Analysis Overview
SHA256
ca740321cef658dd9854d4c514522d96ca115152757f734a631e48031e21692a
Threat Level: Shows suspicious behavior
The file BedrockLauncherSetup.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Modifies system executable filetype association
Executes dropped EXE
Registers COM server for autorun
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Checks for any installed AV software in registry
Checks system information in the registry
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry class
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 11:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 11:33
Reported
2024-02-23 12:04
Platform
win10v2004-20240221-en
Max time kernel
1800s
Max time network
1805s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\BedrockLauncher\StartBedrockLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\BedrockLauncher\app\BedrockLauncher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\BedrockLauncher\StartBedrockLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\BedrockLauncher\app\BedrockLauncher.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\WOW6432NODE\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\WOW6432NODE\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\WOW6432NODE\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LOCALSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | C:\Windows\system32\DeviceCensus.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\services.msc | C:\Windows\system32\mmc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | C:\Windows\system32\DeviceCensus.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring|\"M9cDq0sMvqdhz5fs5dpIDGKls0nGPa2/MFdckOhu6+w=\"" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133531622292212195" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\ = "IFileSyncClient11" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\FileSyncClient.FileSyncClient\CLSID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1\ = "SyncEngineStorageProviderHandlerProxy Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\OOBEREQUESTHANDLER.OOBEREQUESTHANDLER.1\CLSID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\FileSyncClient.AutoPlayHandler\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ = "IFileSyncClient7" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\ProgID\ = "NucleusNativeMessaging.NucleusNativeMessaging.1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\ = "ShareHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\ = "ToastActivator Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BedrockLauncherSetup.exe
"C:\Users\Admin\AppData\Local\Temp\BedrockLauncherSetup.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\051264e811124f94bd99a7f0420f27b4 /t 5020 /p 3268
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault515dc851h9273h44eehb1b2h30d51947c97f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbae7346f8,0x7ffbae734708,0x7ffbae734718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,14994983321342570853,2887816837812713555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,14994983321342570853,2887816837812713555,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,14994983321342570853,2887816837812713555,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\w.txt
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ExpandUninstall.mpe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\dashost.exe
dashost.exe {4c9bb161-e3a9-494d-89f835261b6f0e7a}
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbae7346f8,0x7ffbae734708,0x7ffbae734718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2109979846678401218,12839758379690610528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbb8a99758,0x7ffbb8a99768,0x7ffbb8a99778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4676 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=244 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2272 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3324 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4008 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5476 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3116 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6208 --field-trial-handle=1948,i,9898695775994970386,12051994305227892876,131072 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\dashost.exe
dashost.exe {7a85202a-e5bc-46d6-987ac1e145081481}
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_win10activator.zip\win10activator.bat" "
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk 3KHY7-WNT83-DGQKR-F7HPR-844BM
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk PVMJN-6DFY6-9CCP6-7BKTT-D3WVR
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk MH37W-N47XK-V7XM9-C7227-GCQG9
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\win10activator\win10activator.bat"
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk 3KHY7-WNT83-DGQKR-F7HPR-844BM
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk PVMJN-6DFY6-9CCP6-7BKTT-D3WVR
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk MH37W-N47XK-V7XM9-C7227-GCQG9
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk WNMTR-4C88C-JK8YV-HQ7T2-76DF9
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk 2F77B-TNFGY-69QQF-B8YKP-D69TJ
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /skms kms.chinancce.com
C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ato
C:\Windows\system32\find.exe
find /i "successfully"
C:\Windows\system32\choice.exe
choice /n /c YN /m "Do you want to restart your PC now [Y,N]?"
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
C:\Windows\System32\winver.exe
"C:\Windows\System32\winver.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicePickerUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
C:\Users\Admin\Desktop\BedrockLauncher\StartBedrockLauncher.exe
"C:\Users\Admin\Desktop\BedrockLauncher\StartBedrockLauncher.exe"
C:\Users\Admin\Desktop\BedrockLauncher\app\BedrockLauncher.exe
"C:\Users\Admin\Desktop\BedrockLauncher\app\BedrockLauncher.exe"
C:\Windows\explorer.exe
"explorer.exe" C:\Users\Admin\AppData\Roaming\.minecraft_bedrock\installations\Latest Release\packageData
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| GB | 23.214.133.66:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 66.133.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.200.14:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s2.dosya.tc | udp |
| DE | 168.119.136.27:443 | s2.dosya.tc | tcp |
| DE | 168.119.136.27:443 | s2.dosya.tc | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| DE | 172.217.16.131:443 | beacons.gcp.gvt2.com | tcp |
| DE | 168.119.136.27:443 | s2.dosya.tc | tcp |
| DE | 168.119.136.27:443 | s2.dosya.tc | tcp |
| DE | 168.119.136.27:443 | s2.dosya.tc | tcp |
| DE | 168.119.136.27:443 | s2.dosya.tc | tcp |
| US | 8.8.8.8:53 | 27.136.119.168.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 64.233.184.157:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | 226.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.184.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | tcp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | adsdk.microsoft.com | udp |
| US | 8.8.8.8:53 | cdn.adnxs.com | udp |
| US | 8.8.8.8:53 | 193.212.58.216.in-addr.arpa | udp |
| US | 151.101.1.108:443 | cdn.adnxs.com | tcp |
| US | 13.107.246.64:443 | adsdk.microsoft.com | tcp |
| US | 8.8.8.8:53 | ams3-ib.adnxs.com | udp |
| NL | 185.89.210.46:443 | ams3-ib.adnxs.com | tcp |
| GB | 92.123.128.165:443 | www.bing.com | tcp |
| GB | 92.123.128.165:443 | www.bing.com | tcp |
| GB | 92.123.128.165:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | 108.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.210.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | greatdexchange.com | udp |
| NL | 185.89.210.46:443 | ams3-ib.adnxs.com | tcp |
| US | 188.114.96.2:443 | greatdexchange.com | tcp |
| US | 188.114.96.2:443 | greatdexchange.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 188.114.96.2:443 | greatdexchange.com | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | enastravel.com | udp |
| US | 172.67.146.210:443 | enastravel.com | tcp |
| US | 8.8.8.8:53 | feed.cn-rtb.com | udp |
| US | 172.67.146.210:443 | enastravel.com | udp |
| US | 104.21.73.203:443 | feed.cn-rtb.com | tcp |
| US | 8.8.8.8:53 | sdk.ocmhood.com | udp |
| US | 104.26.7.228:443 | sdk.ocmhood.com | tcp |
| US | 8.8.8.8:53 | t.cn-rtb.com | udp |
| US | 8.8.8.8:53 | cdn.ocmtag.com | udp |
| US | 188.114.97.2:443 | cdn.ocmtag.com | tcp |
| US | 8.8.8.8:53 | 210.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.7.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.ocmhood.com | udp |
| US | 104.26.7.228:443 | t.ocmhood.com | tcp |
| US | 104.26.7.228:443 | t.ocmhood.com | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.88.219.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.109.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.194.113.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kms.chinancce.com | udp |
| US | 107.175.77.7:1688 | kms.chinancce.com | tcp |
| US | 107.175.77.7:1688 | kms.chinancce.com | tcp |
| US | 8.8.8.8:53 | 7.77.175.107.in-addr.arpa | udp |
| US | 107.175.77.7:1688 | kms.chinancce.com | tcp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| GB | 92.123.128.167:443 | www.bing.com | tcp |
| GB | 23.214.133.66:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 167.128.123.92.in-addr.arpa | udp |
| GB | 92.123.128.183:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.128.123.92.in-addr.arpa | udp |
| GB | 92.123.128.165:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.raythnetwork.co.uk | udp |
| DE | 217.160.0.107:80 | www.raythnetwork.co.uk | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 107.0.160.217.in-addr.arpa | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 6.121.82.140.in-addr.arpa | udp |
| DE | 217.160.0.107:80 | www.raythnetwork.co.uk | tcp |
| US | 8.8.8.8:53 | fe3.delivery.mp.microsoft.com | udp |
| IE | 20.166.126.56:443 | fe3.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
Files
memory/2280-112-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-113-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-114-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-118-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-119-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-120-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-121-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-122-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-123-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
memory/2280-124-0x000002C06DAB0000-0x000002C06DAB1000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal
| MD5 | 3d71fecb16802db72511d30457ecd26d |
| SHA1 | 9c9d59f7c44f7e7f431ae626eb7b5de772e7e6dc |
| SHA256 | aaec13a513d5712938c395bc13a6ef8a4290de6bd3bd6b58f0a13e20ddca60ef |
| SHA512 | 4d1696878bc5675ea74cf345805cb591fbf75cb384fafc1d51bccecafb0c3daac38592376c6569ec1a9f985776d57d2a2a1e44efbbecdf2d932ced1f2f7ace2c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7ee1c6757da82ca0a9ae699227f619bc |
| SHA1 | 72dcf8262c6400dcbb5228afcb36795ae1b8001f |
| SHA256 | 62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31 |
| SHA512 | dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f |
\??\pipe\LOCAL\crashpad_4996_MISOHUHNHKRMNXBH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bd8f6ab0422b576f22da67a44184e90a |
| SHA1 | 508e78c99645d892937c00d0eac4947f74667b82 |
| SHA256 | 11f3af8031009c034f7597f69a02c9a721255b00aa5cdbd8006c440990c1b837 |
| SHA512 | 2dda72c38a78bd50cf163a05cfb1c95df408898e8bc988772eb3fc02c955522bfed55549298634e93a6c46b13be41a66e943a970988f020c101c337f79104e8c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b234b064a49dd223eecdd07df3c313e2 |
| SHA1 | 420694e5b081cbaf4f12b7875f779dddd03f890a |
| SHA256 | 36786b3d07729558f33ab047a81613720bb33e6c46ec1af45f0fae486610e788 |
| SHA512 | 836b5aef1d278cdf3af56ffe0325238735637f3bc149e18f698cfeb2e94909b3633c25a95301ec7cfaf6f404fba6b402faa816cc8ebc6aba7c3a8c9396204c17 |
memory/3772-199-0x00007FF60DF60000-0x00007FF60E058000-memory.dmp
memory/3772-200-0x00007FFBAD400000-0x00007FFBAD434000-memory.dmp
memory/3772-201-0x00007FFBAB750000-0x00007FFBABA04000-memory.dmp
memory/3772-202-0x00007FFBAA210000-0x00007FFBAB2BB000-memory.dmp
memory/3772-203-0x00007FFBA9600000-0x00007FFBA9712000-memory.dmp
C:\Users\Admin\Desktop\StartSplit.midi
| MD5 | 0f399251ec73a1fe03e356b8b1049762 |
| SHA1 | 00a3a34a5bda47719fe6952587b4f33d6cdfa75c |
| SHA256 | 0c2221d39a5678301b46e019420b51c863c1a65e67de010b1b71a5af712ff458 |
| SHA512 | a052b8cd304ffd3b47024620b57d8afa0d084de1fe37416e9eaac176d6f4371f6253994e00cb36e338ec7764c835eb35f20c9be743511bfdf9d04a06c5554126 |
C:\Users\Admin\Desktop\AssertDeny.wps
| MD5 | d3be596263970529eb516cb8669a6358 |
| SHA1 | cd77f205512a6136c44e0bf068aacb4c6e3c0ee3 |
| SHA256 | a1565d8c0f0f12005ce65fa889cd9c2d81f38f90bac4c241881c2d7008e0d76c |
| SHA512 | f6dab2c034a55fb7ee1e005aa671cff5e800e1f3d920a1cb7b4c83355197107d61835b7b82aff4c6b1f8d0a26b71b6827a10c79a4adc544ffdbb726ce153f6f3 |
C:\Users\Admin\Desktop\ConvertImport.xltx
| MD5 | bda9f068476ea9b1e479e61275a24794 |
| SHA1 | 1e140510841b5baee2918ac5472d38f8e75dfb53 |
| SHA256 | 14fdbc2cc4a03381129effbbf5a9464a0a737bdc6388b520c2ac8de455a7dcbb |
| SHA512 | 06d59fb5b3d5936624530e2a58cc7f6540e27fde35d62a11cbbbefac75bf4709b8f454232d95b309c0f5a0df6c4a63ae04858274de02b35908f98dfefa2c9e1d |
C:\Users\Admin\Desktop\LockExpand.ods
| MD5 | 42eccc0426e90f44b14db909d0a926fe |
| SHA1 | a41d8d0a345c3bb9a7c480144309f4e21340ae35 |
| SHA256 | 4cf938210a9b40b903cdea604c80f0fc819a17856549e4879cb44d4cf288a544 |
| SHA512 | b13a0dc9313fccfffa55a3a4d1df539938636f2251348dbb454fb7d1c669dd6a3edd69d8c0cabe5e7eeb25d1301c9ae0836f6ce704388a798277ab5e2061df6a |
C:\Users\Admin\Desktop\PushAdd.pub
| MD5 | 72571450f83ea77b37bcb31bd9d03800 |
| SHA1 | 16e9487841a95db571c8cdc2a8525c5e9828320a |
| SHA256 | 30954c327ac99060e054867b9072aba66c6803fa98afde31aee4cb43315748a8 |
| SHA512 | 79949f05247462aa5b309fcd99da27a8c445f012529b42af5c2440bb33398198bc6b7d5e754412a0669f63897d2a5c42c28c06a49579f8380c953832553e44db |
C:\Users\Admin\Desktop\SetResume.aifc
| MD5 | b02205cc8f38419e7c5115d255afc256 |
| SHA1 | cbfd1572c8a9769055c575930c01869c441d3778 |
| SHA256 | 5d90b4fe411ab3bb4661a59195017959c0462424cb7f0406efba8236d0116ca5 |
| SHA512 | 71df68059a0908a77f6d4fbf3df675416fd304d5ce7800ee4e37bb0968e77f968b24d94a164300ab53a2dbedfabce34d3cd92a5725c4f1996e3de2c63ccbca51 |
C:\Users\Admin\Desktop\ConnectTest.jpg
| MD5 | d4037741f76d5de3059d43369b49a4f6 |
| SHA1 | 60f8e9a48301eacf802fbe13163f71f49a3c60e4 |
| SHA256 | f48e5eb40e3f02939f2ba505b5b178ace6acd479ed527fdfa89d79a5d0c52d7b |
| SHA512 | 5e4cf1998cfd2498a75f5032977a4f356847989933deefad8ade379d3955aba79ac41a27bd3dd75aeb975d9db5a4acdf94af197062c39cbb31490d6e78cdcbce |
C:\Users\Admin\Desktop\HideStep.xhtml
| MD5 | 414f40a0e3f33ca21d7d4911d99f210d |
| SHA1 | a0415f4cb2718e6cc0151e6b3b7649d38eb05b82 |
| SHA256 | a13a2052a200497e28b9704266fdf334662395b37985abe21064439eb7ecf3d2 |
| SHA512 | d44550c40476576467bbd58f2b8a2e7db0d4d250c4abbb85cfb087f4331e8d7684d8d053e2d1b39fa9665058f78477070ba87070e4c823d7b82efdd9b736493e |
C:\Users\Admin\Desktop\OptimizeProtect.3gp2
| MD5 | 70ccbddb73b8d9e42ed3eb9e5f3fb4d9 |
| SHA1 | 0cf4caff3ce1ab0b7a90545125e2c0bc6a76dcd4 |
| SHA256 | bdfa113b20087a86cefd464e97cf8da94679be73ea2347d3f029492575b4a1ce |
| SHA512 | 19a8bdf8db56fb30e39eae9d8ce1eed4397ce560b020386a6bd2e1e48047a1340afcc76f0954aeb01211644ee3ce890a2b737d4a1471c0a8b957d00055c43501 |
C:\Users\Admin\Desktop\GetRevoke.wma
| MD5 | 4aeaa64a935bddad75241865783034fb |
| SHA1 | 941c489babae9e793f2b4ecf6685c33f2d460217 |
| SHA256 | 825c5d767804aefbb5c7639ae5b906fa5002e8832a60d95139b99051058afc77 |
| SHA512 | afc24de2a716525f8eb20f44a4ff7134c81aad9007ead06b4fe771c045aa39b35a8c306732b193614b4076d4244c041c638c21aa1747ffc25161c1f78c8725df |
C:\Users\Admin\Desktop\OptimizeDisable.pps
| MD5 | c0bb2e14529e3fac98076f49a3519a71 |
| SHA1 | a5981d689ba27f1b2dc7f812a11ca51729d67683 |
| SHA256 | 53d15705f3235f734ada75bef7ebbcd3c64dccd16973f90ed82fba3d96013edf |
| SHA512 | 43d75635bf0d2a065e9a3e8daddf4aaeb2ce7ee27b4b218a2efcc968d0d426ebaef7c2f5dc8bdec45698fa8a726d0e0005388307a47a3db0d5dc35df7b66dd07 |
C:\Users\Admin\Desktop\CompleteReceive.vsx
| MD5 | eb6e0e3ac1800af0936803ebd6876523 |
| SHA1 | 48a9f98dd28450f61c6fbe2652f898ccfb906d9a |
| SHA256 | 86bd63ff11705097a280face0de372cac0a8da8ba6d13d57ba08b08dbf2c4adc |
| SHA512 | f3dcb2ee4ffcf7baa1cf014590b173c82b50a07170ff545f55b5cab7c1e2503c3ade4f57547d7e5464c1082a4e8857a8e79f2093f2244155eb082dd56b5a7250 |
C:\Users\Admin\Desktop\RestartSwitch.hta
| MD5 | 6ea486f8167636fd629afa885aeeb96b |
| SHA1 | 5d1a8cfb3a41c156e0a096b65fa0511117fa874e |
| SHA256 | 1ec7f2ad42ad6f50bafda5b23309e9de8e03287c009d1e7177720fa8e63e5ef5 |
| SHA512 | d1d6fe62619df7ad20b963a7baa6e96768c271b0b5b72f95176e2ff2ddff14efb4b535d8890fac33b3c374e70bb9e3d73dbe358cf2472a27b64a18544197ed87 |
C:\Users\Admin\Desktop\NewRegister.mhtml
| MD5 | c852c77f8735437f42503e73faa41da2 |
| SHA1 | 70b4ce02a0d9b9fe03e41114670c466ce61a187c |
| SHA256 | d565bf8feb757b73b88b628214603627c22a63c9ddc022b18a9af16432001b73 |
| SHA512 | e8b65ba7d372fe2abbf895c98e679590511e3849b35721f84657e060b396a4e40e00ccaf5ffdf9b834ef7ac00a89ef078205332e49ed0fcebc88f0aa755a83cd |
C:\Users\Admin\Desktop\NewWatch.rm
| MD5 | 00753ffa82ebeaf08854b10b27de2a09 |
| SHA1 | 4c083c933ef109c26caae3f61924a69fe1e9c081 |
| SHA256 | 733458460a71de21eddc6ae33a38fab9121ae5177453d6f21db738fe952bef16 |
| SHA512 | 899645132ac7ae2e8b3346a133fe6185099233f9cf0c7da6251267b2a3fd7f6c8e23a8a9f82ca1077f805f07f3d7c419b247cf1c5b960cb99d567975982cf017 |
C:\Users\Admin\Desktop\RenameWait.jpe
| MD5 | baec6525b3ce86c0028057930ce0ed38 |
| SHA1 | 66ccad6c58694a9627ee11df8f73c7b7eb886377 |
| SHA256 | 5193a5055c73bc08f3d81491b0c6e3564d85d1df5ed8154c691eca426fd4a7e4 |
| SHA512 | 56f2f9b5b40e784c75943b2aebad69b39488337e1fe91427742057acf764262a64c8fe66d53b3510e8408b6dec65b1b6edfc77081564bcdda7904c0546a346ac |
C:\Users\Admin\Desktop\ResizeAssert.xla
| MD5 | 72a8c73b78eeb3bc842b0d80f17bac0e |
| SHA1 | ac25c5b41f1801827af3cc09e1b72fb85bbebe4c |
| SHA256 | 7a53793e46d00611c444acedf331a7c3fac6cd15b31e82331858406868af0a22 |
| SHA512 | 342a10ae5a1438e3cf7c76269d9d197e20a660ee6bfe226a85b4ea7109d32de4c568016c135b4a677f715b5474d2bfc7e8d31f80f3eb81d53f379b32c6351406 |
C:\Users\Admin\Desktop\UnprotectConvert.lock
| MD5 | e8434470e78b562d88629629ca6471b7 |
| SHA1 | 43aebc47a9c518ab4888f1951de376cc8a34bb34 |
| SHA256 | ed27ee88f7ca88b41f56e69344ea3b5ffbd78c3299e09270cd72b13283e92a5e |
| SHA512 | 7cfac26132b097923b662d13fd5d323a8ca51c5284121431f067749afabcca87fae7bc8b3505ec283dacf843fcc5b853fd962567e52ee80c10c4684b97e7aedf |
C:\Users\Admin\Desktop\CheckpointMeasure.sys
| MD5 | 7438c440e34289e1c4f9e54d523fc03d |
| SHA1 | 8335e18e15d5b5706a2bee1181e2fbae68fedb87 |
| SHA256 | 397d8cf15dd604b6defd7e2413522bf83cc8ea561455ce6ea468324ebee29006 |
| SHA512 | e9008bd79d4e3c8fe7d1d87b5d1a5c2c264a0a454bd1d82e6eb300750cdf1405c52578aedda240559cee8e5b60058ff8145be8f327f52f5d1b99236ea134c406 |
C:\Users\Admin\Desktop\CompareMerge.htm
| MD5 | d153fe1f5b5786e7e38cba604940264c |
| SHA1 | c7b84f1b8bf5780fb06233e2c7956f986e788368 |
| SHA256 | f936b69e0836af72c7598ec4d0d3095cdd37de58ad2ca0b6a9ba7ea4e712f4df |
| SHA512 | d838b080a73efb84cddd1439f6a9e29b444acc100975d24904c30f5d98d5125e4e2707f314c920b14a9ca42453c354d5bb576a97100efafc40bc9a7335c972f3 |
C:\Users\Admin\Desktop\ExpandUninstall.mpe
| MD5 | d3adcc818084b716a99c8c0b88d46e79 |
| SHA1 | 42e45f48371df8bd87efbd018298d5629759b6d2 |
| SHA256 | 05313ea5a53c630d9c96c8c8e54f9cc2139384ef82960b589dd5f089c33effcd |
| SHA512 | 3bad148f45ad9fe8e314afb8e4b2e77427d4869b243b35d8500aae6bb783e7ae1a31f820d4310bd25dbec436d9ba9e4821d95902853c9e1a39ac2f0ae0c8afa0 |
C:\Users\Admin\Desktop\FindMove.mp4
| MD5 | 36c2e9906e2fa7a9dc209c1cc68571c5 |
| SHA1 | 48a8e3e4900207e44960cc67695feda11dcf295e |
| SHA256 | 45065757798925477bdb17a9bbfd59b13f6d8de2c8a0d199538fa7280966c6a6 |
| SHA512 | b83d928ee73ef3e9e91c36d161bf4eee9ad377a1a1bf2efd70e618cadccbe15f8f77de5413afa184dc3be8ef4ed8806db46debe07050ecf4ab78bddef3bbeb26 |
C:\Users\Admin\Desktop\RegisterTrace.tif
| MD5 | 72de62f32ff8e59fda5052462de109c5 |
| SHA1 | 5e8f7d4860288f04deaca7d6f2d732a3151dc01a |
| SHA256 | 0d004b53868e7315dcd8eea9b50d1649c6341515af415da48e5bd58f79408631 |
| SHA512 | f85cc4929562d6dd9739e7f70785e3a7c8787fcfaddc2b32609a5e9edffc7052dca805dea4e1bcb9f16157a47d70d08917b22c39cc055edb754b50aa00a7f41e |
C:\Users\Admin\Desktop\Microsoft Edge (2).lnk
| MD5 | 34d0a8b51ca0882df7b32c69a4ff48d8 |
| SHA1 | 311b321e0e755d053f9dedc1dca3b13eae1f7729 |
| SHA256 | 51e76209e2782183a9f3d28a272767655019a5e2e46005cc2f8f9969d198a082 |
| SHA512 | 609cb9c2ab1a3fb824077883d237205467ac5dbdd71480003d76be0adcf84fb80f9b1bc615c3d8b673465386df0a168fdda6c9f4f95274712929c5951386c488 |
C:\Users\Admin\Desktop\RegisterTrace.tif - Shortcut.lnk
| MD5 | 560a52da7492f76a7fdba13e17904fa0 |
| SHA1 | 9ffa47763e4e751ccf61cd7bdc0b6528c98f01cc |
| SHA256 | 6bb98b14ad021e91153b2e92d73b213a6aa66e8955116b72eb5c394281452def |
| SHA512 | c3e6676c96fde1f7e15c085f6d94bebcb55f515cada15ab54f0f01d103ac69c32b7c2c92426014c024e0f7c271d8e145dfacc999cafd1df15748fdef5361ef6b |
C:\Users\Admin\Desktop\TestUnlock.nfo - Shortcut.lnk
| MD5 | da6101ae0480a7e062ef80ec532ad532 |
| SHA1 | e22e103a490c626105a38e8f799a9880fe5accdc |
| SHA256 | 2c93794f0a73edc252ea351eeaa42ffe2094522dc275d8acc5a6df0d4b86c6b2 |
| SHA512 | f21b39d55c66af0dc5771d1e646ad5cc9bbb48ce8e22e60be1b95264c2d21873e4de7b63857cc261bd6cb331e0b1afe266b35de06f3e78499015abd5ea8b4de3 |
C:\Users\Admin\Desktop\BlockResolve.ini - Shortcut.lnk
| MD5 | 0459cce84092e8fcad8fad21649cc171 |
| SHA1 | 3ade443a3c1a08e9c347569e814a07faab6bf832 |
| SHA256 | 8379e49b936b26b363d202bb37c63ec9c1487d092323dc566710c8bb585cb793 |
| SHA512 | a01174eca7137911998a8868afd033d6dbbc00b9f4a38dbeaa84759416ccce64d8c4528b733ee7ece7b2da1a556b5515dd970a25ffa05f975839714808acc8de |
C:\Users\Admin\Desktop\CopyShow.svg - Shortcut.lnk
| MD5 | 0f5a09a40b7ea2b8fba680f5cfd994ce |
| SHA1 | befd35fcf3b9519749b79f29af51e635f98bbdac |
| SHA256 | 39cfe04538ad0ef3cc4da8c917e37f6edff78725caf9d9a983a44abc04da9239 |
| SHA512 | 039ec8d99b4643b9d9ab583ef086eda2f882fe96d4546c19f141f98563c0c0051d51fd42fb34718a6cca5e5925c25074ac71c5f729594c99e117a1eff5468c96 |
C:\Users\Admin\Desktop\TestUnlock.nfo
| MD5 | 80d4862cf0306532fdce2c03684dd4f3 |
| SHA1 | 88a2fadf11ac7211c3f1d3e767cd0dea55d91104 |
| SHA256 | 337e29eba4ee5f92d7a508b303fc7f835df4df8a885d97daf9763662941153c2 |
| SHA512 | 17d51205968edda0c5c8f29c555ee128feba7e7ef73cdf1db4bfd11c4ede22b9ab779748b55bebd964fcced3442813fd6850831420ae4aff53a9e05db9f4e1f3 |
C:\Users\Admin\Desktop\BlockResolve.ini
| MD5 | 4017f1ffbb2cf73e62ab07609f51a37a |
| SHA1 | 07683a47e7cf0f1f6bc91d7ddfb16ccae470ba67 |
| SHA256 | 46a85f9bfb2f8b9ec6deb05728a08369e1160b9e4d3ca4305c0ba1df2eec0968 |
| SHA512 | ede09a728631dee6e7ca61514c12eb7f9430e29a54df96829c7bf741658a6d5c63c4a2273db1b7aecbfa537f0d14658199a531240b71f98be5005305bd7de911 |
C:\Users\Admin\Desktop\CopyShow.svg
| MD5 | 5680ddd973fa9f4bd0720a15ef4edd51 |
| SHA1 | ea6de5aaaac7c28212b4f2341d0d09c25db42b6f |
| SHA256 | fb4201e6c04285c0755fd66ae14fc3089f3d6b5b6d1c33f383d76c1ad5eb6547 |
| SHA512 | 1397a2185042d74f7ef3a895960eb364c4c1e2401fef2b8e713d6672104d229fe2771b96294d1dd6fbc9e50d99205968019d2465e4bd2c8a8ad4fd37b8555ab8 |
C:\Users\Admin\Desktop\VLC media player.lnk
| MD5 | 953aef80fcf55082e1c6df695e1f7dfb |
| SHA1 | 78ed36082c09dbddf19737b60abf335783695163 |
| SHA256 | f84743df7ea23293907ba7e6cdee1208a7683c04c9500b85e9e7d6b135a8356a |
| SHA512 | 5f8c8d3eb8d0bc5ff90fb6123e3ec34e9661ea0b3bb0bc75036f5d6992f4127e2ad1070fbe4f30a73b447053116695b7f4be1267c2424f167140cf1a107d0371 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d62cefeb0c8fbab806b3b96c7b215c16 |
| SHA1 | dc36684019f7ac8a632f5401cc3bedd482526ed7 |
| SHA256 | 752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01 |
| SHA512 | 9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | afaa794de37b385f4952b60d3355edbd |
| SHA1 | e9065e522bbf99a31ba24956b8d87c8186daf1f4 |
| SHA256 | d3f88bd8469ab6685e57e6de5438c94d4d76102380ab6580d76818add5f36181 |
| SHA512 | f6bcc4d8d70bbe2a53c09bd96dcba74ee1ba7e4bf2067f4015de2cb50f52660d73fa3dd51c164d34dfe54b0429ae15779ebd83a04874292f749ce4037af8491c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | cb397e2ce48f347ba7a0a5c81d1743aa |
| SHA1 | 9574f8e71e9d726cfee908d7ce8988ed2cd157f2 |
| SHA256 | af9c6cfde70f3992f128583d024d15c5084e5727e60c7fd9d5d113a47ab8bad7 |
| SHA512 | 4991c3defacea247a278a823809071d3573c573846e1a37064edc7e32654a26d6c1cc4811183c7d6eae165b665b63ed09333ade4280d5974feaed51117c7503e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | adb762ec4e89e016691f91aac122333d |
| SHA1 | ef2184c9e7bff75b3c52a0fc9b85bb01659c3ab5 |
| SHA256 | 4e760bcc8bb798ce57a67e0cf541679cd623424d94c8488ce7fb487ca4e70b7f |
| SHA512 | 5a39857e2f77626a8f71a875dd9d9f7248343ed15d3020007fe5c3a781905560a2f0325ab19c2a96d3085b72b5f79061ac454c91fe1362e79bbb404cd3dd0186 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2004249c3696d26d03138a0e4475ee4a |
| SHA1 | aa7edacc18ed5abc12318d9e3f03dfb1ed1a96c1 |
| SHA256 | 44308f2e0ddf1336826b136581dc83dcf4bae4081be9833fb9317787e0424573 |
| SHA512 | e691bdbaea8504a6b306d68425998fa67bedfbc6e1a7a1ee18cf670da1251e9a577d82e8a4e3566005579a444488cc288c369e02cf4222e1eb34302983213264 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1f943602155608add5f793d4c52ed605 |
| SHA1 | c3682ac65a70d0cb86f7428385cf5bbfe1fd81d0 |
| SHA256 | 73d0483cc3da87cdbe097d20c860e984b3b3c58609fbf90c4852c1dead1e90a2 |
| SHA512 | f946b51892715fd1f4be858e82ecf4247036c0e9732f86e8a3c1f12f1c0f3b5ca175503119f6d50f8e0c37194ad520d77de304174302b405898c4db341effc07 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
| MD5 | 019c27a2c7a17b9a1f7faa3d6c2a3da4 |
| SHA1 | 427c085de411421398f7210ec72d2f93afd75d06 |
| SHA256 | 3444465298b8eb96b6e675f81c1363a326643f085cdaca8164a611876381e517 |
| SHA512 | 800ddedaaacf89f5e697f0e46780a15a1a5319616e40a9a2a04c09dd5798cadb2b44ae863feb7caaeab42f5bd8e1eec92fcded5ad039be2a5126f53e5d78d9e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 48efa2e632d384b146cbe0c8903ec96a |
| SHA1 | d9fdaa8495728161fce479f1a75215e104d15520 |
| SHA256 | 94a7411fdaf87ee46cce91b0c1cf72286449751de5ba403cdd2c633f3745610f |
| SHA512 | a7a70d8016edba820cb2c37c41affea7982200f7573ebc479d78f39fe8a4bc3945a2f4e68cf4e2204cd1657b9fdf272e72538d41ec065c0b970162503c117694 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9943c64f-8281-447a-8b6f-25106f70fbd6.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 7b8e4c058d1c127685135f4e49e6d307 |
| SHA1 | 6e8b30b6c576441064b6550d6ec0174715346289 |
| SHA256 | 35809c393aeb5b0f5e007105d91ebc8ac365f5ee561c58913c29a53b1b8c0f79 |
| SHA512 | 6efe2ad576366cd9d16847df777ef828c6d3cafe5625786aaba8e17cd06fb73af3311138e7aa4f6a13175da040a2dac50795beba7d7dcdc89044544ccf2ff7a5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 329e8c57b564b3df8c506b494b012692 |
| SHA1 | 6181964c922c0339177f24f04d23bb7b97d56683 |
| SHA256 | a42327774c4fa3be84e911f1543921d9abf0c12d5d6a8911cb97737a1cdfb558 |
| SHA512 | 1a634768d7164e6f0807431540b0173b19f5d31fd90c27a3ce22f8b38d54e50587cb845f82e98fd6fd63d01b93b0f138bd602ca18d5314c66326aa02c76de793 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 1f8719d55d1c75e296fc9d115e5a159e |
| SHA1 | 2fa8afc92470b74338e243ba2bd4c80006a56cb9 |
| SHA256 | d43611cef101684068f1379f8d872854e2d173f342c5a8cb9eb9418bdf060141 |
| SHA512 | d78054d65332ec2fc8b199df4c00418887c1115861bb40ba6fd10cae3bcf7a9f598ff80cf43a070c58e971a23a2e75c9d7f96da04374f125d57bab38ab57b529 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 3e433d562c1c255d8ab05c801b78388f |
| SHA1 | 9ca7bf163a1b33c007d15bb04e3de5941c60e575 |
| SHA256 | fc697c06db97c7b6baaddb5b811f10d444054485085eb0ca6b58d11953176fef |
| SHA512 | d49d0aafa310968bdf5aebcdd1a655d42149a9799c29fbf05c9588185516e3557d87f34e6e4dbffc72fa465a5e2011227ed4b7edd5ff1d1a29008a9f517bf01b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a97facb01e07071a5c4920dd106459c3 |
| SHA1 | 76bbd32adcc66b4b9f7941183449d67d058f43e0 |
| SHA256 | 60cf1fac12b0ee697799852a36ea1c2b1c3ccffb0849257199aba47b8cd7be43 |
| SHA512 | eafa7d95f41da0bb536578b5fb7a8aabd58171a6febfac4ffdb2572431614a97174f5dfc50dc0e68cb42fc8321fe1c41b722497b5d01430bd4c5dce758e952cc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 2037e3864b2501c978691791ae7b07ed |
| SHA1 | 5fa0a131fba038dab2a16808ffee853a0dbcb16d |
| SHA256 | 4ddd956b8df6d5cbfb87d6c6b35e3eb7eb727757229254b9eca9dfff62853803 |
| SHA512 | 76051d5ab3d65b62742ccfb2c672e1008d3115292960e3fb9cc11d73c3f5daf245f74f85edebefd5b198a7f9a388775ec5420308ab91ecfcc221866dcdad2469 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 22851f0b22dc403f5c5087a664f14de5 |
| SHA1 | ea300ebeae4461fc1dc2609048e80f631e87a9c1 |
| SHA256 | d30751ade271f86478024681a4e00294241c902390003ca6b26a8d9760daf2f2 |
| SHA512 | e4bf9149367f682b4c5e6cf9a692df1abf899e97f64a1ae62c6c087712cb8b11d73f5b5f65b179efa729559ebbcf920e5b954d605918ce50dab000ab441bbc7f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8fa8d1a939b772a748462d3f90f478f9 |
| SHA1 | 54dfa707c66d37a7438b5ae619a94340a7a789d5 |
| SHA256 | 843a451ef2eae41837210b3c784b6161a21ab919e6c899a62e8b77e10cf782d1 |
| SHA512 | e062baad79311e88af85d90014e584fcf95ecba25a87e26cf9038471b8cfa02b80709cf9db67cee7fa4aaf212ed6381e3b8fae6175dd0b8ed49bee527cba45b2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | fd8604e4a15f2117c9e87c82b00d4229 |
| SHA1 | b8e26f9849b01aed0ac9fb22355f974526104e0f |
| SHA256 | 2efc7b8bb33d678c8fa0d8909ef9efaa4d8bf9bfc6af362e5d21377b8724335a |
| SHA512 | 596c08caaff6c45b16d13855ac3921237ed5ba68c89701d294fb468c7b6d9c4e0d09857341d7f446a06341bec2bc2a257991ccc35a41975e429cb8c83120b545 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe617270.TMP
| MD5 | b23b452b24a46186bfadf7e4f93efbd2 |
| SHA1 | c7d24729e55a4d99e6296947c899a2b08d3b76cf |
| SHA256 | e312a2ad2b96426814e9be46302b89312dcd39edf84ab463b05cf7e2ec832285 |
| SHA512 | 1aaed3618db1eb4474916e2668cd5b0c49096dc9c279cdc033be85f86661fd61c02655533c507fed2db4231504f8d09c748389e15c1e3a1d6c3ffc307c4fa6e7 |
memory/1716-500-0x0000028CE1B40000-0x0000028CE1B50000-memory.dmp
memory/1716-516-0x0000028CE1C40000-0x0000028CE1C50000-memory.dmp
memory/1716-532-0x0000028CEA220000-0x0000028CEA221000-memory.dmp
memory/1716-533-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-534-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-535-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-536-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-537-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-538-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-539-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-540-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-541-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-542-0x0000028CEA240000-0x0000028CEA241000-memory.dmp
memory/1716-543-0x0000028CE9E70000-0x0000028CE9E71000-memory.dmp
memory/1716-544-0x0000028CE9E60000-0x0000028CE9E61000-memory.dmp
memory/1716-546-0x0000028CE9E70000-0x0000028CE9E71000-memory.dmp
memory/1716-549-0x0000028CE9E60000-0x0000028CE9E61000-memory.dmp
memory/1716-552-0x0000028CE9DA0000-0x0000028CE9DA1000-memory.dmp
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| MD5 | b218015593f18d900f49a2fbc08a53cc |
| SHA1 | 312eea1169f88d6d1bbd060b8a78d1bf6916ce9b |
| SHA256 | d2c9325e72757430bb43d30b12d4cfd966f9c27e5723319c93a490757c21794f |
| SHA512 | fc06d50ceb11cd45ae1c7d864338a332ee6d1bb3d7b79c6c19c2f21d2014ea68fc81eb783839e89eccfd8e9e791e83547c5329d683ff189f6cadc83848feeba8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | feacce8b850cae84dd8d2b61a0dbe4cf |
| SHA1 | 4329967cad58803031a499f09088eed53bc72d1e |
| SHA256 | 46325040fd48013625232c888400af8e09689c3fc3cbffa7f47b1884c7c85595 |
| SHA512 | 33c1aff7467778f80e384eba545f83cd369efcc7b0b10bc5d1ba6d4f9c63f4e9eea1177afec6d3d2a3bc0a4c31ad5c469d134a66183b35bd0902bc7b49dcacbc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | de4a305c28904e09b9f96b4783242ed2 |
| SHA1 | 3e3152e234442a918b98f4efb587251135a496fd |
| SHA256 | 6e190b955c4cedc04dca8e35fc3caae5145c615c0ddb71297a0b8cc7c13be594 |
| SHA512 | a7cb4c70ad9b9ecff78cb74b7744c26e6e82f8fe871f0a247b3b593fc3ebe451222805a6d286f6e959bff64e0b92eff799142f79b6a07aa4999697813ec4ec89 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a0329aebbe5003307a8c787753abb399 |
| SHA1 | d1e53b6918f058870d57e64f2a01a4bc617e6709 |
| SHA256 | 5ff10055320d865948aab89601c4a7d6cb7c8dc424f5cf33b69491133be54ae3 |
| SHA512 | 37e709a2c287a0d5e587f9aa56ca587be140abf216d3efab4c1b6a9da94e97cde1402c955c86f4caa56706f225e1a3fb03e45f32c7fa3dc5d17df70d96231074 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 53c8d8f7423a4c32911ef4c7ffd36c22 |
| SHA1 | 19f5d3896d83e634d22dc90af03c0ff6df78fe17 |
| SHA256 | c605e473c0d25f25e2411f146ef99153515c34e73c612b3cf91e1fc9538bd83c |
| SHA512 | 01e949298a327ab29db1e1bb4014de42b7781a9716cbb5a2e14f483624245cec9ffa6464e08b1b89ed7676b4ba6d7b0af720e05214f86865898874f8d0a87537 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 0c22b990295e66164ef2aed7131cf458 |
| SHA1 | 66e4036b1e6bedbedcc79a695c89d665ca99f3b7 |
| SHA256 | c8fd40e3a6c44765887e213d1da2a62df0a290122529da75a5710db2d90263f8 |
| SHA512 | 4d32e102ec062356247f8fa412cf76e788278b3cc1fc3faa1fd858451d76f5c683efeb2fd8501506334cbb3ebdae19e0b79be469d985228878febd028771cb05 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
| MD5 | e516a60bc980095e8d156b1a99ab5eee |
| SHA1 | 238e243ffc12d4e012fd020c9822703109b987f6 |
| SHA256 | 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7 |
| SHA512 | 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ARC7ZUJB\update100[1].xml
| MD5 | 53244e542ddf6d280a2b03e28f0646b7 |
| SHA1 | d9925f810a95880c92974549deead18d56f19c37 |
| SHA256 | 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d |
| SHA512 | 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | fb4aa59c92c9b3263eb07e07b91568b5 |
| SHA1 | 6071a3e3c4338b90d892a8416b6a92fbfe25bb67 |
| SHA256 | e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9 |
| SHA512 | 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
| MD5 | 699dbae2ae558db67cf398e2cb442655 |
| SHA1 | 27a8fb5e33ec8ca527d201f07ab6d3501e1038db |
| SHA256 | 4d9822ec35b177fbd64abb943506bc81c319f03a8a8903fa1cc7468d695a0885 |
| SHA512 | 982c43063ccd3598b5bb5bb9d113a123b4912810d4f56f226e0ae066d1caac1f1d329483133048720b364363de054329b21d62366e541a73206605e42671ee8f |
C:\Users\Admin\AppData\Local\Temp\tmp649B.tmp
| MD5 | f567e7c00d81a6db9c1259150f5cb8ca |
| SHA1 | e51f9613b46d971e95eba4aa25d5933b3c860952 |
| SHA256 | f07d6928606f40d2c56c13db2316bbcbdad5e77fa0fc0a1bc1eb6d135877a04b |
| SHA512 | 728bc4e9ea78d88bfd57de32e611089dd48166cb6946c11994138d48d274d34df02c49f0d755305f15682d7616c58bdd635d0ac842f04887d620698b157445ed |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | cc04d6015cd4395c9b980b280254156e |
| SHA1 | 87b176f1330dc08d4ffabe3f7e77da4121c8e749 |
| SHA256 | 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e |
| SHA512 | d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
| MD5 | c2938eb5ff932c2540a1514cc82c197c |
| SHA1 | 2d7da1c3bfa4755ba0efec5317260d239cbb51c3 |
| SHA256 | 5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665 |
| SHA512 | 5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
| MD5 | 72747c27b2f2a08700ece584c576af89 |
| SHA1 | 5301ca4813cd5ff2f8457635bc3c8944c1fb9f33 |
| SHA256 | 6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b |
| SHA512 | 3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
| MD5 | 771bc7583fe704745a763cd3f46d75d2 |
| SHA1 | e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752 |
| SHA256 | 36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d |
| SHA512 | 959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
| MD5 | 09773d7bb374aeec469367708fcfe442 |
| SHA1 | 2bfb6905321c0c1fd35e1b1161d2a7663e5203d6 |
| SHA256 | 67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2 |
| SHA512 | f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
| MD5 | b83ac69831fd735d5f3811cc214c7c43 |
| SHA1 | 5b549067fdd64dcb425b88fabe1b1ca46a9a8124 |
| SHA256 | cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185 |
| SHA512 | 4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
| MD5 | e01cdbbd97eebc41c63a280f65db28e9 |
| SHA1 | 1c2657880dd1ea10caf86bd08312cd832a967be1 |
| SHA256 | 5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f |
| SHA512 | ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
| MD5 | 19876b66df75a2c358c37be528f76991 |
| SHA1 | 181cab3db89f416f343bae9699bf868920240c8b |
| SHA256 | a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425 |
| SHA512 | 78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
| MD5 | 8347d6f79f819fcf91e0c9d3791d6861 |
| SHA1 | 5591cf408f0adaa3b86a5a30b0112863ec3d6d28 |
| SHA256 | e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750 |
| SHA512 | 9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
| MD5 | f1c75409c9a1b823e846cc746903e12c |
| SHA1 | f0e1f0cf35369544d88d8a2785570f55f6024779 |
| SHA256 | fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6 |
| SHA512 | ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
| MD5 | de5ba8348a73164c66750f70f4b59663 |
| SHA1 | 1d7a04b74bd36ecac2f5dae6921465fc27812fec |
| SHA256 | a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73 |
| SHA512 | 85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
| MD5 | 57a6876000151c4303f99e9a05ab4265 |
| SHA1 | 1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794 |
| SHA256 | 8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4 |
| SHA512 | c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
| MD5 | adbbeb01272c8d8b14977481108400d6 |
| SHA1 | 1cc6868eec36764b249de193f0ce44787ba9dd45 |
| SHA256 | 9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85 |
| SHA512 | c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
| MD5 | d03b7edafe4cb7889418f28af439c9c1 |
| SHA1 | 16822a2ab6a15dda520f28472f6eeddb27f81178 |
| SHA256 | a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665 |
| SHA512 | 59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
| MD5 | a23c55ae34e1b8d81aa34514ea792540 |
| SHA1 | 3b539dfb299d00b93525144fd2afd7dd9ba4ccbf |
| SHA256 | 3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd |
| SHA512 | 1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
| MD5 | 13e6baac125114e87f50c21017b9e010 |
| SHA1 | 561c84f767537d71c901a23a061213cf03b27a58 |
| SHA256 | 3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e |
| SHA512 | 673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
| MD5 | e593676ee86a6183082112df974a4706 |
| SHA1 | c4e91440312dea1f89777c2856cb11e45d95fe55 |
| SHA256 | deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb |
| SHA512 | 11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
| MD5 | 2c7a9e323a69409f4b13b1c3244074c4 |
| SHA1 | 3c77c1b013691fa3bdff5677c3a31b355d3e2205 |
| SHA256 | 8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2 |
| SHA512 | 087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
| MD5 | f4e9f958ed6436aef6d16ee6868fa657 |
| SHA1 | b14bc7aaca388f29570825010ebc17ca577b292f |
| SHA256 | 292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b |
| SHA512 | cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
| MD5 | 552b0304f2e25a1283709ad56c4b1a85 |
| SHA1 | 92a9d0d795852ec45beae1d08f8327d02de8994e |
| SHA256 | 262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535 |
| SHA512 | 9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
| MD5 | 22e17842b11cd1cb17b24aa743a74e67 |
| SHA1 | f230cb9e5a6cb027e6561fabf11a909aa3ba0207 |
| SHA256 | 9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42 |
| SHA512 | 8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
| MD5 | 3c29933ab3beda6803c4b704fba48c53 |
| SHA1 | 056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c |
| SHA256 | 3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633 |
| SHA512 | 09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
| MD5 | 1f156044d43913efd88cad6aa6474d73 |
| SHA1 | 1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26 |
| SHA256 | 4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816 |
| SHA512 | df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
| MD5 | ed306d8b1c42995188866a80d6b761de |
| SHA1 | eadc119bec9fad65019909e8229584cd6b7e0a2b |
| SHA256 | 7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301 |
| SHA512 | 972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
| MD5 | 09f3f8485e79f57f0a34abd5a67898ca |
| SHA1 | e68ae5685d5442c1b7acc567dc0b1939cad5f41a |
| SHA256 | 69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3 |
| SHA512 | 0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
| MD5 | d9d00ecb4bb933cdbb0cd1b5d511dcf5 |
| SHA1 | 4e41b1eda56c4ebe5534eb49e826289ebff99dd9 |
| SHA256 | 85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89 |
| SHA512 | 8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
| MD5 | 096d0e769212718b8de5237b3427aacc |
| SHA1 | 4b912a0f2192f44824057832d9bb08c1a2c76e72 |
| SHA256 | 9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef |
| SHA512 | 99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri
| MD5 | 7473be9c7899f2a2da99d09c596b2d6d |
| SHA1 | 0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac |
| SHA256 | e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3 |
| SHA512 | a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
| MD5 | 5ae2d05d894d1a55d9a1e4f593c68969 |
| SHA1 | a983584f58d68552e639601538af960a34fa1da7 |
| SHA256 | d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c |
| SHA512 | 152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe
| MD5 | 9cdabfbf75fd35e615c9f85fedafce8a |
| SHA1 | 57b7fc9bf59cf09a9c19ad0ce0a159746554d682 |
| SHA256 | 969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673 |
| SHA512 | 348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
| MD5 | 57bd9bd545af2b0f2ce14a33ca57ece9 |
| SHA1 | 15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1 |
| SHA256 | a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf |
| SHA512 | d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39 |
memory/2456-1599-0x0000000003B40000-0x0000000003B50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | b754f0ca6e8b1c31b0e81f932440be20 |
| SHA1 | 32c99389e134434b20d802220cc56a47b6befd75 |
| SHA256 | 5a466c8338681122ac301426b75dd382fb17646211c45278287313b6639a7738 |
| SHA512 | 8c2ff9ac3fbef3cb50f58d9dd289f82b37c58758d6c911791e1223f9fc593589783f0b447f00ed099041a40b2cddda2ee2aff4dcf2e09fb58ec2ac659d6aaeab |
memory/2456-1650-0x0000000003B40000-0x0000000003B50000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
memory/4384-1718-0x000000006BEC0000-0x000000006C670000-memory.dmp
memory/4384-1717-0x0000000000570000-0x0000000000596000-memory.dmp
memory/4384-1719-0x0000000005410000-0x00000000059B4000-memory.dmp
memory/4384-1720-0x0000000004F40000-0x0000000004FD2000-memory.dmp
memory/4384-1721-0x00000000051A0000-0x00000000051B0000-memory.dmp
memory/4384-1722-0x00000000050D0000-0x00000000050DA000-memory.dmp
memory/4384-1723-0x00000000051A0000-0x00000000051B0000-memory.dmp
memory/4384-1725-0x000000006BEC0000-0x000000006C670000-memory.dmp
memory/3904-1726-0x00007FFBAAFA0000-0x00007FFBAB49E000-memory.dmp
C:\Users\Admin\AppData\Local\CarJem_Generations\BedrockLauncher_Url_mj1roedl04f02hckqgobxuxm2215kcic\2023.4.30.195\user.config
| MD5 | e6024554eab63c31826942f1f5e74c10 |
| SHA1 | b5451632d5c4c12571e9a93144de1e83c3d8a55e |
| SHA256 | 396830126f73dfb58e9a4ac3e7543ac4763efb02851bbc68cf00f4b796777494 |
| SHA512 | 335a540aaf637474f946ffd95e79347b85e73f20acba1ef3115a89a823af43c720f903df1dc1a74f5a3e1f2e9e8d6fff4f2c2a2e3eff4f20fa34f3f77a6ea01d |
C:\Users\Admin\AppData\Local\CarJem_Generations\BedrockLauncher_Url_mj1roedl04f02hckqgobxuxm2215kcic\2023.4.30.195\rnjt2kgi.newcfg
| MD5 | 12dc94768232eb197348ebfba7270b87 |
| SHA1 | 00d9a6efd1e2eab4df2e854d447772693a9b6b15 |
| SHA256 | 24f5f3c85b2091ccef597d51aca5e83c84fc49b13f7d6c612c71d37f861c518e |
| SHA512 | 0b8d1ce5b5c19ca513ce961022d676db139faeb8a3de981c6ba698f87c5bdf5923bd5da24215aec3aea51a056716987dcf219ece6675a3bcf262c777c89688a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/3904-1784-0x00007FFBAAFA0000-0x00007FFBAB49E000-memory.dmp
C:\Users\Admin\AppData\Roaming\.minecraft_bedrock\user_profile.json
| MD5 | c8e6e9b9e1a01843374b2b50aaa17d3e |
| SHA1 | cc6a8554d3627703ad5fe33a0cc6649d7ae86270 |
| SHA256 | b85117e678c391b098af93c44668a11eea837811d6b76c8ae6c8c7dc7d2b4592 |
| SHA512 | b5ab936231efde0e92e7f62aa129f0eade36ba25bbf4b7cd517b170636352987eb9de66352992a6db19f029e4255a2792e329703e5255727473f85ab870404e9 |