Malware Analysis Report

2024-10-16 06:39

Sample ID: 240618-j5jlwavcph
Target: eicar_com.zip
SHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral6
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad

Threat Level: Shows suspicious behavior

The file eicar_com.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Registers COM server for autorun

Modifies system executable filetype association

EICAR Anti-Malware test file

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-18 08:15

Signatures

EICAR Anti-Malware test file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-18 08:15
Reported: 2024-06-18 08:18
Platform: win11-20240611-en
Max time kernel: 147s
Max time network: 151s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip

Network

Country | Destination | Domain | Proto
US | 52.111.227.11:443 | | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-18 08:15
Reported: 2024-06-18 08:15
Platform: android-x64-20240611.1-en
Max time network: 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-18 08:15
Reported: 2024-06-18 08:15
Platform: win10v2004-20240611-en
Max time kernel: 0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-18 08:15
Reported: 2024-06-18 08:15
Platform: win11-20240508-en
Max time kernel: 0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-06-18 08:15
Reported: 2024-06-18 08:15
Platform: android-x64-20240611.1-en
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 08:15
Reported: 2024-06-18 08:18
Platform: win10v2004-20240508-en
Max time kernel: 138s
Max time network: 140s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip

Signatures

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A

Registers COM server for autorun

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\odopen\shell\open\command | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib\ = "{082D3FEC-D0D0-4DF6-A988-053FECE7B884}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\FileSyncClient.FileSyncClient\CLSID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ProgID\ = "BannerNotificationHandler.BannerNotificationHandler.1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ = "IContextMenuHandler" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ = "ISyncItemPathCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ = "IClientPolicySettingsEvents" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\Programmable | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\ = "OOBERequestHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CurVer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CurVer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ = "ISyncChangesCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
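Every row in the table above is attributed by the sandbox to OneDrive.exe rather than to anything extracted from eicar_com.zip, and the LocalServer32 write that points at FileCoAuth.exe is the kind of event the "Registers COM server for autorun" signature keys on. The Python below is an added triage example, not part of this report or of the sandbox's signature engine: it parses rows in the report's own format, isolates CLSID\{...}\LocalServer32 and InprocServer32 registrations, and records whether the key lives in the per-user Classes hive (consulted ahead of HKLM for non-elevated callers, which is what makes COM hijacking work) and whether the registered server binary sits in a user-writable directory. The three sample rows are copied from the table above; the USER_WRITABLE token list and the parse_row/triage names are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Rows copied verbatim from the "Modifies registry class" table of this report.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
]

# Row grammar as it appears in the report: "<key>\<value> = "<data>" <process> <target>" or "<key> <process> <target>".
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (.+) (\S+)$')
KEY_RE = re.compile(r'^Key created (\S+) (.+) (\S+)$')
# The two COM server subkeys whose default value names the binary COM will launch or load.
COM_SERVER_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(LocalServer32|InprocServer32)$', re.IGNORECASE)
# Assumed list of locations a standard user can write to; tune for your environment.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')


@dataclass
class RegEvent:
    op: str          # "set" or "create"
    key: str         # key path without the value name
    value_name: str  # "" for the default value
    data: str        # value data, with the report's doubled backslashes collapsed
    process: str     # process the sandbox attributed the write to


def parse_row(row):
    m = SET_RE.match(row)
    if m:
        _kind, keypath, data, proc, _target = m.groups()
        key, _, name = keypath.rpartition('\\')
        return RegEvent('set', key, name, data.replace('\\\\', '\\'), proc)
    m = KEY_RE.match(row)
    if m:
        key, proc, _target = m.groups()
        return RegEvent('create', key, '', '', proc)
    raise ValueError(f'unrecognised row: {row[:60]}')


def triage(rows):
    """Return one finding per COM server registration seen in the rows."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        m = COM_SERVER_RE.search(ev.key)
        if not m:
            continue
        finding = {
            'clsid': m.group(1).upper(),
            'server': m.group(2),
            # HKCU\Software\Classes is merged into HKCR ahead of HKLM for non-elevated callers.
            'per_user_hive': ev.key.upper().startswith('\\REGISTRY\\USER\\'),
            'registered_by': ev.process,
            'server_path': None,
            'user_writable_path': False,
        }
        # Only the default value of LocalServer32/InprocServer32 names the server binary.
        if ev.op == 'set' and ev.value_name == '':
            finding['server_path'] = ev.data
            finding['user_writable_path'] = any(tok in ev.data.lower() for tok in USER_WRITABLE)
        findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f)
```

A hit from this check is a prompt, not a verdict: a per-user OneDrive install registers FileCoAuth.exe under the user's Classes hive in exactly this way, so compare the server path and its Authenticode signer against a known-good baseline of the sandbox image before attributing the registration to the submitted sample.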

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; the sandbox reported the raw privilege LUID) N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 1596 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\dashost.exe
PID 4604 wrote to memory of 1596 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\dashost.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\system32\dashost.exe

dashost.exe {aa9abe04-4cb2-42c4-9812-66520916e6e3}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap30738:186:7zEvent1571 -t7z -sae -- "C:\Users\Admin\Admin.7z"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
N/A 239.255.255.250:3702 N/A udp
N/A 239.255.255.250:3702 N/A udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
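The first row of the Network table is a PTR query whose owner name is hard to read as printed; decoding it shows it resolves ff02::c, the IPv6 SSDP multicast group, and the 239.255.255.250:3702 datagrams are the IPv4 WS-Discovery multicast counterpart, so neither is egress to an external host. The Python below is an added example, not part of this report: it inverts in-addr.arpa and ip6.arpa names back to addresses and labels each address by scope so that local discovery chatter can be separated from real connections such as the 52.111.227.11:443 session. The name and address values are copied from the table above; the classify labels are the example's own.

```python
import ipaddress

# Domain-column values copied from the Network table of this report.
SAMPLE_PTR_NAMES = [
    'c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa',
    '11.227.111.52.in-addr.arpa',
]
# Destination-column addresses from the same table.
SAMPLE_DESTINATIONS = ['239.255.255.250', '52.111.227.11', '8.8.8.8']


def reverse_pointer_to_ip(name):
    """Invert a PTR owner name: in-addr.arpa (RFC 1035 s3.5) or ip6.arpa (RFC 3596 s2.5)."""
    labels = name.lower().rstrip('.').split('.')
    if labels[-2:] == ['in-addr', 'arpa']:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f'malformed in-addr.arpa name: {name}')
        return ipaddress.ip_address('.'.join(reversed(octets)))
    if labels[-2:] == ['ip6', 'arpa']:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f'malformed ip6.arpa name: {name}')
        hexstr = ''.join(reversed(nibbles))            # 32 hex digits, most significant first
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return ipaddress.ip_address(':'.join(groups))
    raise ValueError(f'not a reverse-pointer name: {name}')


def classify(addr):
    """Coarse scope label (assumed vocabulary) for sorting a sandbox network table."""
    if addr.is_multicast:
        return 'multicast'
    if addr.is_link_local or addr.is_loopback:
        return 'local'
    if addr.is_private:
        return 'private'
    return 'global'


def decode_ptr_names(names):
    """(owner name, decoded address, scope) for each PTR owner name."""
    out = []
    for n in names:
        ip = reverse_pointer_to_ip(n)
        out.append((n, str(ip), classify(ip)))
    return out


def classify_destinations(addrs):
    return [(a, classify(ipaddress.ip_address(a))) for a in addrs]


if __name__ == '__main__':
    for row in decode_ptr_names(SAMPLE_PTR_NAMES) + classify_destinations(SAMPLE_DESTINATIONS):
        print(row)
```

When reviewing a table like this one, the 'global' rows (here 52.111.227.11, with the cxcs.microsoft.net lookup in the same capture) are the only ones that merit attribution work; multicast PTR and WS-Discovery traffic is generated by the Windows image itself.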

Files

C:\Users\Admin\Downloads\WaitSubmit.vsd

MD5 aba19b85c71bffe7eeacc026e557a1c4
SHA1 8efe45e533acd9c4d2bb5e0fc36108d89cb3b733
SHA256 4e711d9773efe76f1c3d373c5b8b21120d08586a4504c7ebbf3ca90ade8e30e2
SHA512 9cd015ddfd2f30a0902bbf3c9bbee501198bdeb7ff70a61dcf957b14068dfba425ebac3fceb9d47c7197558f5e7601e249da3fe2349758ba0988b21b31c2abda

C:\Users\Admin\Downloads\UnblockRestart.crw

MD5 37c3414030d8dd6ac4af2a6b133f73ef
SHA1 1673aefe2c22b53fab7625a27954ca3a3ed0d3f5
SHA256 2f2c523a33ccdcbcbc753f4aa67028e8223af42f0803ea242090e99f71685007
SHA512 2465d327a9ae16d42e96ef40a08775824e936f9892ba2dcbc9ccadcae8ceb0753f4b8630c530d8f8802d905fddf09d16070b818a372461c976abe36fd0702806

C:\Users\Admin\Downloads\PushRemove.xlsx

MD5 285a9cd49d448a70ddfb0237c18cb441
SHA1 b8970088123f5f7b996832ee44d8809caf8a8b11
SHA256 4a6a8d2cdde4904e7a93ea2660bdde990c624e15a8edda021ac7e92c428c0c14
SHA512 b89c4136b5adeda4a75fcb7b09fa3e11e4965e77597c71863416ea2b9d781bcdfd3a837d447ec34745fd4b4de66ae9df21278309ce4be29538e29779184bc5d5

C:\Users\Admin\Downloads\OutMeasure.css

MD5 11abdf9fd29b88430564dbcfa089c043
SHA1 7157737f48f3a6c8f9ca81fb4c4fdbee20df3880
SHA256 d1ab5c0ac57a6dec0197ee3555bcf95a58d3ec16b0ef62e678076f98c83442fb
SHA512 952b0cc3d1279614bd7ae21840613ef14133943624f29c1ce1f9fde60dbec99701bf59ac70ffc84113708148ffcb3e372083208a12a9b0e6185be4a8105ef00a

C:\Users\Admin\Downloads\CopyRegister.vsdx

MD5 fc95f8c4a7a5d05c654936e4c76a48a9
SHA1 c4f0a8377a329ab43db4445e4b59d8bf674126ee
SHA256 cca27f3f130a96ebc4bc03701dfcfcdf1493b387b131a99046aa4d95be634bd6
SHA512 82726516a53ce2e388449b61337929e24c1f8cf6a484b0b8f6e288ec3ad083243321096423a6b593b2aa26b205694821c1c6d1f49fb08e6f24588f7329f56b3a

C:\Users\Admin\Downloads\CompareOpen.mpv2

MD5 a00e9a9c82a71130b7b6c648601fcae7
SHA1 f5eb7e8f711f7a6f3e3f77d4b834b71bbbf96c3b
SHA256 efc6c9b668c52019aa9a710d2fcff61a6fa8165406643c994080e1dd92c293a9
SHA512 5e9b3e793ad1328cb317f9836f91767f3a1b3abec7f995e8f5ade1c5517222b720d31fc53aec10f710c287c41b460bdf5ae2bff6b5169e87e0cd69af6d4a77ed

C:\Users\Admin\Downloads\UnblockBlock.dwg

MD5 75f905b691e62b52d31bb85aaad5a1d7
SHA1 4ae728722c330703feaf99c9634f8322b3698083
SHA256 b949e3f3c5d4ece1585aa18fdb4f07b1d1916175ff0c9014430d038a1d3efd70
SHA512 59556b9fa0e52b360991481b3a8f862f6402fc4b87aa8c25dc5cb902dee7623b6d48db4b3010ff92b8520acf197b86aad5e55395186c215b80308587e3db105f

C:\Users\Admin\Downloads\ConfirmBlock.aiff

MD5 d6d0ff997eb1cb3308f525fde540758b
SHA1 64763a7f024d0084221360d8f82ae4b6609f0ade
SHA256 6a18d86616f51f68e6383019fee099b43af79de5f874d1a3c8bd3f3fa0767430
SHA512 c647a39730b43945999602c87ed94260bb23a1df7fe1b8b348b73d916c71248e63e2f4dc1823ebc4c4779a3840190c9d1519ad4ccc6e803d5fc587a4fd1b2e4f

C:\Users\Admin\Downloads\TestRequest.cab

MD5 7cae5e6a66af0fba24763bda8c8b273d
SHA1 1029e029abe33e129f94faeb91058184f301fa4b
SHA256 bd848a12f72bb0da43b1667d98ab487c60f28c2ef02adefd04f2c8d0693edc1a
SHA512 b43eb82f29b4a676c7a4c6fc90ce2a0f3eaa98a68c7cd63a8e0b95cf207d70553f079b7184eb869ec05f63bd56ec7f4beb9d125b782a18778970b806a71425d9

C:\Users\Admin\Downloads\SwitchSet.xml

MD5 80dc12cd1dfb555fa217521cba155746
SHA1 c734f8a0d665037de0b4a6ae2e0e3de850c13f6b
SHA256 4ddb0165855a83c6e5bd0e46d543bcc5e07edf9006aaf234aef35faa9c31109d
SHA512 a0f0054e121186ecb3f20f845b7fed3b496cf329fd4b3d26db9bfdf2e5103750295633732a5321466acca961e066440b31846bb85119435030eb017b7e4edd7a

C:\Users\Admin\Downloads\UpdateSwitch.ADT

MD5 d00b75f12f600493b9b48e3220b467c0
SHA1 ea1b7a36108858651b2333a5615dd1de9c87a87f
SHA256 84a09e16d89163d4b538f4a369b3459bf6be719fe458d29a4b6353c5fa324242
SHA512 538c66228ab4515a2118bf6513453b7144d79d2f808d175e33a37e26e830384fd9afabb8a5b9659ea5b278fbe317ff24a9b404fe726810a63cd3bdec516d7fe4

C:\Users\Admin\Downloads\MeasureExport.tif

MD5 2ebe4ce9bf4bb293cfe7babf45f2e978
SHA1 95bbfdb1cb2ceb637402b650b48472929f61a8d8
SHA256 f03bcc48e2520aebb029cd1fc0187acf8cbbeb87c85158d86a83b9c024895ce4
SHA512 855258e9c8767e52748a93ee8e0668ef5e45e52b7dfd8dd48bcd66eb3f85581c94007b57eeef4694c85d3d937bb002c30c0c8f3fa79f25769f5d600ece8fa22c

C:\Users\Admin\Downloads\RestartBackup.aif

MD5 8bcbab0a796d10a6bd52ea32da944dcb
SHA1 2d4ab87e17a2cdcb93eaa9ff27fe3931035bc498
SHA256 806a7173e0ca047172fbbcad8d1cc5a459d2ec02f209ca10879b4ab0b741338b
SHA512 526293b3481f0abf628356c43c77bdc9d212161a054cfe88802454c16943336179fd30a0952950cd1b0f32e6485253cd2f5c400f6d4c49280a05520db6f8509b

C:\Users\Admin\Downloads\ExitStart.txt

MD5 df1a337d6e5deb22895258617fde3610
SHA1 0437c1f9be5b7ee13902d2a30fe1ec6ba76af3d5
SHA256 6a03ed090cbd47a3cf71ce829d7122de3e953ba382b66eb4e56fd68eba233306
SHA512 ec2c533ef90b828421057616df284d3dbb7ef58d9559d6971b00249053b1a5007be353a320a8225cc6933cf392584ec312d59c5bf53b81ae1921406b77d48159

C:\Users\Admin\Downloads\FindCompare.m4a

MD5 0bce32ff6b71b47a4873b827ea337975
SHA1 312c91bdc3e86836c9387066a838e70bc7a2d634
SHA256 765455e9019130f42b44ef0b679f4dc6a2ba8c445ee744186ef22beb8c792b94
SHA512 3e8c9a1c6a7d995c095c2408ea93c470b4549a6a2aaa8db26007a621c658ccc9fbd62bd7f192eee9db4370f2c488fb3d6a6e0bc514482d7e4dcdc2adddfa08dd

C:\Users\Admin\Downloads\RedoConvertTo.rtf

MD5 6110cd86bf2730aa300ed7d1262f2093
SHA1 35075f1f942dafe194448ab006c8fc82c719b4e6
SHA256 0756b10c9b23ae73b30398de4ceea0463d809f9f0bf62c0cf2d92bef274ad070
SHA512 ce53a76aefce3556792f4416af80a7c795d24646de7dd89d1a2312e0d541c32e2864551de37fd1ba520c5c3d69b8f9faafa7c2104a0e01a1701ec83e222d2637

C:\Users\Admin\Downloads\GroupCompress.xlsb

MD5 6d718b81eeb23db502d0bd492ca4eb93
SHA1 f6b52e41e0474062a31cf12b62bf4c825b1d69b3
SHA256 6678e705dc7b88da4276cf1df94d96f023511157665ad4b2b842b2e0b70dd185
SHA512 624c7289cc49f5eabecdf0b3b6ff4717e3c4687b1778a15cb156b0aa98b6973223bc5ef6fde689efa44fd00e1f2cb4b10f1e0169a0ceb8e294a87c4aae0aed11

C:\Users\Admin\Downloads\PublishBlock.ppsx

MD5 9733b66764fe912f21d0ef5b44885c96
SHA1 04b01805af3d649770beb0130f29627978cb71e2
SHA256 bb396a49342066ab6274a850817f66f48cdbee143bf29b9302372d4f3395e042
SHA512 650c01eef0bd9a80bd6d0213c2dd6a85519ffa6cf802304063d9326b1820fac644eb84a236e96dee3726207b5edfba0af70236344892181e3a035303ebd546b3

C:\Users\Admin\Downloads\ReadDeny.potx

MD5 ae60e11fb6976f911a4e0e36d6ddf4e0
SHA1 0be1a6cd1d655dba79e5d1c8aa6c8dd4354e20af
SHA256 cd10b6c9cdcace902903d20848abd21c4a40a3145d1bfe8f9a6b4f2df98f2898
SHA512 f6311762a03c573edb5193a579aaa6b388600113002256a5310bb0a8f729f769a7e88b3fc5ba4b946794082bdf623df1c4881ea2d979e018382c4681831353b4

C:\Users\Admin\Downloads\InitializeGroup.lock

MD5 822004082c5f36a31d130a167ecb192f
SHA1 54062d277fbb22adfdf6b62363b2292c2b7a3d49
SHA256 b12606c88d9608b27161277149150c2c31d04109a6952a4a476b4c6c7736b45a
SHA512 5d3ee8a27c1c140d16c1f900941b7d56ad9f99c62ffe95174e371372689e05c32ec19700e6d6bf2c036f546f7f59dc24e2c0fd8b3e44971d61ee188707c888bc

C:\Users\Admin\Downloads\SendUnlock.hta

MD5 f7f965685adde54fb48e9a17478cf971
SHA1 69bcc4db123c02eb7b3e8ac77501563eed96ab4c
SHA256 d35f0108d1c5227e462dc005b5c9080b51b22529c447ac0298859bb2c185f379
SHA512 e50503d719981a3fbaecfc76c60a43fdf186e80cf5621484ac9e8694190d0396930d8832e2ae1abe52dc56c1eb0456bc60f4bfb6326891635bcb58e0f38d9b9b

C:\Users\Admin\Downloads\CompareWatch.ogg

MD5 31d20011e81431246464c88c58418236
SHA1 ef96bded3d2e5214c8a1c3e0a9709bbd00f0a67e
SHA256 d534fa653676f4190d6b684f17893db50b5d3d13352311a4cdba89b31462465a
SHA512 ef6e3e4754bd69f8b4146e4e99fc4f190d1dc273aea4fde05954e2e78dd54351a828bf891257c5fe1d03c285ee1d8db2930a414a0f5d581f2a4be4abb340ceab

C:\Users\Admin\Downloads\DebugRevoke.midi

MD5 b305479e1675cb2aa30ffc977dbe1c17
SHA1 632e6ec15a16b6352c2065c9a9cdfb56d48189f2
SHA256 b1e127d93288af9055faa26b8d7685d763f1e382a23940648825062ff8a567ec
SHA512 2c012f526c60300445d0a821a03a17bd9a25aef817115bf0648ed00895b6093b1d687df80663209f7294942cfaf9d314f85f6a59066654d45b0ac6f861b95786

C:\Users\Admin\Downloads\ResumeGet.inf

MD5 26705362e80b8e3e2dc5c3778ee60420
SHA1 6e956e291045d4d7344a8f78fbdbc8f9f02bd664
SHA256 ddda739fa6b44151cc69c422960e8dc73e7123f70a4ce038d5872336f495c6be
SHA512 ec763ce9a3a77f1939a17b8bec7b6815bf78e28d1c09030fdac71dcc55b5c5dc75baf019375ec70e9b8a7f1520bd6554cfe616a6842cd8096747324bf1512179

C:\Users\Admin\Downloads\OptimizeGrant.xla

MD5 b9b6b751a0e1ac23c8e7a0903111fffc
SHA1 4cd395b4857da8b15e0f1215e04e1a9066c225a6
SHA256 78bc4acbb404b89e294938566095f2e47b80142a8361469b58faabb1669a55d8
SHA512 0e8802f24acc76155b71082210f3849b6d397b1fb2cc831175a5f53dde38cf978b3d769a6e4a2ba9301bd02f7efd11d1b0a3ad1dbb168e75d19eadebf89fdc91

C:\Users\Admin\Downloads\ResetGrant.htm

MD5 11f1af7ebe61d08bb4b012fd609e5a59
SHA1 4a415d5282445768c1c0770cc8f88ce467b934c3
SHA256 f061bc876114f33a2058463d7a25d275c60e7a4b406b2924443007dab5a832d2
SHA512 74954593f62c69dadc7fcdb0131f88cffb70ce2fe3fadb86eb9846f2703d2dc68bf315723878c9d9045e7560d86d8e02f62dde974c269fa8c6651aa2d50b4c6b

C:\Users\Admin\Downloads\NewSwitch.rtf

MD5 d69c74d0aae68b8c158a62414e8535a0
SHA1 d38aca128cd8048f86c2fd44baadb310470ba0ec
SHA256 36700debc4d0586861d2c665a7d270a4c9ea4e8c98def95a29269be02f423264
SHA512 102eb05a7a39837b4efab58d38777963f51b785de8282bf27cd1140d23ad7f5cdd8b386cfc76587ede20b55199fe26b18eb295d474b794ca707a66c8914b49bc

C:\Users\Admin\Downloads\RedoConvert.jpg

MD5 dbcd77d658f83e0d79ef002d2a737f8c
SHA1 1b6572171900d8ed81e22f072f9aaf1938579a5e
SHA256 d35a335ab6611b9b278b1d71f7b04cb23b533faf087a4211589c88fe377de9a7
SHA512 8ebbef9573a6d6f9ecabe35ec4d9099de58049861fcc6896107d319a2af8356840749ea0a8342f0bebd65d02de9b4674b2499f4dc2008cff9164484ae2b7eb51

C:\Users\Admin\Downloads\FindCopy.midi

MD5 49c3c5dcbe1f18b496bfc07931c8404d
SHA1 5c1142611528417445672ec3573eca2bab266faa
SHA256 93f5b7c60a28abfe0fb5c59ecae4add2b8ead4e7b380bbab5ff535223c4c5e02
SHA512 d64412426accc9a5d3ab472a365bdd46b231e8e8ca80c45627edc0a87e0648092c7200d90fc549e6828cfd0fa8f363762f153afa5e5998e165f3fa92aaff19bb

C:\Users\Admin\Downloads\FindPing.nfo

MD5 29939088581e56775c91cacb93b76e22
SHA1 4b5df6f7571ede4a0cc96155b8aabda61110bb32
SHA256 8e5b49490cf90277023162de61fc82ff8651c6eb8d708c5e66959f35bf801079
SHA512 63c14d3f49a80053e09d0d393247f78589c8d4cb9b78e4bb62e71aa808ec04fd2d21cd0251ff6d65409e5c41b48ae58a46c11d77677c332bcdff508bf1a262bd

C:\Users\Admin\Downloads\GetApprove.fon

MD5 1339bf8fc400012404eae7c6b213bcf4
SHA1 8bc9f2366198dbbd8665ce14bbbc3c1d3c80bcee
SHA256 dd70d380831cab0618e26cdc5e61e45afde3b75591d22ef4335bc60e0948cdff
SHA512 6f83de9a9f32f5a752952da10d7913a31d49536311079dd4687d4aa0ddb0507cc702c2bff9796c125a8cb85415bb52238ce73eb0a438c96078d750b3915f2cbb

C:\Users\Admin\Downloads\InvokeStop.mp2v

MD5 aedbddcde6b1f607db10e953f7da9dbe
SHA1 38a903467194b0499b600ca40ef3af676cabb200
SHA256 2000cb0c631dce4d1aa4e22de2d77743403b6c1aa015eccdbd87df05cbadaaed
SHA512 b187b3aa50fe799d31a36ff1ddfcceaa69d4ec261bdde3e0d877106d16739c8ae620bad2197b6468985e0e23bd368ab770adc42d42bc3364a615be7576fec687

C:\Users\Admin\Desktop\SkipSelect.mpeg

MD5 5b91d13b3b941fb294e6ffec0d037c81
SHA1 63bc29fbc22d4ae967d9c1ccb955b237e91cc21c
SHA256 fef89009ec306fd6dd4359f945657540fba0df9203af7265e13218f5314cd453
SHA512 620b8a08d1030eac61bf9923ff537b6e054ef867e9f1f74f54d3a7fde7dc7a13b9255490c4614257fe7654d6e64cdd0d8996b4829cb5eb8f9d6f40c9254ba80c

C:\Users\Admin\Desktop\SplitImport.lnk

MD5 eb006abe46ba513aa4d76ef0cf8847d2
SHA1 b36ea185350d06f11c30915b026a86cf759e2542
SHA256 a543e24437de87cdd60d99857cc94360697321a4f327f8bc5da4c1e6ec829bbb
SHA512 11b6a6d108ac946882cbc4e66d42a1b0b0bb3bd7d62c42a2ef3bb66179cce56d58ec3be656e480b1d8d62ee07665ffe5302e2d5c43c26b37c84e6a7d191ee160

C:\Users\Admin\Desktop\UseRestore.cab

MD5 0047539e7750fa5a5b5b93cfd6b660d2
SHA1 c1505a2a2a5cf111c2f537fea7e9f06f97259bf8
SHA256 471950f7d079622a0630fde686c3c626190994036397f94e94a75fb1dba8f23c
SHA512 e1fd6da35fd7deb484cbdd0bc89f486b53486a1708d6921b41f9eccf78ea49f42df90be5cf3eb5153a9bd8842fa5159bbc8e9bc0f50b1d778829d7c6ed3ba204

C:\Users\Admin\Desktop\UnlockResume.xht

MD5 1476d3642c9c5ba8ddcc12d86d02a2e7
SHA1 1f96f408f43237547cdb5f88cfedf1d54fc3de31
SHA256 7e49981a7696d1780b4f9f3483340fb118bb5ea97cea6515f6be935374052ea3
SHA512 4e63162fe2dc8535d68b1f408125d4d3bafbaab1ece7ea995070beb14e81b5e0851532ae167d14d2d2510ea5b29fdec2ce19baef1ea260fa38a9dd242222ee8e

C:\Users\Admin\Desktop\UnlockRepair.js

MD5 45bce481d09f94d182c7991505bf9e79
SHA1 3acac6f4e24fbf5e47aa89de06c48179aa016fdc
SHA256 b2359aa2bcfd1ecc5c6e2e5c2702b44c968685fa834f6d2dcd42386bc39e2db2
SHA512 e769ee416071d3bbe0a28783de8eff4fdd9da675bed5d8a22db42704fb727a1c8bc74e40bd3d0654bf7278c21ed0f7aef89b8563e81fbb1f049a823fa4868a2d

C:\Users\Admin\Desktop\UseSend.cab

MD5 cb6c46239f1eab3fe850095b18fb4fec
SHA1 74addb728c8012e4fa7b927a31a7a2b1dd61c7de
SHA256 11b72159c146c2ba77ff3a289d2b98f0266c6c817de953f75a46a569ae6c9c54
SHA512 6ab4de76975c0b76f6646b3265c400f0747dffe776cfeeb2b8965f82907785b174ab88334054436d3e83588d3edfea1b44a24ed4e9f6b30b5653ac102657b2ab

C:\Users\Admin\Desktop\WatchSplit.eprtx

MD5 d06e51cdcc2a07a30c5dd6807590cb4d
SHA1 08d8eb28d7ee06bb76f0b3985e9790856f71f140
SHA256 aa991b5a40f407f36553c64f0cacd9bac49a0d45d0a7078bad21ed1c3c580dcd
SHA512 feb236864ad5b77cd6a4daba2387221581ab3d3186697c78432f1d4a0e2e3ea1629738c31db0b11bf876173b3eadc30c4a15808da0df288f8d255958dd957667

C:\Users\Admin\Desktop\AddEdit.dot

MD5 a18c7749b969bc8c5880579346454168
SHA1 87d28b22e6757fe89288bf8b411c59497c49708b
SHA256 1e8ec7c76b4286efa742b8d5fb6efb2f5bab012c56a063297ded5c57e1d77dbb
SHA512 a8b529063a722148d461d5967630b2152329b081cb98b2fe4026ce8881aaa8150e7394b4963f973aaa4a8bfdb60c0accbb0899d4d36cf56958fd7b365a069a7a

C:\Users\Admin\Desktop\ApproveTest.m1v

MD5 8aeb3699ebdcff8221990d19d635c203
SHA1 fd7636bb8976943aa08318bafaf11c422806bdad
SHA256 fedbc71f7b11492d054e1098399f7e4504b99c39723462475e8d45ffa781220f
SHA512 6738e084f0386bf20bb0ad51497ee1680e6536458a2a5de757a20e60cff974bd6a91c938020ca2544c42635a80c7cbfe05cba55ae7345ce4df722d3230fbce89

C:\Users\Admin\Desktop\MoveTest.dxf

MD5 188569e9c7a7bff10d0cfa04b622f13e
SHA1 4c0e6628c5d841660507b6bedf397ae5a7017f5b
SHA256 8d96ebad5e9a2cf7157ee00e872fee44969c7bfd91b89a7f4197a847426557ae
SHA512 542b2862d96a797c8bc2ca0cf682d63100de6888938b5b8db18772642a875718d9e00560c9dadeacb9cbb3fa30d88a202d7ab961ad17183378f992f4f5f13b8f

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 ccc9ef4179c717b0d381064f07ae8b43
SHA1 071c743bc00d36b035b6ff4f4112617e179faa4e
SHA256 7badd0e5b98770cb1a7c1426c199fb356e177c9eb0dcce63bd153245ab2c6717
SHA512 00df112330fc52c70105513ae5119cfc99b4e45088532423b029352956189798ec4af35a40c7c82c7d14a47c10d830914412bab3687bc1323adccf0cd30cb97e

C:\Users\Admin\Desktop\InitializeApprove.bmp

MD5 d91702e8c6e05108aea4a83a580f6ab5
SHA1 93f55e54096e35499ac169afa79cede57159ec54
SHA256 20533b3c130ccbccfdde42f15fd7a2ad75932fe85d5a7822fc11cfb0f3079ef3
SHA512 be9e4ce6f300179953a99384eaf79a05d96ce336166e048967b6eebae56fb3460772d7859075f361b9caf1298f784ee239452f01acece8c7bc6e9f024e14dd90

C:\Users\Admin\Desktop\ConvertToNew.wps

MD5 696f9d3927908ac7addefeb0ab7886c9
SHA1 adac1c3abb6c0c17c01ba493c88c6c0a78657fc2
SHA256 9eaf931d07dc3d78f2cac13bd80a145f98808592c279ccba06bab640f4fe8ce0
SHA512 0e3ac0d1c44221e72f738781e0ed286372ba0b9029fa8388a080b4abbba0a6e01c7c18658a501277b2e2ddcf17a46f6253b5e38074855bbdbe11e8b07d8c90d8

C:\Users\Admin\Desktop\RegisterMove.ram

MD5 3dff3f19dbb201cabcb287cd657dacca
SHA1 366afa688a2503b19766db18f152411c7e723f23
SHA256 5abb6c13ff490359ab3a298a01739e766fecc2deeb99300f3ae9d87292f37a91
SHA512 cc8536c974891e679abde722fd0c7b7e0f6dfea3c37923e6e8dad035a8cf87e62e12e02f6c21680ed9c1b7dc3bc5b537e3a2753824dd1c1d8e0a7e71a697a5d7

C:\Users\Admin\Desktop\RegisterSync.doc

MD5 d1ce06c5c6064a28b87d648ced11902b
SHA1 12c8152ca38794745cdfec00cae6a8c72cc1dfec
SHA256 27fcc2653b78a03ebc3909211651c7b310f576f5fae79eda29f0bfb87baf842e
SHA512 a279bffcfc28105296052297c8ff20bbcda0cbaf20435379566b062c281f24b27070e6e59ddc1d8aa914dd79e6a401319c1039585e39048de3733efb457cdc68

C:\Users\Admin\Desktop\RemoveUnregister.mpa

MD5 78406e936b0c3f2eeffed5509d9443b2
SHA1 f81d43d33a08e765632f7498526a13454cc9650c
SHA256 766dd7da610c633151639adae7f219c843b1a84d0dd6fc577bf89e4f2ad335c2
SHA512 6bda5da02eda2a635ff15ebc79fb4c3244aac5217bf3bcdf1933f64faa27322d9937c4b80380aef923d7fff7ef58ff21fa93d30c34f1ef6dd558991b1e91765b

C:\Users\Admin\Desktop\ResumeSwitch.xps

MD5 0267df2d4a38e106ca02234f65a2c285
SHA1 0b1adcd6fad48c96cf8a94e8b5926229e99a53fa
SHA256 b866bd8b3d8e682d817966274f3d2a70bbdbabba6918cdd95cfc73860a857f71
SHA512 f87b96d5290c8d22f825611535ef1bfd17d7e26457c8da3e83137fb238eeca9a0035513dc5f5a39a2b70e9a84b8f7328dca1f2e44cc9e17526d68771f63ddd81

C:\Users\Admin\Desktop\ResolveSplit.i64

MD5 bb06957f7804498f9297cb1e34dc9d5e
SHA1 1e504bf97f452cf9b6c4f430c6ff8b04449bed44
SHA256 0fdc2be82449bafec9260eda2d4422438e5d8d516f666dc2b5f307156b12dce7
SHA512 c4a37c9de2cee49fc7179c36919685d3c3fe34f25c5cdfc6860a709c9d649586f05173773da50e4545f193efd2ad759cb122f6a0f58e70742eeb18887f152462

C:\Users\Admin\Desktop\RepairGroup.kix

MD5 81172c08314a9a004796e4f9094d9645
SHA1 b0616ef88c0ceb05de67a9d09db93863866a5b92
SHA256 69102f4b43ec4980d3c8b44d7268c372dd61d0976a9feac7c05f894aa97ab49e
SHA512 f403a29b25bc7ad86cefc91f6c141639303058041c4da52421bc1aa5c053c7cf4f29f5e31f17099913ff7fff86e5e74ddd7c7c5ff4311fcd61b7a2aeb90e489f

C:\Users\Admin\Desktop\RenameSkip.TS

MD5 b14339eae8f9bb7df47841c13c7ab245
SHA1 7a27ed5382cc5d81bd8b3a863601bf53489be08e
SHA256 f4580fbda4dbe189f31621d73f81b53e8fb317dc5f408e3909403ad79fdfab8d
SHA512 07612075c642ff15506a486d4cc20f89da4e943cd1fbe631d4e5f191a944cf1316cc0961c7507cef7e10403f60ddd3bb0718711e707698c0ba81bd75af5e45d3

C:\Users\Admin\Desktop\ShowLock.mht

MD5 c35e03a6a0632e91e63d9bf9943a8bf6
SHA1 6e152615577425be5ad3d2c446dfaf881d559c95
SHA256 506c2c84240c7ffcd524f880c80adbc908d95541b435800715aaaed2db2845bb
SHA512 6a4c5dee8e084957fd34ac2b084ad8af8c133eaa26906bd8a921d64c319d843c6d5402e4746c7841f8315cc09976e4eb8e9ef96e453cc3ba651b62b95e5303ae

C:\Users\Admin\Desktop\RevokeLimit.search-ms

MD5 6a2dda102f0801f84fd4337d2080ea34
SHA1 e5b1c8b686b4d401ac024edde6898b5540f50d96
SHA256 ff8998b539a13de7df89cb8fe64ca2726cca03ad9429acbaa3a939d3fe036bee
SHA512 a9b85e346646967ed4f59c9325356b91c3578984872c49d89e11f07591f25b4c17c7aa6e0db18a9b5b3c9efa855176ac3a3d8ed4cf81a3ab83f48d78ba43c19d

C:\Users\Admin\Documents\SyncExpand.vdw

MD5 f9ccebea83004da8ae3f934033c61da6
SHA1 f3fae8c99d4e2fcda023436b6e7c73fa15abba79
SHA256 2c809067a380e96b904b1a3d7cc973d6cbe324b0fb38d0a676cda914f2c95fda
SHA512 c377e4e48a136783ab0e595e56f63c6fcaec1b945e25318f12abc08957dd2e20462286afd63b7183a0c417e4883f00aed11b71e23b9749c2080eb359d1bc0307

C:\Users\Admin\Documents\SyncLock.pot

MD5 d0ab733d4a02a30cc22d0591cc946115
SHA1 d14341feff9622faecdd7958d2a8853532071764
SHA256 35aedb0dadcee162a8e9912c7fec63959d08ac7acd10473b930cf238df8d4e61
SHA512 3431b6351b8a1ba1c0569397e3bac6b67728fe759fa0d04cb693ffab1fbfc6e66a6e306525fdb51dcd7597b424abe414b380f9b7d89b67688c866aff7458d0d9

C:\Users\Admin\Documents\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\Documents\OneNote Notebooks

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\Documents\CheckpointEnable.dotx

MD5 d3352f4691724cba14c2c49a8211c81a
SHA1 97e2238ac0bdb4bc06ddac59d0ec51a9a6314492
SHA256 b950e0c5d52abb5fcb17522e7078ddfd790688a6b0842c5b9aab5b09e60d7b16
SHA512 3ae929ccb2fac7e246c7893e5bfdd9a5110f40cdcf81058d8e01bdd6597a38a3b072b5cfd3d0c61afc128d9e3cbb2ef3be4b2e7cfb91115604ebe6c3f1451bdd

C:\Users\Admin\Documents\ConnectSwitch.html

MD5 73ead2e7bee88a7947830013b2567240
SHA1 d89b81e6e745538bc83c77ece0b3b0ac4c07e9e1
SHA256 95b31310db0efa09ac0c0bc52b5b88ba9ee0be2e3473834c6dd6cd1cb5a65ae4
SHA512 9e8c9f3a251a217f928f8e7cff9a822f7db71991f807e1e4b0c0374734bc60d7b266f715aa406562ac7b220fec34c032ab7e7dc015284517fb5f9a1fdaaedcb5

C:\Users\Admin\Documents\ConvertFromRestart.xlt

MD5 73b766bb76eb588912e618cb3cf3e298
SHA1 dacd31b99ada7782c302f916d52e58ebae57b21e
SHA256 f60917face1c4b158653afddea3b02dbdaccbd24f63c60a14ce08cf0ad3508ec
SHA512 7016e33a483f7d721f5da0cbd7ff6ade321046df0724347103e58913019ae2ec0c03ecc09c236f509e34c9654cd4f0834a7f634933f734525761f9d6fb7dc3f9

C:\Users\Admin\Documents\DenyApprove.xlsm

MD5 67d67775745e2ba1377bfb3a3b11adef
SHA1 93e80851fcab8ac21ee1f9c816e0b8c372fe80e2
SHA256 5c7e07911d24de7928bc669b16b536e49392ee25e8e23ad5920906bf02a9e591
SHA512 f73f808e17204e1a451d3d7e072d3cd4a7f8bb1cba7ef98dda6295585dc27028b025ffef629e74f85ae2d55fac9cf7bdc3df54b059120abd8a13ba6b6c68072f

C:\Users\Admin\Documents\DisconnectDismount.mhtml

MD5 927e66ae97322ba6a3daa842e0c983c3
SHA1 279b92b48485ac85903598e50dcba32fbc23fad7
SHA256 979d948f9541765106defdc9d3b711274ffd3526dc2c01820312a9240f5dfac0
SHA512 37f6b06828cd9092954183fae792266451123518cf6e6307599619fb3c8de8fa6516ad3187bac5461f8be7ad152eaa48d4d5ec7c2f737932db2fbf1f3d0e4375

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

MD5 cc04d6015cd4395c9b980b280254156e
SHA1 87b176f1330dc08d4ffabe3f7e77da4121c8e749
SHA256 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e
SHA512 d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940
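The Files list above mixes the image's pre-seeded user documents with files touched during the run, and one entry (OneNote Notebooks) carries the digests of zero bytes, which is the signature of an empty file or a directory reported as a file. The Python below is an added example, not part of this report: it parses entries in the list's own layout into records, rejects digests of the wrong length for their algorithm, and flags any entry whose whole digest set matches the empty-input digests so it can be dropped before the remaining hashes are compared against the sample or a threat-intel feed. The two entries in SAMPLE_FILES_TEXT are copied from the list above; parse_files and flag_empty are the example's own names.

```python
import hashlib
import re

# Two entries copied verbatim from the Files list of this report.
SAMPLE_FILES_TEXT = r"""
C:\Users\Admin\Documents\OneNote Notebooks

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
"""

HASH_LEN = {'MD5': 32, 'SHA1': 40, 'SHA256': 64, 'SHA512': 128}
# Digests of the empty input, computed rather than hard-coded so the sentinel cannot be mistyped.
EMPTY = {alg: hashlib.new(alg.lower()).hexdigest() for alg in HASH_LEN}
HASH_LINE_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$')


def parse_files(text):
    """Turn the report's 'path, blank line, four digest lines' layout into a list of dicts."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE_RE.match(line)
        if m and current is not None:
            alg, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f'{current["path"]}: {alg} digest has length {len(digest)}')
            current[alg] = digest
        else:
            # Any other non-blank line starts a new file entry; paths may contain spaces.
            current = {'path': line}
            entries.append(current)
    return entries


def flag_empty(entries):
    """Paths whose complete digest set equals the digests of zero bytes."""
    return [e['path'] for e in entries if all(e.get(a) == EMPTY[a] for a in HASH_LEN)]


def sha256_set(entries):
    """SHA256 values worth looking up, i.e. everything except zero-byte entries."""
    empty = set(flag_empty(entries))
    return {e['SHA256'] for e in entries if e['path'] not in empty and 'SHA256' in e}


if __name__ == '__main__':
    parsed = parse_files(SAMPLE_FILES_TEXT)
    print('zero-byte entries:', flag_empty(parsed))
    print('lookup set:', sorted(sha256_set(parsed)))
```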