Analysis Overview
SHA256
29847ebafcead5a736de54c9a6ece3966787f43fb5a34542d56b77c5145d8acb
Threat Level: Known bad
The file 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with Dotfuscator
Detects executables packed with Yano Obfuscator
Detects executables packed with SmartAssembly
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy WMI provider
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 11:30
Signatures
Detects executables packed with Dotfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with Yano Obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 11:30
Reported
2024-02-23 11:33
Platform
win10v2004-20240221-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Detects executables packed with Dotfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with Yano Obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_128703\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_128703\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1AA344C6-371C-4E33-823E-0C10B79FCB5A}\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\AgentService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5a1ab234c66da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\AgentService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a39138214c66da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003678c0214c66da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2ff07224c66da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\AgentService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\AgentService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000902eb5234c66da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd9057214c66da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef06f4224c66da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\AgentService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe"
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x2d8,0x2cc,0x2d4,0x2c0,0x2dc,0x140325960,0x140325970,0x140325980
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
"c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_440_YAWEZWUDSAWJXUCS" --sandboxed-process-id=2 --init-done-notifier=832 --sandbox-mojo-pipe-token=3512868907126487890 --mojo-platform-channel-handle=808 --engine=2
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
"c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_440_YAWEZWUDSAWJXUCS" --sandboxed-process-id=3 --init-done-notifier=1400 --sandbox-mojo-pipe-token=14112224018033169729 --mojo-platform-channel-handle=1396
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
Network
Files
memory/4280-222-0x00000000008F0000-0x0000000000950000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | fc06f9ee33f2a7a652eaa626fe2218c3 |
| SHA1 | 1677f8320d98883b5ad58744a3667bf309602e82 |
| SHA256 | 790b129b861582e25d0cacf9e48e02f4a2a6b2e73b2e04da558346293990eccd |
| SHA512 | 21d8e28e547ef96132dd80c38f690d7b7332241bb25724785d489b3c822ed970e13e7ff1aca017e7eb738365863eb7b0462b2d53b22e9c6a2cd471b6aa85ca1e |
memory/1092-225-0x0000000140000000-0x00000001402D5000-memory.dmp
memory/4148-228-0x0000000000400000-0x000000000068A000-memory.dmp
memory/564-230-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/564-229-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/4148-233-0x0000000000800000-0x0000000000866000-memory.dmp
memory/1748-234-0x0000000140000000-0x0000000140147000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | e0535fcae725d6e45ade82647504103f |
| SHA1 | 6b33f459233dec19782485a31f564b13c8afc86d |
| SHA256 | 929190a5bd03e07d01e39887d8df2971d8035c8263607f701a6dc90e5f53af15 |
| SHA512 | 608ab990c49000b232ec91e2371a771564bd6dd8eedb948ed14fefc54534f621f0e6e8643c4e8df445cd92b1670eaafdc38a785d5474ea01f91257b10b768d8f |
C:\Windows\System32\AgentService.exe
| MD5 | 5b81a30b6effce3f9928929ff2f18625 |
| SHA1 | 00f215c07564ec752887c5cd072f82cb9d82bab3 |
| SHA256 | 3ad56fd528379cc3a7df5ca952b3f29435e1e356ea4ff70cdb4b529fc5f60f90 |
| SHA512 | b101b35040671759582deeff66417713b4981c14afb38df9423b5c341f64e5234e80e6cd5fbfbc9ef6f8a3919af101afc0f7b8de0775eae35d6f44b7eeb97ab5 |
C:\Windows\System32\VSSVC.exe
| MD5 | 153547a20bd7bad3c5e2183a034a6a3d |
| SHA1 | c7d2890bea3bc8ca6ee827af8c4f878b630a9849 |
| SHA256 | f6582ce1d31946dc892b7bc367e87432595fe23754ff1a53842aeb712d79fa32 |
| SHA512 | 78ff38317b1e7697102f0f27a0c2be3b4984f993c73c505d88e7e715ff9d0a9964e652c3f0ac66af58cf4a8f1b4b7d467843fa49c295dbb4fda2c04931a1fe4c |
memory/1644-237-0x0000000140000000-0x00000001401FC000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 01e150394a3f9387678930ff2cc954da |
| SHA1 | 3b0f8a89333f9d6718788c4d6971cf777fd16d2d |
| SHA256 | 22fbf35010975b40850edf17cabae4a0826966fa7b66bd17d6f0d39885f0f1ed |
| SHA512 | 30c5b9736f17c986b3823e32ff16aea8667e6ab1368866645cdc89f37f1c57af11135ed981bbd77f54a87ce9fd03b3e77af71e6ae2bbaadfc6280329b3359d7a |
memory/4352-240-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/1612-241-0x0000000140000000-0x0000000140216000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | f57f146d714eb7caef0978352f2416eb |
| SHA1 | c774aec70d17e1b0dff2e11d7c3b4e3a5c67c7ca |
| SHA256 | 7ac813dfb9a37463de8582c2b3a4be9275ac033bb9005cf0412448afc51527eb |
| SHA512 | 1d7165c013631ef8d93b73932b03b950a9ac0179eb6e210f51cea2c22f84dc57a4816df4e103d30958eaa86b4d07c1ee628ec3977370738dbfb0b399b857921b |
memory/2536-244-0x0000000140000000-0x0000000140289000-memory.dmp
memory/1412-245-0x0000000140000000-0x00000001402B9000-memory.dmp
memory/2764-247-0x0000000140000000-0x0000000140169000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | c20f248e9562a6e15962ecc6a29d4911 |
| SHA1 | b7f5217d10e93420a2c0bf14b9071c1ada6977a5 |
| SHA256 | df860892d6dc9dba848e14ff586b4a30c8a2f0972a9ad6903e85620e61bc0fa2 |
| SHA512 | 6100a4a35f3d681dfb72215370a244cb92800eee207b9e4ce42985415db46a0d0ba4acbc4a4aca5e19f9d31b5f8a4335cdd977e5ecf09fb81470316fa08fa08e |
memory/888-250-0x0000000140000000-0x0000000140179000-memory.dmp
memory/4280-251-0x0000000140000000-0x00000001402F5000-memory.dmp
memory/4352-268-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/1092-287-0x0000000140000000-0x00000001402D5000-memory.dmp
memory/1748-288-0x0000000140000000-0x0000000140147000-memory.dmp
memory/1644-296-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/1612-299-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1412-302-0x0000000140000000-0x00000001402B9000-memory.dmp
memory/888-315-0x0000000140000000-0x0000000140179000-memory.dmp
memory/4500-454-0x000001876A3A0000-0x000001876A3E0000-memory.dmp
memory/4500-455-0x000001876A3E0000-0x000001876A420000-memory.dmp
memory/4500-456-0x000001876A420000-0x000001876A460000-memory.dmp
memory/4500-459-0x000001876A7B0000-0x000001876A7F0000-memory.dmp
C:\Windows\System32\msiexec.exe
| MD5 | fa87d1d61d1afdda0074c69b7a973c28 |
| SHA1 | ef049e6e17f701172e09f83713eb3d138badcfef |
| SHA256 | 497b5ef22b8efe101ed276925c6ac30db1ba2353e672310dec43cd80aee51778 |
| SHA512 | 564b521b408827d1e53d9981429ec8474e3e325254ca9146ef440dfc47e4b6ec99310fdfe7f8ca41d82f272ce9af55d737bf0c369a88edf2d184cadb5badff0c |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 11:30
Reported
2024-02-23 11:33
Platform
win7-20240221-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Detects executables packed with Dotfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with Yano Obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\2b6b17faae4ef42b.bin | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP66AF.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP844D.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{763E2866-D76C-4433-A34A-DF6341DB4BBD}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{763E2866-D76C-4433-A34A-DF6341DB4BBD}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5CC0.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D89.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB931.tmp\stdole.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F3C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP52D1.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP73D9.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB5C8.tmp\ehiVidCtl.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6B22.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP61EE.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [binary value omitted] | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{7E8BBD78-8F7F-4840-BF84-DD27BBC9F1C5} | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe | N/A |
| N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe"
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x198,0x19c,0x1a0,0x190,0x1a4,0x140325960,0x140325970,0x140325980
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
"c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2460_JTXRMYFZPZJGBFUR" --sandboxed-process-id=2 --init-done-notifier=536 --sandbox-mojo-pipe-token=6547052856178696349 --mojo-platform-channel-handle=508 --engine=2
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
"c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2460_JTXRMYFZPZJGBFUR" --sandboxed-process-id=3 --init-done-notifier=776 --sandbox-mojo-pipe-token=1132485580307653068 --mojo-platform-channel-handle=772
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 258 -NGENProcess 24c -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 1f4 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 254 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f4 -NGENProcess 288 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 280 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 288 -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 22c -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 270 -NGENProcess 218 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 298 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 1fc -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 21c -NGENProcess 1ec -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 21c -NGENProcess 1d8 -Pipe 1fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d8 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 228 -Pipe 21c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 250 -NGENProcess 280 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 260 -NGENProcess 254 -Pipe 218 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 228 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 288 -NGENProcess 254 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 254 -NGENProcess 288 -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 294 -NGENProcess 1c8 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 2ac -NGENProcess 264 -Pipe 2b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 264 -NGENProcess 254 -Pipe 1c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2b4 -NGENProcess 2a0 -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2c0 -NGENProcess 2b4 -Pipe 228 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b4 -NGENProcess 250 -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2c8 -NGENProcess 2b4 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2cc -NGENProcess 2a0 -Pipe 2c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2d8 -NGENProcess 1d8 -Pipe 2cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a0 -NGENProcess 1d8 -Pipe 2b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1f4 -NGENProcess 2dc -Pipe 2bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2dc -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b8 -NGENProcess 2d8 -Pipe 2a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 1f4 -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2b8 -Pipe 2e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 250 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e0 -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 1f4 -Pipe 2b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f4 -NGENProcess 1f4 -Pipe 2d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2f4 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 300 -NGENProcess 304 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 300 -NGENProcess 120 -Pipe 2f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c4 -NGENProcess 30c -Pipe 11c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 304 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 310 -NGENProcess 120 -Pipe 30c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2dc -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 308 -NGENProcess 2c4 -Pipe 304 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 310 -NGENProcess 2f4 -Pipe 314 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 2fc -NGENProcess 320 -Pipe 1f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 320 -NGENProcess 2d0 -Pipe 324 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2c4 -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 32c -NGENProcess 2d0 -Pipe 2dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 31c -NGENProcess 334 -Pipe 2c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 330 -Pipe 2d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 310 -NGENProcess 334 -Pipe 328 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 310 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 338 -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 334 -NGENProcess 340 -Pipe 1ac -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 34.41.229.245:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 34.41.229.245:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 34.143.166.163:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 34.67.9.172:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 3.141.96.53:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 3.141.96.53:443 | fwiwk.biz | tcp |
| US | 3.141.96.53:443 | fwiwk.biz | tcp |
| US | 3.141.96.53:80 | fwiwk.biz | tcp |
| US | 3.141.96.53:443 | fwiwk.biz | tcp |
| US | 3.141.96.53:443 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| NL | 34.91.32.224:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 34.174.78.212:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 34.143.166.163:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 34.174.61.199:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 34.41.229.245:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 34.174.206.7:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 34.41.229.245:80 | oshhkdluh.biz | tcp |
| SG | 34.143.166.163:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 34.67.9.172:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 3.141.96.53:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 3.141.96.53:443 | fwiwk.biz | tcp |
| US | 3.141.96.53:443 | fwiwk.biz | tcp |
| US | 3.141.96.53:80 | fwiwk.biz | tcp |
| US | 3.141.96.53:443 | fwiwk.biz | tcp |
| US | 3.141.96.53:443 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| NL | 34.91.32.224:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 34.174.78.212:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 34.143.166.163:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 34.174.61.199:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 34.41.229.245:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 34.174.206.7:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 34.41.229.245:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 34.41.229.245:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| ID | 34.128.82.12:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 34.174.78.212:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 34.41.229.245:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| ID | 34.128.82.12:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 34.174.78.212:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 34.67.9.172:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 34.67.9.172:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| ID | 34.128.82.12:80 | acwjcqqv.biz | tcp |
| ID | 34.128.82.12:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 34.162.170.92:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 34.174.78.212:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 34.143.166.163:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 34.143.166.163:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.168.225.46:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| US | 34.94.160.21:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
Files
memory/2460-0-0x0000000001C90000-0x0000000001CF0000-memory.dmp
memory/2460-2-0x0000000140000000-0x0000000140F04000-memory.dmp
memory/2460-8-0x0000000001C90000-0x0000000001CF0000-memory.dmp
memory/2484-11-0x00000000001E0000-0x0000000000240000-memory.dmp
memory/2460-16-0x0000000002620000-0x0000000003524000-memory.dmp
memory/2484-19-0x00000000001E0000-0x0000000000240000-memory.dmp
memory/2484-20-0x0000000140000000-0x0000000140F04000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | b8e1b265602c64b79b009618772f5cfe |
| SHA1 | eda7c4d0a3ad03480f75f7ad8c725b3c0f447394 |
| SHA256 | 683947245b9fe8f15d776714c9f0d1ece713dc9415261abc85189d8774fbb117 |
| SHA512 | 8d6de915703af67728b246db438963febc3538d4eaa9e17d0625a6d53740091658cf39cc6abc5c42597e9daf80b5f99c6d88b6846ced0fc4405e4f0a1cd1fc87 |
\Windows\System32\alg.exe
| MD5 | d41784147ef39bde4467d224ca09c7a3 |
| SHA1 | 1a726e624b5b24c07cdefbd9f12560ad96e11efb |
| SHA256 | e87cb49562b4e3013ecbe9981e5b98efbb012fe636de68b30da67d9a2b5905e5 |
| SHA512 | bfc7a8f276e129d87abefc11d1c54a14bfd80ef96705cbcd1a20c0998647feb5dee5d6a7bfc0494c0172a68396c6620fd053ad1855967a9b4abc882c17313bbf |
memory/1900-27-0x0000000100000000-0x0000000100297000-memory.dmp
memory/2460-31-0x0000000002C90000-0x0000000003B94000-memory.dmp
memory/2712-45-0x0000000000200000-0x0000000000260000-memory.dmp
memory/2712-49-0x0000000140000000-0x0000000140F04000-memory.dmp
memory/2712-52-0x0000000000200000-0x0000000000260000-memory.dmp
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | 14cdecf50f69be2ba93710a97cfc28d2 |
| SHA1 | 6aec40851bf15e1c1f89263f394f96e00c8a1027 |
| SHA256 | 29cfd85c06c30ae1d996b32f8caa9d97f2e0bdeba439b818765676bef2ffd065 |
| SHA512 | b2cd44111964e6ba62fab9ba86ee56a2c23b23b860a57890698f783ba60fb5e28b92c9bd4b1136cc82eb024f658764eecd6906c433b5b751071e5fbe780fd537 |
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | 848bf1ebc4b014f3d1b31ce68a9655eb |
| SHA1 | 8fc8a965fcb9db8699858a891c096a67a48b4062 |
| SHA256 | 0971c4d4903dbb51643b5f729a1374e07e5f9ae0ba70778135d69dbf6c4843d6 |
| SHA512 | 172a054436e95fb9620eddc49b82f384064b219a619f474374bae181152a0aaf916a95357a471617ea4b246f6bf9efa22a34d7fa00806172961c068bca77e2bd |
memory/2100-61-0x0000000140000000-0x0000000140290000-memory.dmp
memory/2100-62-0x0000000000330000-0x0000000000390000-memory.dmp
memory/2100-68-0x0000000000330000-0x0000000000390000-memory.dmp
\Users\Admin\AppData\Local\Temp\em001_64.dll
| MD5 | 2affae8dab0e1c7a2115824e65f589b7 |
| SHA1 | f4eacff796f83ceddaebd06cdedc684c5699dcb4 |
| SHA256 | cf25dcd07e6f108399748d3204cc5e6b939f703dd30be8b4df2729525321d6b0 |
| SHA512 | 4a771a8e8ea81f5ab45b7c4492bd162fb8dff1127861a4b5fece112defd24010e7ff7fb0c4b4b435cfe429287c398b1cf0a03ddaa7475564adb97ba7687c70c5 |
\Users\Admin\AppData\Local\Temp\em002_64.dll
| MD5 | 02a6d21e7e296bd1f85ba44d0ef6e462 |
| SHA1 | 2997ecf46efd8fc97f506b22eacd92756ff06b49 |
| SHA256 | 0fc936c7b7cc4f72dd1e7d41f98329afa17e15365b0470d9e02883944180af5e |
| SHA512 | c2b5e8cc1f2802e485cc7eb457660e4a2b0596443595c93db95cb39562d9fc7f719d60c0e222de3a1e6a3375f326f7d4304bcf56347c7cf02f82553d63227724 |
\Users\Admin\AppData\Local\Temp\em004_64.dll
| MD5 | f90a395244a8cec4265d91d3abd3fbed |
| SHA1 | e406afee27c471a5fd079cf5b4e7afe0b6e45677 |
| SHA256 | c34a7ef5a91f50b77c7226a78c71b04adbabc1042875e06910e7efa180366929 |
| SHA512 | 0aa3f7fa973c57d59a9a6f3d76b454e0888a04ca807e847feb5df1f5b20ee4f7add4e9d4599878ac5b9716bb077982da9a8deedcef5a4d4bbea1aec083ff7d8b |
\Users\Admin\AppData\Local\Temp\em005_64.dll
| MD5 | 4328065d5f82d3ac5bb50fc4eed0d7bf |
| SHA1 | 4fb41c4c7eb3874bb84f162f4d8ba6036bf0e1df |
| SHA256 | f4cbef3af8946c255299caacb6270dcc935a4e9727a599b0ea1dd4eb796ee876 |
| SHA512 | e47842f4be5df174fdf0011c6649df0025d41f11159e43fe0bca6a3b24148a5990f173c6e8eb8a9857dae2ccde125ba7bdbf477d994c79905a0fed24b4afdfbf |
\Users\Admin\AppData\Local\Temp\em003_64.dll
| MD5 | 7c5ae2fa8fe6f40e070072fd5a82ca89 |
| SHA1 | 9b784abeadaec60adbd99be7447c5bf6f22cdd0d |
| SHA256 | 264d23d15f0379d00920824e2ca1cf806999d99ffdc2ea008528cff4a73ead18 |
| SHA512 | d0de333ec89295adcf6056db87e7d557126ca1f738332b2d6964ba0ebee46c63e6d87c46bb93e8607ebcbe13ff068d5f99ec46d5c5fbd50c06f984eea302a9fe |
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | 34a330a09cf12c9790d584b77096c569 |
| SHA1 | daf1fdcbb284a4fb9ca9778ee17ba89a6ba1db3f |
| SHA256 | 78d80d0b7b027c10e88186fe8c56e077413c8b96d26e5a458b18d007095053be |
| SHA512 | 97f7ad318862574c3fbc50a35b35104335ef85c0e56c8d998664f54ab496eb96b77c45a3d46214725717fea16e0b08e73cce4310714278aa52e8c02ff4657dc3 |
\Users\Admin\AppData\Local\Temp\em000_64.dll
| MD5 | f8b7cac6e9587baabf4045c34890c7ce |
| SHA1 | 61814262c6ee5ceaab2c0263c913cae52e203af7 |
| SHA256 | 8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30 |
| SHA512 | 4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211 |
\Users\Admin\AppData\Local\Temp\edls_64.dll
| MD5 | de076f80d8acfd8e6819e15a7ec857bd |
| SHA1 | 07c4fc29502befb83910a9cf529e37ed17ff0db0 |
| SHA256 | 899fac83a1bcda416c23d5338772bded462155004a772d366cc3ddfda40150bd |
| SHA512 | 22cf88a7b6e59f5d179fad6712dc26c79933af79a4512e08de21ad2ffd1d4b8f4077204b4836c0112bd4c72efff242b1f401038b3c39ae7f794d86a3dfa284c2 |
memory/2460-100-0x0000000140000000-0x0000000140F04000-memory.dmp
memory/1768-104-0x0000000010000000-0x0000000010292000-memory.dmp
\??\c:\users\admin\appdata\local\temp\em003_64.dll
| MD5 | b7b31aaa85ff2424807fe025a87d898b |
| SHA1 | be9b1d92cf1969a3abcd21657acce20909feedfe |
| SHA256 | 09ca1ad47ed18bd399b82cbc8cd1d84755c51bb2751e1576c0ec034ea2171a70 |
| SHA512 | e84e0447fddd9f1e9d25a97211474bc01233d945920c55cc4b79a192da958f33c39874c818091fe254d1995edff3d1951fb7f1961d190152938bb05af4096250 |
\??\c:\users\admin\appdata\local\temp\em005_64.dll
| MD5 | 6394ce2f1cdea8420b4233ce6f794520 |
| SHA1 | 6774a5fa772d0e39a8c8277c3b24be61865dc417 |
| SHA256 | 57fd1e62fb6a94b1d358058bea5567c47750d769fdc50193b6be2920ff59d46b |
| SHA512 | e2967b4d361ab6d13bb6971b9e2641bd5c852518df39a771d4f49d3fbc79fc8a9afbccb636e086637a4805846461c915284c95474b7f04deaeddb0594941d9cd |
\??\c:\users\admin\appdata\local\temp\em004_64.dll
| MD5 | 134cfa7c20fa685ac6727666b94ef65b |
| SHA1 | b877d84f2d16bf1ccd92315913f69363e345df19 |
| SHA256 | db3561d1f07a690049792167de93ec735c00af9a532786749f865640394f7e18 |
| SHA512 | efb569c9bccda7f26d3ce4ba1f8049021dd4687dd8a72f1acd24a7c931ea8a7b928b95fd87a1758813c942a4a5f9cacad82b97eef174421f384ba695798f847b |
\??\c:\users\admin\appdata\local\temp\em002_64.dll
| MD5 | b3e9067c498e010b6222f349e9f609c4 |
| SHA1 | 405c46072065e15b873d0e0ca7cf971081e5aa41 |
| SHA256 | 390edeab69d4e08a02951c7e76849f31ab8020653c6de4421fcc6c06ed5a6623 |
| SHA512 | 951fdeaec5de28d04f6caca1ade33b07a54bc08aee7e2fbe73e4937f20da8007b60f7ba0801a09af827c3892355291ed2884edb11947ad8c445d119592786474 |
\??\c:\users\admin\appdata\local\temp\em001_64.dll
| MD5 | cda820a857be4983dc22ea479fdfc208 |
| SHA1 | eb62268d3c44b532987a788472cebc8cf6a72e04 |
| SHA256 | e4df048132de20a3e64705ea1a2e479eba8eacb82b898468929e91bc538158b7 |
| SHA512 | ebe94f8b33aab882f79e34e513688218a9ac5ac76772f68a8f52470e0a0121ad0c0f2c6421b4c488ff9abf8a38bd681f578917e773e1bf786aa36c096439b94d |
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | 6bb4d77f565767aefa30696c75ea8c87 |
| SHA1 | f5a8b25d2f04c02428b64867ca7e290fa11a26cf |
| SHA256 | 2f29e0aee5327ab7f73f92bdd7f8b7fb40d77c02a2c2a2bada83232fdb95aef2 |
| SHA512 | 29649421b6ba546213e9f581a7ec2a6ef7cb91bc380ed3f2c3501af4c479dfff8760d065a3699c4750d71f79ec71af25e836b791cebec23f481843dbeb8e0862 |
memory/2140-132-0x00000000009F0000-0x0000000000A50000-memory.dmp
memory/2140-138-0x00000000009F0000-0x0000000000A50000-memory.dmp
memory/2484-131-0x0000000140000000-0x0000000140F04000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | a1a283e3c0160b207f66d7deed46c6d5 |
| SHA1 | 48f8e3617d0b39810bd41b75822e9035f5155a07 |
| SHA256 | 8202830e8f0a1d4eb7ce2ef21a542b6bbb7a0aab59e11942e7604270cd1ef074 |
| SHA512 | 32cc9b4796e389973a5e41599d92985d5b6469b952273baf65611f89565c7076e8ed56ded07a4db75f21001f5d5388c6f7b69dda9ce8ceebdc3e50de541cf275 |
memory/2460-139-0x0000000003260000-0x0000000004164000-memory.dmp
memory/2460-140-0x0000000002620000-0x0000000003524000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log
| MD5 | 44effd4a5d29ad61bf3118a4c319aa55 |
| SHA1 | 1335b2472fd8191d677b762e23e8ed5762e8914c |
| SHA256 | 41ed6be5d49abf9fc43a41e9c90ff3de21803b5850667993e6e079e368f5de25 |
| SHA512 | 4f03e1d8cb208f214d4e3ec6e8ec59f2e002819d8bfe02f47f948701a468e81110c92e38ae64c74db5f837ce53aa725e5b3a7a0abf1ecc8973a2d32b5b0967be |
memory/2140-144-0x0000000140000000-0x0000000140F04000-memory.dmp
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
| MD5 | 276d6abf8bfb0703ec60c92100735797 |
| SHA1 | 75bf53885b281e0f09ec431420939234105f1f2c |
| SHA256 | 3c039a0b5fbbb25532f4a3cd18c07340e0ff8b9c4acf06038dd2856e7fe0b60e |
| SHA512 | 12d66fee991d93e06e3d431145c4a6828c838aa113c80d40b435b6898418956091adfefb280bd41770ae89a00b56c53d2bfab6ffe906ab9bf2df9737000c81d0 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | b6a1be93782d78d98a47fab6bcd08ccd |
| SHA1 | 0780673b0f1d4d11c70446a32fef5dcfbf8fa76e |
| SHA256 | c2c93710ea65400a376d958c54e2912bd01f861b047e6b3eaed513214dbfca9c |
| SHA512 | 51518a9251c77f27d1411faf554fe12872556b82eab367e9e8299b559d306ff7c1f0d589c65ab4c355aff08f8c48348c2186871af55c1df2e5ded0729a139d2b |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | 55d4937db90e416f32eed6f75c797411 |
| SHA1 | 2e474298b492ce05c7c9d08ee2937de30115b981 |
| SHA256 | b43aee17b182880c20daffd9dc60062bfd2d23ac03d8b03c6429e8c828f3773f |
| SHA512 | 1588d95b1daede34a3a97f3ec99c6e2aa5f17ed9fd67f0d88451018e5aa9c18b55f62a4e76ea7eb663826d576eb8fc5df320d06204ed4e9c07e33fbc4aee2f08 |
memory/1704-156-0x0000000010000000-0x000000001029A000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | ce7d0a9cd063119736f704c51924247d |
| SHA1 | 174cf2bce9199e1b076fcacca2534f1e1c60c613 |
| SHA256 | d5f77f4d2aefc54e1c18e718a92a42eb2bf90acecf2b2c9665dfb60ec51656a7 |
| SHA512 | eb370c30962a270ddab282871d7ec9b8dea01c25660eec2a7e7f212ec07b90a59d6d9e5a8b1792eca8ea1b0304c99f035fbd69c157462b47df61dff71fe675d7 |
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | 301440434ef7f7e260d219c022902ad6 |
| SHA1 | 3383d4c5983d6183a580f99f38ffa6881601bdaa |
| SHA256 | c11412d2b11dc12a9335fd9991878c6dfdedba89308d19441b6b53eb00141fc6 |
| SHA512 | 88abb97b9432faa2597a63bf70606dfa255859e1b9c216c59ab478cf7f99eaf0433ef7e9edb1d459db11eeebe7a794961ef59a3f307f87d2ecdc804d30fbd491 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 784be9307687a2209fd35add98b3ef22 |
| SHA1 | 2bcd3271c73f748929bc05be5fb4fa83b32d922b |
| SHA256 | c6bbe86c5bdd06e6991530146aad75de8c05c00523ac2bbc2791b4f2d72ad109 |
| SHA512 | 47282804e30d51280d240c438f2fb0a248a77c7cf34cb7e65ef06e5401c49604c1e9105a14c7dddeb4e09bd5200eb39e46a3a0c6d323c5969909eb87c3b59fe3 |
memory/564-165-0x0000000000880000-0x00000000008E6000-memory.dmp
memory/564-160-0x0000000000880000-0x00000000008E6000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | cff6cf04f84e8b1ef2323957eb46266d |
| SHA1 | 69d69865e232b8317670cb204538a76f591990ae |
| SHA256 | a468e1002ba0b3d1a7a56f5632b1281d28d2d88031188ffd550d615ea8aa52b7 |
| SHA512 | 35759c43cd37a1b4f20efcbf8787a6f467a418503550ad6e9d70fe60ce28acf86238d8ede0c6e2c7c7951c02f6efc0889ccc57995be62f0d52b780b40cd864c5 |
memory/564-159-0x0000000000400000-0x000000000069B000-memory.dmp
memory/2772-173-0x00000000004C0000-0x0000000000520000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | f2b9e9ad3397507e4dcc76d0e230d5bd |
| SHA1 | 442872e91d03b88f783fb1e6a06ef4b11a097109 |
| SHA256 | b0c4aa3ba57d8422f39273e9b919620da14b9ef0467cf1ca5fcead51186124c0 |
| SHA512 | 36a2e5f6431da8abe92a0b916b8a3b31063443153f8360e4f8639b83dcf9b84b752fb0af67cdffca8d31be58194cbaa8ff5a06ea88dcc9232a6fcc03688f1220 |
memory/2712-176-0x0000000140000000-0x0000000140F04000-memory.dmp
memory/2772-181-0x00000000004C0000-0x0000000000520000-memory.dmp
memory/2772-179-0x0000000140000000-0x00000001402A1000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | f94e2ef0c1939fe085543d063d04ef5d |
| SHA1 | 20a14f203d0693114019e19a5ee8f433d5e66e48 |
| SHA256 | d7dd0c67e2069102436a7d8c24e6b3fb097362003b3be54dc9d2c442c53d67f4 |
| SHA512 | f1babca2b709dc981ea925fa4b50c81894864e3579d5493a39d9e224551e34f35f25b65b71eebbf18697d2b53f537c34eb9f8f926196c4bccf151c1449df709b |
C:\Windows\System32\dllhost.exe
| MD5 | 983a78834e90739bd8d4417477b10255 |
| SHA1 | 607affeea313cd7f8df7296820a15fa747a9824e |
| SHA256 | 388e077982cb52448690064c85dce4b3c61a71bfb9739453779c6bbcbcc91db4 |
| SHA512 | 929c2872ba27bf0b0bda1c6e774c89c06758b55a0c0d708f887c68353a672dcba003ddd51944c801bc63250e9e4f2b2e68de99cd2561bd170e1a72b817863d0b |
memory/2100-191-0x0000000140000000-0x0000000140290000-memory.dmp
memory/1448-193-0x0000000100000000-0x0000000100288000-memory.dmp
memory/1448-198-0x00000000004A0000-0x0000000000500000-memory.dmp
memory/1448-190-0x00000000004A0000-0x0000000000500000-memory.dmp
\Windows\System32\dllhost.exe
| MD5 | 9cb3e81ddcef95f18a805ba85631c997 |
| SHA1 | 75ecf4c93d2449f454fbf6de313d7a7b408eaa58 |
| SHA256 | c36967156da5ee8aac9afdc2e7ebde7e3c73ef2996a3f3c78567abe611fbdc30 |
| SHA512 | 91222f1d3fc19f763607ac22c1cff4a49f8aab60a89668899c102f11c1b328846a8b7803f3039e3a35a92399336d9e652be35e6b0cee1fea016c20f5d68b8bf9 |
\Windows\ehome\ehrecvr.exe
| MD5 | 545101f3d77450814bcf1b90172b1155 |
| SHA1 | 5f3389536b0157af72faee84fcf84e14460f41f0 |
| SHA256 | 9fbf0d8a92fda4e720ec4cb901ed2509a56a021222c24c614ad1819618b8e68d |
| SHA512 | 2cb2c6e1375ebb7b3012f241f25ee55ab626a8d8214af7e6558cc13033432246aa5b2de52c753dab68465d556ffd19f15c5bc19ba03f12769f5de706b2029d9e |
C:\Windows\ehome\ehrecvr.exe
| MD5 | 52c69682991ed3069cb77f0f8fabc028 |
| SHA1 | fc61401831bf499a5f1b1ce04c676d155b0e01fc |
| SHA256 | 8d8fa5693f3e3e422d1e470d0c0af6155d149fb76d5761e54466ef22d18d4bb7 |
| SHA512 | dadf0183cdb3622cee3b60755f5a054171f33d5953c944e394cad79b98c9c5640c184fe4a29464dfb1c2e4570f8f4674593b55ad6af589d2ea8fdcee7ef45e66 |
memory/1032-203-0x0000000000870000-0x00000000008D0000-memory.dmp
memory/2460-206-0x0000000003260000-0x0000000004164000-memory.dmp
memory/1032-207-0x0000000140000000-0x000000014013C000-memory.dmp
memory/1032-212-0x0000000000870000-0x00000000008D0000-memory.dmp
memory/1032-217-0x0000000001430000-0x0000000001431000-memory.dmp
memory/2140-216-0x0000000140000000-0x0000000140F04000-memory.dmp
C:\Windows\ehome\ehsched.exe
| MD5 | f3a9128823a5715ff561820cfd449280 |
| SHA1 | d8b67a1244b7d57d165c317393b0343238fa5cf0 |
| SHA256 | 8543ce13fd22c9f32a13eaf9dda1c4bcdc85c5823965d4f279a69665fce14766 |
| SHA512 | 65d0079d1da49c5e7b84a9c616c40a474fa24bceeb2d3c31d16bc958850aaf12d5b32c271e4adaf8d9930e4cbb0eefe19c9eb418c298882f6853de8256c6fa95 |
\Windows\ehome\ehsched.exe
| MD5 | 36b0e29262f0e88a943f84e600eeb58d |
| SHA1 | 73e15a96ce97ae82db2f9472d0c60c234fb2928f |
| SHA256 | df1d0140386cff1d3172788bbfbc2cab672c76f8c8d966f276fbe2106b3ac101 |
| SHA512 | 3241ecce2445dd76280c2ffa34d5305ef92347c98d4aae65679693e1bd8e9df672ae264698fc50d9a23ed049d69cbe1dfb3f3ee0d4f86d5fea4d630bb30075ce |
memory/2996-222-0x0000000140000000-0x00000001402A5000-memory.dmp
memory/2996-231-0x0000000000170000-0x00000000001D0000-memory.dmp
memory/564-229-0x0000000000400000-0x000000000069B000-memory.dmp
memory/2560-232-0x000007FEF3F10000-0x000007FEF48AD000-memory.dmp
memory/2560-234-0x000007FEF3F10000-0x000007FEF48AD000-memory.dmp
memory/2560-233-0x0000000000E00000-0x0000000000E80000-memory.dmp
memory/2772-236-0x0000000140000000-0x00000001402A1000-memory.dmp
memory/2560-237-0x0000000000E00000-0x0000000000E80000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 66bef9e206b5d897f92a5a15521a8f3e |
| SHA1 | 82cf8f079c01dbf3cee76cac128e8e02609272ed |
| SHA256 | cd7d5a213eec1875a542c4ae59b421584bcd833e3fc974fbce2c3470e3d69fcb |
| SHA512 | 5b7f5d328146dd47977ebc2218e6911bf93bcb90998c7bf900e6a53f89c77ea1180a2540ad72edd7d0f9c0af38b9d99421571974ccaa7a1c717c2ce48de7057e |
memory/2428-246-0x0000000000400000-0x000000000069B000-memory.dmp
memory/2428-253-0x0000000000710000-0x0000000000776000-memory.dmp
memory/1448-252-0x0000000100000000-0x0000000100288000-memory.dmp
memory/2428-256-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/1032-258-0x0000000140000000-0x000000014013C000-memory.dmp
memory/1324-261-0x0000000000400000-0x000000000069B000-memory.dmp
memory/1324-264-0x0000000000230000-0x0000000000296000-memory.dmp
memory/2428-269-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2428-268-0x0000000000400000-0x000000000069B000-memory.dmp
memory/2996-274-0x0000000140000000-0x00000001402A5000-memory.dmp
memory/1324-272-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2444-276-0x0000000000400000-0x000000000069B000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 61f6e2eb74b88247d3036a7ff7cb2f12 |
| SHA1 | 554a596c0a41f0c81eb5e0e02c7448df478d4dab |
| SHA256 | a8d3bdb1141884e05f217a1db35d6c2a9b335d5304fd1aa661fbd53d7560bb60 |
| SHA512 | 498e64218ef0d295b2fae4aa9e7a0c0f0ebc2ebd26a39aef84bc0fa477fe4bbc0c1189be38fe0d4b00169f32c0ee01b950a6ce64564b3e62c68afe148a895f3c |
memory/2444-281-0x0000000000790000-0x00000000007F6000-memory.dmp
memory/1324-285-0x0000000000400000-0x000000000069B000-memory.dmp
memory/1324-284-0x00000000746E0000-0x0000000074DCE000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 24db85b668544a313371c8b32ec90967 |
| SHA1 | b228a05e850b173487f984cd724dc9324919134a |
| SHA256 | 2a14e1bb6e636a11693c76cee408b3b78501ba375b1d86d27aecebd88cd80dbd |
| SHA512 | 0e515422a3492e56c51ea125798cf48512cc54c895b632aa4a48f4d524e664db5a68d4ffdfaa7002c9845ec310c6722c3f736aa8d26b984f8adeb67d0bbff5fd |
memory/2560-287-0x0000000000E00000-0x0000000000E80000-memory.dmp
memory/2560-286-0x000007FEF3F10000-0x000007FEF48AD000-memory.dmp
memory/2444-288-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2560-289-0x0000000000E00000-0x0000000000E80000-memory.dmp
memory/2560-290-0x0000000000E00000-0x0000000000E80000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 7fb9fa64baf4f95f43a3e3bd2678ffe5 |
| SHA1 | 63d70204c540333edf879973bb8626d7d0fd3730 |
| SHA256 | 70be7e4b402da24fd9262dce268e2850c8ecd37527e661590f04c03e770d4271 |
| SHA512 | 4e9abd42c2f83ea67ac3be47b6bebcea78fe9f518f803a5a1277b93b070d85f8d1f9a4d3bc72c4c3d3ae2ca13d4572f69505c0fe5d37a633ebee492745c9ce38 |
memory/2132-302-0x0000000000910000-0x0000000000976000-memory.dmp
memory/2444-311-0x0000000000400000-0x000000000069B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
| MD5 | b9bd716de6739e51c620f2086f9c31e4 |
| SHA1 | 9733d94607a3cba277e567af584510edd9febf62 |
| SHA256 | 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312 |
| SHA512 | cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478 |
memory/2132-295-0x0000000000400000-0x000000000069B000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 524abb93abc7f354b25df7aedac1363a |
| SHA1 | 8b3357fafd97cd51d787baae4e986a86bd43572a |
| SHA256 | 720b45afab7985b95c73a397caf89de6592e5fb37b8e885e96bc039b53cce31c |
| SHA512 | 492ed8f073b357d896e68d885ef56e14a0e578cbdf73b1da51ea950877991edd233465f64809b220fb54ffda880dd794a6e15ecc9ea14011ea2312ad7e81b7eb |
memory/2056-316-0x0000000000400000-0x000000000069B000-memory.dmp
memory/2132-326-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2132-327-0x0000000000400000-0x000000000069B000-memory.dmp
memory/2056-324-0x0000000000C00000-0x0000000000C66000-memory.dmp
memory/2056-328-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2444-313-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2132-312-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2880-334-0x0000000000400000-0x000000000069B000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 1677dda9e652755f6ce688a659688f0a |
| SHA1 | 0e8098058415df2951b8d6af029403265af223e8 |
| SHA256 | 427ff782fd72dbdc01a46c51283e27a02148ab016ba84231ed8b824a9d4e7082 |
| SHA512 | 1a0e99afc2a85ecef7ea59be21653048f7925c770925f45a8038834a2d92a3360195af0ea5d0ee31676f074fae1f1d155da94dd0f2c571ac421805c6ca815135 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 5d5a010ea1b37cd1b5ff07f00e4b52c8 |
| SHA1 | 93afca8e855a91b427a55403c7c6531c67bfc384 |
| SHA256 | 197d6790dd4e06f354e036d952544abfd45a0c9ef4bfd5713c5cdb0e97de82d9 |
| SHA512 | cf88e63e4fbfe7b3c4dd19ca9d1a83ad060f831a274427818c25cd4fb9212c0aff44a171108a8dba7001759df8a3c4a4f59fe07d28cf04e89fb8b9f54bc47c09 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 1aaac4aaecdd5f1d80fe662ebed992c2 |
| SHA1 | d857b70e1599d1b2e3e6a86d94d26e444015b57e |
| SHA256 | a02bbea0ba316fb5918e8f1651b82f12621c722a96009168738ee3ac8944a7d7 |
| SHA512 | b6195786b8cc1d523ed1e2a8c99c4dfbbf8862cc00a9b2ae7f84dfe3566c729c1421c6f9971c43a38b005d3dfe048c1f09f43f01ced1ad2bf4ec8d4039934514 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 90f80ccfbb519384549bfcfcf4b162ee |
| SHA1 | 64dc2ec6256455fa777955a0adbd7cb2345d5f86 |
| SHA256 | 2e72c456dcdc51ea68c5cb7979f081bc5017cb2fa0c1582a405949071650752d |
| SHA512 | 144baed05d5866032c0f438428517c312834de746dbcc300ec8948e2b18928aa3349a4f177151d8c3767dc74a782054b819fd9cc1679f403d79b1415b450d8f0 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 592aba5e9c407c77bc4e999a92cfc36e |
| SHA1 | 60b847a729ebe543d9d836665a11b18f7006e8d3 |
| SHA256 | 7cb91b2ef97c1d2a8aa30da121909ac19754b50aca185480b119cbbe0a2689a9 |
| SHA512 | c7a38266d53c824411649afe678872570197173d8a316eeeb3f9cd5fe58207fe944482445641b1e3ef5c0c6473201d1e9ed4e0708c65ab5d483b0228eb6b8919 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 4ff32d25918348f4195525a9a4bac09c |
| SHA1 | 9390b9192df5bd22490f849b9882b79053811bc5 |
| SHA256 | aa6d67d9fa76d21535d76436bc6fbaa6249c0cb890bac1b6d8ec9e05191efda0 |
| SHA512 | e09533cc5dc83ed4fdff946fcdb8143bc65c00c1add57e0ab10477cbcd6280bc417d7284cb6ca8884c51a5a3604b185199f3ecfa7d4ddc122d0a40e4bc68af06 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | df3461ffc9626a87a8a6327d7366010d |
| SHA1 | 3037f96f0fd131b7a476c6bc48f1a72d9fda626a |
| SHA256 | eba17220b174615ad1262b94a6459ccd66873ab42592da9f7ad278a6557a18d3 |
| SHA512 | e0d2517c033b9b84d3841d0be3fed56d3630ead9d115433451c90290ac4e1f2a05adac1f273206cfffd71b31ed0ebacd25a5f8ecd9f77ad9d0f3a37e0acbe392 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 84ce8afd8ff4053d19f9448a43aa91b7 |
| SHA1 | 1caef04d1965381414d85171d449f2d1a7dfa49f |
| SHA256 | 154c77bc4779907355975fe8bef972fd2de29564687327dccfbd9d8a63cb0e46 |
| SHA512 | 33a9edf17509acb2c0f0a7947789cdf8f121fff98f2cd4eae7ab040c76eb6ff1184d5c211d63e5fcd0e84dadfc8932cb4e532cadf9e40d42e5300c34417bfedc |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | b4983497aa86f088f0eea904bbc9a5aa |
| SHA1 | 2b5fff4b4525054d28456a13b4dceedbee8f8f28 |
| SHA256 | c788bd6fc74cf47c713e841ec9a1f8f30baaf82b582dda984f787534e132a771 |
| SHA512 | 7dabb3942ee76081cfbf87d4a07951fd44ff893968fc9ef942b1fa5a93c89ee7e2662651c3ab4ef03dbe413e28e09f96b63c19525ce6adf4b79f31f28f71646d |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | e9bc491a5bbf32b82d24878f3e55b363 |
| SHA1 | d084000e7faeb2d1b7725247b2e88dc12c1ef1f9 |
| SHA256 | ea0773f93e1911a85ccb073215dbe468b2204712f3d245e33f19a51877afc088 |
| SHA512 | c542fcfd635ae240a58e81abe6d6c84f102aebd3891d7a002fcb542bad9720da656e290cf15eef671da663a0b43f55238efe03d931f9acff935c877bf4c8d502 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 2d15a6d268389cb06beb5e1f61a6c5d0 |
| SHA1 | 0fe363f6223b38d69c6570b251e1a696e8c40aa4 |
| SHA256 | 397ba9030cd5826386b3ac4a7c9c89f3b1829913243b931480bbfd2757ff9b24 |
| SHA512 | abe06233ca6e1767133d348f4f3d6ac2ecc386e6ce2cefccf988a44298f8a5c414cc9c5f6c921e459081733a521bf19a3a08d3dbbe1e350029f5d44d4b5d3599 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 043fb73f8db7d522eb6d9dc42bd47c19 |
| SHA1 | 14915b928c28d814368050cddc047af457d966c5 |
| SHA256 | 07cd9c73b66e8087c0bb74ad32a4cc5162398732104d79c906b1526e55abc7f2 |
| SHA512 | e02e821b8a78efb7edbbea6392901d76ac1a347c5ce9e6f31a561b86e438f5796860672eee9aa379cdbd8d2bceb93e61277e32aa4363c404347aff9d64bca28a |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 2f99e64e2c50f164a23015c1876db723 |
| SHA1 | cc03ff70e7780fdf4f4808927f8c8a7220614090 |
| SHA256 | f6335f259880b70062ea34d6ca084dbb15386da25e79348eaa4dc583c1e6686c |
| SHA512 | 7a386c91674fe8f0f5a7c554cfa876a2c56e638218694ee8b402ec372561666135314dfb97f97cbb30a2a21487840dc4d356b06be4870684cd322e9c42454e2c |
C:\Windows\System32\ieetwcollector.exe
| MD5 | 0de3081b080c6d88eafcaa8d3e2494df |
| SHA1 | 15dfb685da769b021fbb629cd06927a0edfbc040 |
| SHA256 | 19951ce55c206592b3894cd73a4b8e54499c6ada3607383fabcc83101481396a |
| SHA512 | 7b836989580a353739cd68d0804ca874a17d681a20bf69fe1356edab13f074bd300b3fb59a3f55ab621cc575643374a87e13e2834442d5d0330393b71cc979fc |
\Windows\System32\ieetwcollector.exe
| MD5 | 4c714e62937ac870744c7e9a8a380b61 |
| SHA1 | 1278fa841c0ea1fc12294e703b191de2da6579a9 |
| SHA256 | abbce32ee72921b17465adc3b66d189cfe48bcac92ed066f082b5c5c7e3638e4 |
| SHA512 | 756a9cc11088c2f0b6b3616063b8e40e3593fdaa656a371a877af80fa1f06ff1a1e7a4dbaf7dacff92f12fd1ced26441be306ad191857dda9f54f79fced8e5d8 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 3dbe947fcbecfb4b9029f5c41b03b8bb |
| SHA1 | ab1dac22d10fd18988e97eb1d016e272ce4b6819 |
| SHA256 | 877953f49739946b141452c41821f0c4cb3f8d568373a85e7842dc98e4a26186 |
| SHA512 | 1313123bf7d9148a30e68771982d9f882a41456fdd13f16de1fe1d32a8e2ad56af48ba99ed20bf2a2d9e7ef6606468f51106222c71d4b7f87cbd4348cc25f514 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 573c2dfc515701c903e39bb8b9aaecb9 |
| SHA1 | 97473da63b99e90e68b718d56aa32d9f639a59a1 |
| SHA256 | a1affe0028dae015dfb079274e3aad65bec90941195c37a2425f55ab14f0a8f4 |
| SHA512 | cada56bd67c7f1cff4ee93abe88ad38c1f3be2f5e9ca5393d80b126143187dcf5fcc0fb2c9f5dab827d17c68df1ff6ce4d307f6cc9665f5ce823f767a7bf5409 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 80a083b62e2fd48152fca9c33d346972 |
| SHA1 | 9e98797ee849d18d164a9db0c3918c97aa11b918 |
| SHA256 | 8e9d94a17dde135a34c41bcbc42fc8681363b6860ee22fae255a1ab544c0c48c |
| SHA512 | 03afd3646da9885732b8e4c06d7c3c61cfa7ea9f7fb65114fc495d430198a70b4b95cce2bc0780baeff16db3672cd57147143bb7ecfc4e53a21c106f83c0c624 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 8ddfee45fc8a64414bb6cb7b3204a79a |
| SHA1 | 6cf8b13f5ab81558f714c9e1536f57d5d934bd91 |
| SHA256 | d0e7ff33d78161657c85e5b51300fa96d8b53e9bc0e7a494b5a8503f3797c170 |
| SHA512 | 1028617027d233e02a9d539c531c39b9f6d0ba71e3531d9b4d60aa466a5958bfc89361118e1a6760ece2ed7701c4acaba03c160cb48d7fc9cb2f87c64abdfa23 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 97831a316a37397d032cbc7a934d8d8e |
| SHA1 | b43e0f347eb44b772c3b73cace5cbfd83f244ad5 |
| SHA256 | 01c2b3c0516f06bb91b0cb7731a38066dbb21218c0c508d7f762dbe4e3bb2a16 |
| SHA512 | 249faab76bad953348b1f91555c07792471a18916c2bb054dbc8df4dd208e11174531508081d42566d4a24e82e5d0398cf90e485464ecc735220147e4f6d08cd |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 170318d5389e35905a52be047a6c5f44 |
| SHA1 | c962536621ed66c97ab2c431cfd75ef4ac7ac191 |
| SHA256 | 0b2186914f947d965d359d26d10553ecfcf7e14e6de787707123939f87a69917 |
| SHA512 | b455f102852265bd84406cfa8cc3759f0b38a492f12b78ca41830c468c76a9c81fe09ec75c7b757f013ca6984a349f8faee598d06106a3876162e86100465edb |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | 4e575e9223009450758a8caadcbf60c4 |
| SHA1 | 1e8c9b9eef6ce8b52e9ef8361224aa739f06488a |
| SHA256 | f90d3fbd50ea6f4168ba11b25482267ff7561b15f7802f2f86be7b773fd6f7d1 |
| SHA512 | 3df22768825587dbf24d6a8ce53c494d1d96494b24901c80dabe80bd1943f7bd89c02ac62e63a68c3d52931787ea662e2f5f75d62455fe1b8c828cb614c07f65 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | c5500246d1abe101eb79eccc2eee48de |
| SHA1 | 0a6e40ba8d84f60ad8a3e9b9e6a089723ad76192 |
| SHA256 | 882b02b8abbdc9e63116f734c08ac9ed29a3450808d9c4e5632378c7a8651172 |
| SHA512 | f084904bfd7cb84384444c27b946f41477c52bd406b9f792497121af2c3b8ec4b114de344a948bb662b55d019266f3e78f95adeebc1da37735bcd98bb29f4983 |
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | 629fb08bb648e6d9fbe1efa8bc0f9d97 |
| SHA1 | d524a77fb103d6586403098a7d7d68605d48a1f6 |
| SHA256 | c16fb85b89a1b6b1d33b60663cc98883424174b14e37b1a7140602af3645e709 |
| SHA512 | 79d3b7cc0d7ed341a53b3114a43b048441407712bcf492da4a51c22821c6994baddb174be441d1e848afd05e30db5d79c802f43fe7f20e57a97c454d380c8285 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
| MD5 | 8c69bbdfbc8cc3fa3fa5edcd79901e94 |
| SHA1 | b8028f0f557692221d5c0160ec6ce414b2bdf19b |
| SHA256 | a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d |
| SHA512 | 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
| MD5 | 4f40997b51420653706cb0958086cd2d |
| SHA1 | 0069b956d17ce7d782a0e054995317f2f621b502 |
| SHA256 | 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553 |
| SHA512 | e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
| MD5 | e58ff44c6537b7ec4ddba44b9d5dac25 |
| SHA1 | 935f0a7bac6133b746ceeaac909895e3abe4b6c0 |
| SHA256 | 6082be2932d591459873522bb11ab2eaa1374a11521ad890813e6ed78355f88a |
| SHA512 | 8a79273efd52877f04c247aa3a2a57f3e450d44d156790ffee674545500700d501a3c5fd92bd406d827a269e3a9627e460f6820ac26bd1011e1961fa6c96eea9 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
| MD5 | 71d4273e5b77cf01239a5d4f29e064fc |
| SHA1 | e8876dea4e4c4c099e27234742016be3c80d8b62 |
| SHA256 | f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575 |
| SHA512 | 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
| MD5 | 3c269caf88ccaf71660d8dc6c56f4873 |
| SHA1 | f9481bf17e10fe1914644e1b590b82a0ecc2c5c4 |
| SHA256 | de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48 |
| SHA512 | bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
| MD5 | ac901cf97363425059a50d1398e3454b |
| SHA1 | 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7 |
| SHA256 | f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58 |
| SHA512 | 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
| MD5 | e3a7a2b65afd8ab8b154fdc7897595c3 |
| SHA1 | b21eefd6e23231470b5cf0bd0d7363879a2ed228 |
| SHA256 | e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845 |
| SHA512 | 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
| MD5 | 2735d2ab103beb0f7c1fbd6971838274 |
| SHA1 | 6063646bc072546798bf8bf347425834f2bfad71 |
| SHA256 | f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3 |
| SHA512 | fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
| MD5 | 9c60454398ce4bce7a52cbda4a45d364 |
| SHA1 | da1e5de264a6f6051b332f8f32fa876d297bf620 |
| SHA256 | edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1 |
| SHA512 | 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
| MD5 | c26b034a8d6ab845b41ed6e8a8d6001d |
| SHA1 | 3a55774cf22d3244d30f9eb5e26c0a6792a3e493 |
| SHA256 | 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3 |
| SHA512 | 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
| MD5 | aefc3f3c8e7499bad4d05284e8abd16c |
| SHA1 | 7ab718bde7fdb2d878d8725dc843cfeba44a71f7 |
| SHA256 | 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d |
| SHA512 | 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
| MD5 | 0fd0f978e977a4122b64ae8f8541de54 |
| SHA1 | 153d3390416fdeba1b150816cbbf968e355dc64f |
| SHA256 | 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60 |
| SHA512 | ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
| MD5 | 6eaaa1f987d6e1d81badf8665c55a341 |
| SHA1 | e52db4ad92903ca03a5a54fdb66e2e6fad59efd5 |
| SHA256 | 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e |
| SHA512 | dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4f95c6c4df14a8bf03f641bca6ee97a7\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
| MD5 | 42a80081055d07fa48ff9bae8c3d3416 |
| SHA1 | c0c4821725f8ef06b04b53b512c142a7d5b12fab |
| SHA256 | 2373fee84bccc0caaa9a8f2cb6d867749f7bf4edd4986bf2dcd2fd12ee88d8da |
| SHA512 | 2d69c7e0dc7e8708b5758ef030945272e675afdbb242a217077c4fceef4304a8bf8c1c2417688eafcf8bd6bf64ff2aff191d1ac43c72ef284248bcef629924a4 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\651164228fa042cb8dbaad93b55c10be\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
| MD5 | b777b525fa2e9777f7b72ef9eedea118 |
| SHA1 | 37e1eb01784c02196ce3f3865389b3b085a655cd |
| SHA256 | 2d78937d86157ee906eb7f7b99b1ef393fb9c1ba2a56b65e4f56e5050b46eb6a |
| SHA512 | 2cac75d251ba554a1a767c6bdc7401e28d91777e679c5c5243a7abd181d67c011f9babaf48f6d3ae96fef92c43304c12787c9d8fa5c41d35cff42ca43863cb37 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0075e246794171ba10740e59bd8e4151\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
| MD5 | acd692fefa6fee21c184edeee0b7f40d |
| SHA1 | 6460167a24f2bea2b39fc2cec070843e26e60445 |
| SHA256 | 956e1e84cf23a0e3f9919032a058b3a61c70a303926e3cabd25b8557e3bc026c |
| SHA512 | db61a9256f4a13e4e7178cea103f047583d70879b1ac9589a4c3200a36aa325bb60e72210ffa5e45af103e6e7d421a198c174465e8ae2c3d7e739b73222e66ca |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\374be9bfd378f32831da3f12c8d4388f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
| MD5 | a842cfc2c68cbd16c3eec00f3a907658 |
| SHA1 | c28857d1771f70659ddfaa4cf8368282b11f5fff |
| SHA256 | afd4271c638e1a43ed0db7c203abbb306f51465ee999d2566e8b7a6cb1dcc743 |
| SHA512 | d0a412aed7cdabf1f125921437dba3848ea469a400993eefa8e07f66e57fb0c03a35ac3eeffaa7dea6ccd98ce939e176998b096c0dacc3f617ae2cad6386d586 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
| MD5 | 7812b0a90d92b4812d4063b89a970c58 |
| SHA1 | 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea |
| SHA256 | 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543 |
| SHA512 | 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed |
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
| MD5 | 3e72bdd0663c5b2bcd530f74139c83e3 |
| SHA1 | 66069bcac0207512b9e07320f4fa5934650677d2 |
| SHA256 | 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357 |
| SHA512 | b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626 |