374904b129fd807f9a8c9e42249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\WnsClientApi.dll

Filesize
720KB

MD5
b552fa0d058aa2c2e4e32af12f21ed77

SHA1
3b1e1e4b8e3be9bc9450ff440e9edb009695d30f

SHA256
944991c09af312b76686598f3dad88a6ad27d9c0c82043796a63585fbb7485aa

SHA512
5b93400e265fc5dd74c664fa136387ecc80bccee0f52286affc62ea27437d591588d5eddc8cd442e789199af6fe9707a05099bcb328e3625f52ae5717508b023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\adal.dll

Filesize
1.3MB

MD5
7d8b61a0766f835ee45d33c047b07a0e

SHA1
0f062309bb0b0aa62a9111f1e581e31b39172ff6

SHA256
51116474d60e960173d4afa4c05b96d4f96a84d30fbb518a9d24962ebce59133

SHA512
594d05aab07b047bf325fded0e8ed635e49940ec861de03efdb452d191c9cc1e0c62ca00b13ba8036c18531591140733769aef5deaff5db64efa5d746ec91507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\msvcp140.dll

Filesize
427KB

MD5
1fdd75be535c8997d40ff9cb9f9282f2

SHA1
5b27836175bbed22a3bb4a5acd0aecd1903af338

SHA256
6463d7fb5a4ebb58cb5bb27863ea6af0c7a5386ee50fb7ecd2bf0fc83ec65298

SHA512
ff854216213d0b0638bff4d33ecdfee7d52b5127474a38a04d8557d49049f5c3d07feb7f555758ce480ee7001d1bdcda849ab109e5258377dfe2a1663632b29b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\msvcp140_atomic_wait.dll

Filesize
51KB

MD5
bf262ffb147c2f0cabd17f4cb63ca884

SHA1
35f49fc44bcafcae14e5d6e9519297f3ea9286a5

SHA256
ef3e9b7ef3d2fd8f1bc614d06e55beda254943d606845b446140fa2655d869d8

SHA512
5c0548bd226ba64a5262b14e9b6b3cc6b9ea89e826850e54c48f813237fbecbf3d43443dea0b70fe093b3582b2084553c5861efeb10641a2ff328cca7b144e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\pa-Arab-PK\localizable.json

Filesize
4B

MD5
c443b04d0fc26b0a5a4573a78e0082a1

SHA1
3c957535345645dce7190b85eb10b39da96b2518

SHA256
e3566b3a06430868d71e9287dfd6c6c520a3da027aabea01951d407ee131dc2f

SHA512
7bbf6dac485c9e59d02edabc91ff5b15bc1319cef6905c0077ee16e3b1f572b61bff85f2400bc0f5b4aeab0260bd5d68787d72c7a688d79192952f7957a44de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.156.0804.0002\ucrtbase.dll

Filesize
1.1MB

MD5
17550d953daaf06aa8de611537c4ab9b

SHA1
09de53409e476400becbebaf4d0ade08360b9751

SHA256
fbf6dcc8e06010aa216c8c0f8c68ee345110056e03b73670e14764a61eb41f0a

SHA512
d75f80f9222ddc95fc054654ba80f5d1f8118141cb73d6af980e93324ff9e9a9a018bd07b30bf1a8f7c2491a801d540599bf48230cb7147332548be8164de292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\Assets\Square44x44Logo.altform-unplated_targetsize-16.png

Filesize
637B

MD5
b735ac2c67ff5335bd4215e4907abf32

SHA1
39d32221ec712532042f9175d83598ef0e842394

SHA256
3234a95ab229383eafa6f4036d6e5bcccdf441511fc86b83e5a8a8de2df9bd40

SHA512
8ec1bebeaee2dcafac2013c833eaf6da6123830e5a4d86dda722d9a26263c44c38fa603eb1ea43195010e31f6687142956324d274e2de9d8923774da5d3a4e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\Assets\Square44x44Logo.altform-unplated_targetsize-24.png

Filesize
1000B

MD5
1433673065290ad7497f1559b99528e2

SHA1
70169b46ff0dcffca74e3978206b9650bd5f4b31

SHA256
7fd2eba3f94391b2894a0fde79d3c09a253b371e258ab48aeb13320ac2d7321f

SHA512
60459ef7a11867f92970be857972ca24d5ca7507047898dbad1537cff3c04a67dc9c83bcfafa16917175d01da7376e7eff9288c8b6334a384df356fa70b87494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\Assets\Square44x44Logo.altform-unplated_targetsize-256.png

Filesize
18KB

MD5
65e01ff43c980fc95ed04e60e7cc8132

SHA1
686c9751958e05fc180117542b5f1d9ae7bd6fcd

SHA256
4a4f966db5813b27a8217adb9a5d8b1d62dd00dad83261650d2f4ae3b6a02d01

SHA512
89dd2e9db684f6b68a0ec1766654019e7809c6423e90e85977dd2270e1f685c8b7afeb13fe5aff0cc21dd21d491f21c32ec0ea2480834b6f11b54d867c1cc696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\Assets\Square44x44Logo.altform-unplated_targetsize-32.png

Filesize
1KB

MD5
3685995d9d28d9633cd4610e86a387c2

SHA1
bd5fef5096b4f947ff1bada0a900d1fca0e4b221

SHA256
2b515f953b65863e521b66c9ce37dd8756602823d2e0415bf6898a1e7c7bc55d

SHA512
4b07e829dc0c10f2216bea916fe2185f751385c5f389c30f5b4d15626f3c069a58137e8e863f88d1989a3907f22181103f01c3d601660970843a2857e5099e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\Assets\Square44x44Logo.altform-unplated_targetsize-48.png

Filesize
2KB

MD5
7f87b385d14233279ddbf44ae53d1345

SHA1
6aadef638a9bf41dcad3e1ce18fd3dc4cc695fa2

SHA256
24587df3a9381bf22922c5c194d828492f48287c97a42791305a4dbf62d145fd

SHA512
e0f42dab68b9fee96edfb6547232caf225acba8d02970bbc0164457eac130510f5c987eedc08f829aff06dd78ce2e64250fbfeb69d8c754af33996c39ead6d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\FileSyncConfig.exe

Filesize
734KB

MD5
d1160516c2bdce49f33375fc76ee7a5a

SHA1
305a9fba80b353dd593af6cef0cc4f087439ac2d

SHA256
342e35bb1953437d2eba322e18c11a683e4e9bc3488e5529c8b0ea4796736464

SHA512
d11342969cfe178492e0ddf43fe1c7ea125a10baa4c9fd3e5064959d432a7dc8f3d34e5708651efd4b5222b3259c6f45f6d4c477c1979ffeff8baabddbcb8346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\OneDrive.exe

Filesize
4.7MB

MD5
00b940426c7f06664179a7fd638f0304

SHA1
1fc694356d03466beadab5b2499631ceddd510e4

SHA256
77599c6287ed7e76080fafd1ea79b58a3489feb530adc9530d45af6b543f591a

SHA512
5d37b61b4c00019065cbf3b25e99991311ccfc0141c98e634f2199f44929f0c8e9d00939410bd97ba8a1b202c39926cf0b23a36a536b7cf1768dded58186c455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\24.161.0811.0001\OneDriveStandaloneUpdater.exe

Filesize
4.0MB

MD5
0229624de598d329bfb30bec4aeb8466

SHA1
d3b796755c3ec74f60330d17b7c84d4ad4eae7df

SHA256
bff12ce837fbba698995aa9962b0071a0872b726a80e39c06cb9ed82fdb82ea4

SHA512
579f5683dc3c129374697d46d1b882bfb2be5db39c1a618e6c1592fe4f1e2d29acbd1b672480813bd0192327e9af33de1d42ffd5248a1770e9b8055af2199ecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.Settings.db

Filesize
16KB

MD5
9caed8c96174ed88142f7436e5510143

SHA1
7f63c366f1326b142a767d92899a4943a014d7cc

SHA256
e1b72fdb6fb9da58322f43b4ac4d23a84be5800fefd87fea07b6895ce091fea6

SHA512
94f50b56085a5ee5638b9651fd9d8674dd90da1cffddc4ae5b8c3e86d915f6e4d71d461254c4ea16e9b3f4659bcc83c03b5013a3ac89924a6d324272d5fc4407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.Settings.db

Filesize
16KB

MD5
600db0227974adfc8b60d36cb62dec9b

SHA1
f7039d3680536d0219f151f0d7a0ddf2bf6d1b61

SHA256
4c33e2eba68c35c32449f4e158e0e1d5042c8f4d48bc535bf527f23947e4b6a1

SHA512
662b830ec9457d0fb7b85b0f7d7d18fc8a1a560f4cd64bbfd9be15c722f8b84b213823cd894d3e07f3035fdc6fe8a91c84c8b650a2d379d67f70977f15957b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.Settings.db

Filesize
16KB

MD5
d108c94d6a633acd650a71852a07a7c3

SHA1
6d26de3ad0e2e0b225a02907b7e4579ef026aecc

SHA256
22d819eea7c5d1ab7d036e915275464d8ceadb295ccda82bb28f4fa1e692a679

SHA512
aac53efb5e898be3710e0576d25fbdaa222beb42b694a5f7dd62a62a2b984d5c407ed67197559032cc77a2b61760fe5d0de986557f41892863766a1a77315c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
42f7b70388435aa827a86652b289e6fb

SHA1
52c050a1151442f461eebbd13bf4b636479140cb

SHA256
4ae473a1fc36521f91afebef8b80816bd1bc432d849925d6b2276ec9196e0043

SHA512
4ed8bd637694f98adb35c8b1fedf22e8ce5e04610aa7631395fe01fca1f90959fa395171a59499b2f02d9aaa73f44d6251d514013aac16a71bdbf9fe5c361845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
81KB

MD5
d1d5db2960fce53261765962d95d7558

SHA1
d1fb7e6e4a5a0fa7af01b8206f7c13cd6a317370

SHA256
5924793a8f6dd5dea080daa316e248306ddc1b4cab64b8559486be5fb99d3486

SHA512
56a13be8013e62cb9cbcc7782dc28787f82bea9163a341af18482266f29cb882e1a02145f79ece65fa8f2264924c42155da48c90a42ff8b3fb405a5ea69b1d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\4e7a3602a6530194fc2a9d803f78656054f42b7e.tbres

Filesize
2KB

MD5
c9b7c3069a5a0f506e4004873b659aaf

SHA1
0b1afc693805e88c8eb6a3206fb84218bfb5dd8a

SHA256
11d0a96177987e62bb32e0a0012fbab2fafbce032b3bf97f8abe4e7a1c8cccbb

SHA512
e3a3d981b270981731948d0ed0fc39799c2c7bf8e6d5b22024454ba714d9276207a7635d8b207f4fd91485e6d2126b7e2fc685c9ddd9f0fb536f1a3acce11657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\78c091ac6d34daa9d603629dd088840de549030f.tbres

Filesize
2KB

MD5
7c2e52cddebfbe70c69b9e044c256cc9

SHA1
93ed72de67c62a6cd1015276ed2405fce44fe56b

SHA256
40269c6570cebc6cb07f619fdc3e2f17234398d39c41298099b2fd867d59be93

SHA512
078f195ddfb0fc8432c4d94cff02521a4f3bab5c1ebf6beb72f645dd058aeeb149bbf85baa0bf977c70f0acd1ce7628e97c58e49438edf44f96bc3907b84d59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\26cd1b04339a18197427087fe7a87fe7d1d2db62[1].xml

Filesize
1KB

MD5
deaced675b91816dd28892ef57f8d023

SHA1
68c3fb5bb49b750732f2b134da3d204cc4b7b577

SHA256
d023ecf82f20455fd4c12d4ae16e02b9765bc4c27fd6930f33bfd4bacb701079

SHA512
c50accf5815524d19292d6a1941394327316f7e6f2d187c077771b523f865f973fee54336bd9e66f19fa12a6f37fd4bb47e33877d58622712726fa937d792042

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct1613.tmp

Filesize
475B

MD5
dd13b2b8aeb020b57ab127477520681a

SHA1
af687ee8645376e80767d439ff72d3eaab6368fe

SHA256
6df6d154fa98d67363bce3b3ebceaf0fd89bacceddb1168d6de42ffb6b6eceb3

SHA512
30a140372e8c65be644340555e25d607de4f22fc45ed3470f73bc1d5b9ff1c6c656d92d357cad9155f0138a92c582c3e8ba8b8384e45d046359ee55c10405c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC1DA.tmp

Filesize
475B

MD5
205c62760a8d4025eb0e0d79d938c7d7

SHA1
aac66ae3fb7795559240df261368c6d9bf7c6ec8

SHA256
a7630996ab265ad25ed87a65bc84162d9d49e378d74ae9ae3f1cc603a72e14af

SHA512
94a0db88ccf3eaf34f3f6bfb98185dd9674ce58f56f2b95a82ec58168bdf2da6180db081042a9379c25a8c0a50e9154b537c6256aac136b2e0404fd63ba30cf7

Download Submit
memory/4800-1723-0x0000000000BA0000-0x0000000000BD5000-memory.dmp

Filesize
212KB

Download
memory/4800-1724-0x0000000067140000-0x0000000067365000-memory.dmp

Filesize
2.1MB

Download
memory/4800-2895-0x0000000067140000-0x0000000067365000-memory.dmp

Filesize
2.1MB

Download