asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
78s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat phorphiex default discovery evasion execution loader persistence privilege_escalation rat spyware stealer trojan worm

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1604

127.0.0.1:22253

eu-central-7075.packetriot.net:6606

eu-central-7075.packetriot.net:7707

eu-central-7075.packetriot.net:8808

eu-central-7075.packetriot.net:1604

eu-central-7075.packetriot.net:22253

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysarddrvs.exe

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022723-8.dat	family_phorphiex
behavioral2/files/0x000900000002342f-16.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023517-158.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1648	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	sysarddrvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	stub.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

pid	Process
2572	r.exe
232	t.exe
4736	peinf.exe
968	tt.exe
3936	11.exe
3660	sysmablsvr.exe
4108	sysarddrvs.exe
4632	sysmablsvr.exe
4912	sysarddrvs.exe
1424	twztl.exe
4544	stub.exe
2868	svchost.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	t.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysmablsvr.exe"	tt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysarddrvs.exe"	11.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\sysmablsvr.exe	r.exe
File opened for modification	C:\Windows\sysmablsvr.exe	r.exe
File created	C:\Windows\sysarddrvs.exe	t.exe
File opened for modification	C:\Windows\sysarddrvs.exe	t.exe
File created	C:\Windows\sysmablsvr.exe	tt.exe
File created	C:\Windows\sysarddrvs.exe	11.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2072	sc.exe
3932	sc.exe
3548	sc.exe
4780	sc.exe
4004	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twztl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4428	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer\ = "OOBERequestHandler.OOBERequestHandler.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\FileSyncClient.FileSyncClient\CLSID\ = "{7B37E4E2-C62F-4914-9620-8FB5062718CC}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppID\OneDrive.EXE	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CurVer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID\ = "OOBERequestHandler.OOBERequestHandler"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ = "IFileUploader"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ = "IUnmapLibraryCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\FileSyncClient.AutoPlayHandler\CLSID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\odopen\DefaultIcon	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ = "IGetSyncStatusCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2220	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1184	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1648	powershell.exe
1648	powershell.exe
1184	OneDrive.exe
1184	OneDrive.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe
4544	stub.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4912	sysarddrvs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	4363463463464363463463463.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	4544	stub.exe
Token: SeDebugPrivilege	2868	svchost.exe
Token: SeDebugPrivilege	2868	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1184	OneDrive.exe
1184	OneDrive.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1184	OneDrive.exe
1184	OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1184	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2572	4612	4363463463464363463463463.exe	91
PID 4612 wrote to memory of 2572	4612	4363463463464363463463463.exe	91
PID 4612 wrote to memory of 2572	4612	4363463463464363463463463.exe	91
PID 4612 wrote to memory of 232	4612	4363463463464363463463463.exe	92
PID 4612 wrote to memory of 232	4612	4363463463464363463463463.exe	92
PID 4612 wrote to memory of 232	4612	4363463463464363463463463.exe	92
PID 4612 wrote to memory of 4736	4612	4363463463464363463463463.exe	93
PID 4612 wrote to memory of 4736	4612	4363463463464363463463463.exe	93
PID 4612 wrote to memory of 4736	4612	4363463463464363463463463.exe	93
PID 4612 wrote to memory of 968	4612	4363463463464363463463463.exe	95
PID 4612 wrote to memory of 968	4612	4363463463464363463463463.exe	95
PID 4612 wrote to memory of 968	4612	4363463463464363463463463.exe	95
PID 4612 wrote to memory of 3936	4612	4363463463464363463463463.exe	96
PID 4612 wrote to memory of 3936	4612	4363463463464363463463463.exe	96
PID 4612 wrote to memory of 3936	4612	4363463463464363463463463.exe	96
PID 2572 wrote to memory of 3660	2572	r.exe	97
PID 2572 wrote to memory of 3660	2572	r.exe	97
PID 2572 wrote to memory of 3660	2572	r.exe	97
PID 232 wrote to memory of 4108	232	t.exe	98
PID 232 wrote to memory of 4108	232	t.exe	98
PID 232 wrote to memory of 4108	232	t.exe	98
PID 968 wrote to memory of 4632	968	tt.exe	99
PID 968 wrote to memory of 4632	968	tt.exe	99
PID 968 wrote to memory of 4632	968	tt.exe	99
PID 3936 wrote to memory of 4912	3936	11.exe	102
PID 3936 wrote to memory of 4912	3936	11.exe	102
PID 3936 wrote to memory of 4912	3936	11.exe	102
PID 4912 wrote to memory of 3460	4912	sysarddrvs.exe	103
PID 4912 wrote to memory of 3460	4912	sysarddrvs.exe	103
PID 4912 wrote to memory of 3460	4912	sysarddrvs.exe	103
PID 4912 wrote to memory of 4172	4912	sysarddrvs.exe	105
PID 4912 wrote to memory of 4172	4912	sysarddrvs.exe	105
PID 4912 wrote to memory of 4172	4912	sysarddrvs.exe	105
PID 4172 wrote to memory of 3932	4172	cmd.exe	108
PID 4172 wrote to memory of 3932	4172	cmd.exe	108
PID 4172 wrote to memory of 3932	4172	cmd.exe	108
PID 3460 wrote to memory of 1648	3460	cmd.exe	107
PID 3460 wrote to memory of 1648	3460	cmd.exe	107
PID 3460 wrote to memory of 1648	3460	cmd.exe	107
PID 4172 wrote to memory of 2072	4172	cmd.exe	109
PID 4172 wrote to memory of 2072	4172	cmd.exe	109
PID 4172 wrote to memory of 2072	4172	cmd.exe	109
PID 4172 wrote to memory of 3548	4172	cmd.exe	110
PID 4172 wrote to memory of 3548	4172	cmd.exe	110
PID 4172 wrote to memory of 3548	4172	cmd.exe	110
PID 4172 wrote to memory of 4780	4172	cmd.exe	111
PID 4172 wrote to memory of 4780	4172	cmd.exe	111
PID 4172 wrote to memory of 4780	4172	cmd.exe	111
PID 4172 wrote to memory of 4004	4172	cmd.exe	112
PID 4172 wrote to memory of 4004	4172	cmd.exe	112
PID 4172 wrote to memory of 4004	4172	cmd.exe	112
PID 4612 wrote to memory of 1424	4612	4363463463464363463463463.exe	123
PID 4612 wrote to memory of 1424	4612	4363463463464363463463463.exe	123
PID 4612 wrote to memory of 1424	4612	4363463463464363463463463.exe	123
PID 4612 wrote to memory of 4544	4612	4363463463464363463463463.exe	124
PID 4612 wrote to memory of 4544	4612	4363463463464363463463463.exe	124
PID 4612 wrote to memory of 4544	4612	4363463463464363463463463.exe	124
PID 4544 wrote to memory of 2572	4544	stub.exe	127
PID 4544 wrote to memory of 2572	4544	stub.exe	127
PID 4544 wrote to memory of 2572	4544	stub.exe	127
PID 4544 wrote to memory of 3892	4544	stub.exe	129
PID 4544 wrote to memory of 3892	4544	stub.exe	129
PID 4544 wrote to memory of 3892	4544	stub.exe	129
PID 3892 wrote to memory of 4428	3892	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\Files\r.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\sysmablsvr.exe
    C:\Windows\sysmablsvr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3660
- C:\Users\Admin\AppData\Local\Temp\Files\t.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\t.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\sysarddrvs.exe
    C:\Windows\sysarddrvs.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4108
- C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\Files\tt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\sysmablsvr.exe
    C:\Users\Admin\sysmablsvr.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    PID:4632
- C:\Users\Admin\AppData\Local\Temp\Files\11.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Users\Admin\sysarddrvs.exe
    C:\Users\Admin\sysarddrvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3932
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2072
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3548
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4780
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\1154018470.exe
      C:\Users\Admin\AppData\Local\Temp\1154018470.exe
      4⤵
      PID:4144
- C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1424
- C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF11.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4428
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2868
- C:\Users\Admin\AppData\Local\Temp\Files\66b5b7e28e9ce_trab.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\66b5b7e28e9ce_trab.exe"
  2⤵
  PID:2220

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1184
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  PID:1592
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    PID:112
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
      4⤵
      PID:1304
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      PID:3840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

Filesize
553KB

MD5
57bd9bd545af2b0f2ce14a33ca57ece9

SHA1
15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1

SHA256
a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf

SHA512
d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncTelemetryExtensions.dll

Filesize
58KB

MD5
51b6038293549c2858b4395ca5c0376e

SHA1
93bf452a6a750b52653812201a909c6bc1f19fa3

SHA256
a742c9e35d824b592b3d9daf15efb3d4a28b420533ddf35a1669a5b77a00bb75

SHA512
b8cfdab124ee424b1b099ff73d0a6c6f4fd0bf56c8715f7f26dbe39628a2453cd63d5e346dbf901fcbfb951dfbd726b288466ff32297498e63dea53289388c0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll

Filesize
504KB

MD5
4ffef06099812f4f86d1280d69151a3f

SHA1
e5da93b4e0cf14300701a0efbd7caf80b86621c3

SHA256
d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3

SHA512
d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe

Filesize
2.9MB

MD5
9cdabfbf75fd35e615c9f85fedafce8a

SHA1
57b7fc9bf59cf09a9c19ad0ce0a159746554d682

SHA256
969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673

SHA512
348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveTelemetryStable.dll

Filesize
1.6MB

MD5
6e8ae346e8e0e35c32b6fa7ae1fc48c3

SHA1
ca0668ddb59e5aa98d9a90eceba90a0ee2fb7869

SHA256
146811735589450058048408f05644a93786a293c09ccb8d74420fb87c0a4d56

SHA512
aa65ef969b1868a54d78a4f697e6edbded31b118f053bbe8a19a599baaf63821dc05f75b2ac87452cb414ab6572b8d9b349093931e64601c47f8ebbb49c431cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll

Filesize
451KB

MD5
50ea1cd5e09e3e2002fadb02d67d8ce6

SHA1
c4515f089a4615d920971b28833ec739e3c329f3

SHA256
414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902

SHA512
440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll

Filesize
432KB

MD5
037df27be847ef8ab259be13e98cdd59

SHA1
d5541dfa2454a5d05c835ec5303c84628f48e7b2

SHA256
9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec

SHA512
7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll

Filesize
425KB

MD5
ce8a66d40621f89c5a639691db3b96b4

SHA1
b5f26f17ddd08e1ba73c57635c20c56aaa46b435

SHA256
545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7

SHA512
85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\ucrtbase.dll

Filesize
1.1MB

MD5
7a333d415adead06a1e1ce5f9b2d5877

SHA1
9bd49c3b960b707eb5fc3ed4db1e2041062c59c7

SHA256
5ade748445d8da8f22d46ad46f277e1e160f6e946fc51e5ac51b9401ce5daf46

SHA512
d388cb0d3acc7f1792eadfba519b37161a466a8c1eb95b342464adc71f311165a7f3e938c7f6a251e10f37c9306881ea036742438191226fb9309167786fa59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll

Filesize
73KB

MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
2.3MB

MD5
c2938eb5ff932c2540a1514cc82c197c

SHA1
2d7da1c3bfa4755ba0efec5317260d239cbb51c3

SHA256
5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665

SHA512
5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
37.6MB

MD5
bf2323372094dae9fc883cc7c6aaf833

SHA1
b5bfcb630b1bf3b3552a1e551b79771fd1fa0849

SHA256
5a04db6c30e994817278811543f56705a171058448c54d86a05b253f61a97c5c

SHA512
897342a1baeea31acabd9fa56603de94ab5d1e00d248c0e065f41f193a44acfcbb67104683c963cad7612b3287610fcb0c87cc3785f0ee2c8a017d9cff5730dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
30.8MB

MD5
cb33931f466bd8cacb32141288405407

SHA1
877a79d33d3cfbea0fac57f3b9f8005c00c7dba7

SHA256
76da9598d1d8fd23a7c891c337a73920faf8d659a1a779839786d8f85f12b4a2

SHA512
bae625bfb88c8e536b3fe55edfd6f63282e16236704e3480fbc5335f3d677781b91fb06f82123358b57e3d61baa641a23081816b8a88669c0d347af637d3fbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
24.1MB

MD5
65b1aeced38bea9f1ee70b4005b12945

SHA1
c143308863c6d62181bd14400f46eaa76eadf8c7

SHA256
91315cc963989f27bb3cccb47f5ec13a084a4b3e16f7571db2650ee20e1199d8

SHA512
220d6c674b7ac7929b58ce3e67556a02786f4449aebbdf77ea8bfc5e491e0d6ecde817a0150aea8edfa5a71e474ca22d4e6ff2762ca7e28204dbe8791bf6b659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
25.3MB

MD5
ed7005a1134ee8d640a85560738df485

SHA1
b810db0c739d2f11f795a2fb20a00117b81bacbe

SHA256
c003469443f7eed739a4f6f28f9779ee2ff8698a380d5803db78fe7bd2cf258d

SHA512
04ca6fa942bb331636208ce3680f740a99142f58c3ff0a1ff29a770268ae968b67124bb664b08461efd006995fa0654489258ae8ad0485ece859919d24a91088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
a57e7991fbc5491525643fa5aad9d33e

SHA1
bd1530d6cec2e2985613e0cb297904a2e18a9339

SHA256
d14d87e6bc250adfb5851f17ca14da755a0f28ecd166b5c6ad9ddc7ec45ccfe6

SHA512
f6e8886d12de53f021f6e81c3bf998c3c66e5d8ca605621fbe2f51290266c1fa8f7ca5f9b05a7045ee974d8336342be23079477d3830e328b457b8a7405ead30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
38B

MD5
cc04d6015cd4395c9b980b280254156e

SHA1
87b176f1330dc08d4ffabe3f7e77da4121c8e749

SHA256
884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e

SHA512
d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

Filesize
77B

MD5
9037f60a77f79b12af7921b7d434f7ad

SHA1
a62b52abec53cf714b4c6bd56938cd94d39b2f9e

SHA256
a1ca0c2c879af1c2b4f59e79cd2546fafa65535e17e6b40c31b4baba35f9ada6

SHA512
5842ec0a9997c23f0e203cfb6691723e75a4ee7fb4ef9c38b98de5f890108fea042e0503da219fde760a38a250ffbaab0bd8902b719aeaf4c6c36086ca65cbd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6809OHQ0\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\66b5b7e28e9ce_trab.exe

Filesize
1.1MB

MD5
d6d13bd6eb1563fd3e0a6a30befde81f

SHA1
5e25703dd0ec673ddd9f2e5bd1371bf62c15909e

SHA256
7d0af6602da272e34ef9313fb9c3b5e793c1f12447f99f028e04623961f48ace

SHA512
94747cd7bfe19ecb0fa5654076aeca7b671266b97913ae81bddb669628a126f162e41edfa8b53565fa3116898044020e0a7d229183f6378c04ad45bf1e9fdff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
1382c0a4a9e0a9a2c942458652a4a0e4

SHA1
55ed8ebd6281c280c3e77763773d789a6057e743

SHA256
4cb590dfafb7653379326e840d9b904a3cf05451999c4f9eb66c6e7116b68875

SHA512
cc1ba7e779536b57409c974f16b0d8706fdf8749fb9eca36716d4e84d4f420a650b6476ac08570e684ad1e492da3bbacc15a4e5be4b94a1b708909d683da0b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\r.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
48KB

MD5
a7ed4ba445aa61c4632dd6579c212bf5

SHA1
a81d766d12a6dd8c3cec537387a089650b34e103

SHA256
91fb355fdc173c40fa77f8a252031d6bc32fab91c5e5573da28044494691c820

SHA512
2a0e0afdecf803657f2d67433399dc3119a3b4221334a9c8d7cb3e3e741457aaa26d2edd32377a102f1c539a4ef065cb5296d4cdfe7657993223e675e3fd4bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\t.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ewgqdf5b.1q3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E4A.tmp

Filesize
23.0MB

MD5
5ce6d3cb77b57faabceb3d0b8e6ab697

SHA1
8be25084bf499ee8d01ee70ed92c59b40d2e0a6b

SHA256
42bccf53f34126cb1e4e47f568a763e5690a3dd9340d5cf15fa2e3d5f4c8a716

SHA512
20b1838326df9b037a6e2a853a18090030ac3e33794dc1d0a8d8ef46dd603f6a03053f2869904c37916adaf3cd49d598f92f99ab6e7bbe26577af686bb8d4aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF11.tmp.bat

Filesize
151B

MD5
fd1a194052a9fe08ccf53d63c133f971

SHA1
0a7fcfda3d456ac40815b28399ebcf7f87e86e17

SHA256
46670c08b583ee6b0c855e7da1e0f19db7994b683ac9731d539eb7313c977ec2

SHA512
0a096b2778a075f091d6f6b7a236fe77266d181fa6900d434200a3cfd384e1b424ea4cacb51c5051cf73a6b7586f3c775433652c2eabbd201f81fd91c93eeaa0

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt

Filesize
380KB

MD5
1e98147cea1b3e629d688333ee3f7d85

SHA1
c404c95e4109ded5511964abf58745f21bbc40f2

SHA256
ceec9dd22b8979af83b648a711adcf28397a9936648ab9bb096003b6f11d8ed9

SHA512
ebf06bda1533313738e4aa38884ed96db45730dc89ed6299517e8a3da703f038de635c6c8c7c63c9815a179ed82bc1f23327708ba14b71b81b8f696ede1006e1

Download Submit
C:\vcredist2010_x64.log.html

Filesize
86KB

MD5
719595bd3d1f702071fff442c653c4b8

SHA1
4ede194f154448ef0ce858f14c64047d6cf2118c

SHA256
c5f3dd3ffceea6f19d84089c9e6c77481d3d607a4ace39a5e9590af427f44c27

SHA512
d545151bd1496920842a383a7f358165613e4a54834292ffc0ba120b003a02fe7aca5ec1450139ece1f93372fee46b1a474cc3c4ec0549a1c1b24945b0082024

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

Filesize
396KB

MD5
cab0f3bc43bfe2376351f2edb50d9c18

SHA1
d02cdd1fb4b3ba4c0a37497596bc2a20ee99a1c5

SHA256
f474e9e80be8a3843a4bea398e0c4face28ddc863beb6a9beaa3cf68fd1604f1

SHA512
6ab24e14f6a04d39f16ea31031adf8b963bf63d07e503d65fd9da7ec908cdd1edbfcc39edd70ea9350c989c9495343114cce63c02bc4217dcbf30a2c42573f58

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
4cc3676eab2bff47f73a77b3b065e841

SHA1
13f3b7dd164d1467c0cb730c9f49e513aca72825

SHA256
afc44517448a1dca577a292455df051008a14e7668f29f1fe0622d12d7a23e9f

SHA512
80bcca93913a6e2edfd15d793484aceb7d1f51218544be76f3a5f0ba5764f1cfaf7ae3c023718261318793e93812fe8d9df03b56ea23e47f2d37d01c0a43c4b9

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log

Filesize
168KB

MD5
99c07699c2fd936dfda1fc55f4bccdde

SHA1
cb5d356c5cc5f21be98c10205afd8b58cdbac969

SHA256
e7d9d182ecf7739afb7533ee011bbb93eb8d49182479341b323609b02bf17d93

SHA512
1375ce6f17f5eb8cbeb7fd23d9fe588f277740da563018baef58fe446ba1a48c3a3fe3224078294f3b1b596495cce7418689aec8616d2ced43ad6df8d05750b4

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log

Filesize
195KB

MD5
44e76ea6c323697cb1a7965dc2ddf93a

SHA1
7b192120fffc463d2a5367504528096c9300bd13

SHA256
93f2de3b4023a5d17e6341debef8a52bbaafe0ad00bcd947baded5bb4933bbf4

SHA512
a3ae44afb128588f5dad5f27975a93f47a70b054ac269f0219ff433c609e6e0e66a880293caf4324e0468e702097a0f5fe14e49171f484f94780f6323055f66a

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

Filesize
171KB

MD5
7139e59c3edfd4f60634cd0d57f731da

SHA1
3e7ea1f30e2dc3294f0a27bd75c44896d53077a0

SHA256
98286405bd3e53af7bfe7b9b210be1cdd9ed6cc7b96435a9ff8d6939dea65901

SHA512
03d96c3a1af85c15e99f3fef73cf849d1c05c84f55d0ab6e08ee28b1d978da93d873c74150c5a1d358a3f04b7e3ab1d07b226940507c79523b9bf9690e2d8ce6

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log

Filesize
208KB

MD5
00a1b3dba1caa882e9e99071d9404fc7

SHA1
6f443987e6fcc6fcd1bde91c8072aa15eca00164

SHA256
9e835e4f308ad6ad2325a2f57ff7714acd8dfd35edd8884a668dbe9dbd18e972

SHA512
889eddf26c34633fb43ca17c5c974753a97e2b5379a61df3f4b6ec28d316059c5b804e9f323cdd17e79bc5eae71573631e409d3a927572f24304e111b30307c9

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log

Filesize
170KB

MD5
916a9ecea9e80a5bf2bbed282ae0a5a7

SHA1
237b6ec786f24417616bececadd80fc87943f630

SHA256
7594ffdfd0e06d729153166a26c20c96e87c25a6177c9a37b8d402070228870c

SHA512
9b418da09ef551cb593d9f3f91c299cd584de8c981322846498f8eae43dae3231beed950270f7ab7137bdb36c712c9c0c2afb5980cb446b2c188ded39e0d3b4e

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log

Filesize
191KB

MD5
fc01f1ee731ce8d5f734ff05ba8f0167

SHA1
4823a978380fa12b3cf6364fddfa5a8596faa299

SHA256
eb1fbfa562587718180af78a3a2d6dcc02ee0710a61e6eca641263b2499c6bbc

SHA512
0dc5c05159d9a0aa06eefb6aa2a42f5a9c330d19cfa8b1a80c620a4052af854c9841b93e03cbdb42e31f2ad13cd802a331fce22eb257d22bc48ec5da3da562c4

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log

Filesize
170KB

MD5
49a8a5eb99626e702722d23193cd592d

SHA1
937ced0a91a2a54e4ca44e41cd6266898dc3ff7d

SHA256
71017ac5b027a3c9116b47c060c96479b3bdce813b45dec162569fefd56f9ddc

SHA512
c9f70e324845713d75dc1c285650a7e5271e96998b3732a94c199087346c4baaeea291897530bc8c1c4872c5861c9cd0863c86fdd1d46a1299596305b46fed24

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log

Filesize
198KB

MD5
b5e336f76b8dc584606b98381b56a137

SHA1
fb7c754410a5c9c615b59f495a93be672e97d965

SHA256
63465731758193436aad2969b422f7223a05b3525ced166d55daab8364cc9670

SHA512
58930d6e989c07ab322e72e2e1401f6f3bd42640573852f05465fbafdac2e2132fe7e7495d98b0297cf672c9c4dcbc8a194d96bd87ad070b6239fb43502a292d

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log

Filesize
123KB

MD5
ae63a568d741e323b3cba52f4c1dab36

SHA1
78eab044cd511f577a7d528011d923e9ba731443

SHA256
7502b2c3275704890bb62b598a37fe33b796f1ca23b333d34119790ef9ade072

SHA512
c6f1386a53541b9f3895fd847f96f02d1adcd5c9325ed92d9899602d22246bfed9f41a372e76184b3a666832981066543812a52ce50ce99a013134a6014f4ced

Download Submit
memory/1648-99-0x0000000007C20000-0x0000000007CB6000-memory.dmp

Filesize
600KB

Download
memory/1648-82-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/1648-104-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

Filesize
32KB

Download
memory/1648-103-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

Filesize
104KB

Download
memory/1648-102-0x0000000007BF0000-0x0000000007C04000-memory.dmp

Filesize
80KB

Download
memory/1648-101-0x0000000007BE0000-0x0000000007BEE000-memory.dmp

Filesize
56KB

Download
memory/1648-100-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

Filesize
68KB

Download
memory/1648-66-0x00000000050B0000-0x00000000050E6000-memory.dmp

Filesize
216KB

Download
memory/1648-98-0x0000000007A10000-0x0000000007A1A000-memory.dmp

Filesize
40KB

Download
memory/1648-96-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/1648-97-0x00000000079C0000-0x00000000079DA000-memory.dmp

Filesize
104KB

Download
memory/1648-95-0x0000000007860000-0x0000000007903000-memory.dmp

Filesize
652KB

Download
memory/1648-84-0x000000006F3C0000-0x000000006F40C000-memory.dmp

Filesize
304KB

Download
memory/1648-94-0x0000000006C40000-0x0000000006C5E000-memory.dmp

Filesize
120KB

Download
memory/1648-83-0x0000000007620000-0x0000000007652000-memory.dmp

Filesize
200KB

Download
memory/1648-67-0x0000000005840000-0x0000000005E68000-memory.dmp

Filesize
6.2MB

Download
memory/1648-81-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/1648-80-0x0000000006040000-0x0000000006394000-memory.dmp

Filesize
3.3MB

Download
memory/1648-70-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/1648-69-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/1648-68-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/2220-1095-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4544-165-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/4612-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4612-65-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4612-64-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4612-3-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4612-2-0x0000000004CB0000-0x0000000004D4C000-memory.dmp

Filesize
624KB

Download
memory/4612-1-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download