Analysis Overview
SHA256
2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad
Threat Level: Shows suspicious behavior
The file eicar_com.zip was found to show suspicious behavior.
Malicious Activity Summary
Registers COM server for autorun
Modifies system executable filetype association
EICAR Anti-Malware test file
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 08:15
Signatures
EICAR Anti-Malware test file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 08:15
Reported
2024-06-18 08:18
Platform
win11-20240611-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.111.227.11:443 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-18 08:15
Reported
2024-06-18 08:15
Platform
android-x64-20240611.1-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-18 08:15
Reported
2024-06-18 08:15
Platform
win10v2004-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-18 08:15
Reported
2024-06-18 08:15
Platform
win11-20240508-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-18 08:15
Reported
2024-06-18 08:15
Platform
android-x64-20240611.1-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 08:15
Reported
2024-06-18 08:18
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
140s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\odopen\shell\open\command | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib\ = "{082D3FEC-D0D0-4DF6-A988-053FECE7B884}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\FileSyncClient.FileSyncClient\CLSID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ProgID\ = "BannerNotificationHandler.BannerNotificationHandler.1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ = "IContextMenuHandler" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ = "ISyncItemPathCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ = "IClientPolicySettingsEvents" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\Programmable | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\ = "OOBERequestHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CurVer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CurVer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ = "ISyncChangesCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4604 wrote to memory of 1596 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\dashost.exe |
| PID 4604 wrote to memory of 1596 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\dashost.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\dashost.exe
dashost.exe {aa9abe04-4cb2-42c4-981266520916e6e3}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap30738:186:7zEvent1571 -t7z -sae -- "C:\Users\Admin\Admin.7z"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| N/A | 239.255.255.250:3702 | | udp |
| N/A | 239.255.255.250:3702 | | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
Files