Microsoft.SharePoint.exe
- File Path:
C:\Users\user\AppData\Local\Microsoft\OneDrive\21.220.1024.0001\Microsoft.SharePoint.exe - Description: Microsoft SharePoint
Hashes
| Type | Hash |
|---|---|
| MD5 | E506372420D151E40C0B5C6C368A96E6 |
| SHA1 | A1D259B8923D6D833CD66C9D793F25337BE1F174 |
| SHA256 | EA0D2F722FEC4497E4D8DCA5B299BCA70EED9FC9D02FB8C4CC5876AC2CF70F43 |
| SHA384 | 7E7E6993EE752C1698B416B94948848E3610299BE0D02A3982C391DC8CE63DE4EFA96A4D8CEDC3007DD11C859D33AE89 |
| SHA512 | F5A1CCA677841B74EFF74341DD583DEDDA202F7314DA1FF66BD545AE1A12DBFCC8AE711ACAFB2F36E8A045C9ED5FB0234DE534049200DB31BF192AA67E201272 |
| SSDEEP | 12288:F+aFZXEOwbX8McFegCs+WXQRVPpTibh7Ku1zbr/h5RoudaddsCyCpMjDUpetBbXp:pLEcFv5ELzetBbXocItKMR5YjK6Acz |
| IMP | DA772FCF017733933A4506713839B2E3 |
| PESHA1 | 98DB20678E5CCC36EB9B92DC11777F1E231F2466 |
| PE256 | 3C20BA0906E68142EFFB3737722C4C0EB68C7CF1E32FB3A84823F8308AAB7B72 |
Runtime Data
Usage (stdout):
[OneAuth:Error:9benb:00000000-0000-0000-0000-000000000000] (Code:3800) Default account was not set. User cannot sign-in silently. Default account not found.
[OneAuth:Error:9benb:a5f2a7f6-db52-4698-9f09-3ceaa885c1bc] (Code:3800) Default account was not set. User cannot sign-in silently. Default account not found.
[OneAuth:Error:9benb:0c6fc91d-6109-4236-b1d4-f8c5c7f0c7df] (Code:3800) Default account was not set. User cannot sign-in silently. Default account not found.
Usage (stderr):
[OneAuth:Error:9benb:00000000-0000-0000-0000-000000000000] (Code:3800) Default account was not set. User cannot sign-in silently. Default account not found.
[OneAuth:Error:9benb:a5f2a7f6-db52-4698-9f09-3ceaa885c1bc] (Code:3800) Default account was not set. User cannot sign-in silently. Default account not found.
[OneAuth:Error:9benb:0c6fc91d-6109-4236-b1d4-f8c5c7f0c7df] (Code:3800) Default account was not set. User cannot sign-in silently. Default account not found.
Open Handles:
| Path | Type |
|---|---|
| (R–) C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\ListSync\Business1\Nucleus-2021-11-07.2318.8820.1.aodl | File |
| (R–) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2021-11-07_231824_8820-11192.log | File |
| (R-D) C:\Users\user\AppData\Local\Microsoft\OneDrive\21.220.1024.0001\en\FileSync.LocalizedResources.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\crypt32.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\kernel32.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\mswsock.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui | File |
| (R-D) C:\Windows\System32\WinMetadata\Windows.Security.winmd | File |
| (RW-) C:\Users\user\AppData\Local\Microsoft\OneDrive\ListSync\Business1\settings\Microsoft.ListSync.db | File |
| (RW-) C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\ListSync\Business1\microsoftNucleusTelemetryCache.otc | File |
| (RW-) C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\ListSync\Business1\microsoftNucleusTelemetryCache.otc-shm | File |
| (RW-) C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\ListSync\Business1\microsoftNucleusTelemetryCache.otc-wal | File |
| (RW-) C:\Windows\System32 | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\UrlZonesSM_TI-ADMIN | Section |
| \Sessions\2\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\2\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-1128764013-3361508229-3049782613-1001 | Section |
| \Sessions\2\Windows\Theme1077709572 | Section |
| \Windows\Theme3461253685 | Section |
Loaded Modules:
| Path |
|---|
| C:\Users\user\AppData\Local\Microsoft\OneDrive\21.220.1024.0001\Microsoft.SharePoint.exe |
| C:\WINDOWS\System32\ADVAPI32.dll |
| C:\WINDOWS\System32\combase.dll |
| C:\WINDOWS\System32\CRYPT32.dll |
| C:\WINDOWS\System32\GDI32.dll |
| C:\WINDOWS\System32\gdi32full.dll |
| C:\WINDOWS\System32\IMM32.DLL |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\System32\msvcp_win.dll |
| C:\WINDOWS\System32\msvcrt.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\ole32.dll |
| C:\WINDOWS\System32\OLEAUT32.dll |
| C:\WINDOWS\System32\RPCRT4.dll |
| C:\WINDOWS\System32\sechost.dll |
| C:\WINDOWS\SYSTEM32\Secur32.dll |
| C:\WINDOWS\System32\SHELL32.dll |
| C:\WINDOWS\System32\SHLWAPI.dll |
| C:\WINDOWS\SYSTEM32\SSPICLI.DLL |
| C:\WINDOWS\System32\ucrtbase.dll |
| C:\WINDOWS\System32\USER32.dll |
| C:\WINDOWS\SYSTEM32\USERENV.dll |
| C:\WINDOWS\SYSTEM32\VERSION.dll |
| C:\WINDOWS\System32\win32u.dll |
| C:\WINDOWS\SYSTEM32\WININET.dll |
| C:\WINDOWS\SYSTEM32\WTSAPI32.dll |
Signature
- Status: Signature verified.
- Serial:
33000003F16206E3E7EFDA8ABE0000000003F1 - Thumbprint:
5362FAEB842C236D05A729B7FAC85BAA1B68BDCA - Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: Microsoft.SharePoint.exe
- Product Name: Microsoft SharePoint
- Company Name: Microsoft Corporation
- File Version: 21.220.1024.0001
- Product Version: 21.220.1024.0001
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/ea0d2f722fec4497e4d8dca5b299bca70eed9fc9d02fb8c4cc5876ac2cf70f43/detection
Possible Misuse
The following table contains possible examples of Microsoft.SharePoint.exe being misused. While Microsoft.SharePoint.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | microsoft365_suspicious_oauth_app_file_download_activities.yml | description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. |
DRL 1.0 |
| sigma | image_load_uipromptforcreds_dlls.yml | - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe' |
DRL 1.0 |
MIT License. Copyright (c) 2020-2021 Strontic.