Analysis Overview
SHA256
cc36ad76f4c4156dc8ab9aa8fe88a27039deb778949ac6e8ca078555f2c88fb0
Threat Level: Shows suspicious behavior
The file 2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy WMI provider
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-15 10:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 10:33
Reported
2024-05-15 10:36
Platform
win7-20240221-en
Max time kernel
138s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a2a820c7ae4ef42b.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F02EFD76-B175-4386-A9C5-C5AF299C03B8}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4FC5.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP88FE.tmp\stdole.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3BF7.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP53EA.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP516B.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP55CE.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{612BAF53-A521-49E7-987B-0D31C29DB256} | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000050fc2b97b3a6da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 248 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e0 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 278 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1e0 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 1e0 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 248 -NGENProcess 1e0 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 298 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 248 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 274 -NGENProcess 1e0 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 200 -NGENProcess 1b0 -Pipe 1f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 250 -NGENProcess 230 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 228 -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1b0 -Pipe 224 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 230 -Pipe 1bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1b0 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 268 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 260 -Pipe 238 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 230 -Pipe 228 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 230 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 278 -NGENProcess 260 -Pipe 1b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 260 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 280 -Pipe 200 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 280 -NGENProcess 278 -Pipe 230 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a0 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 278 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d4 -NGENProcess 2c8 -Pipe 2b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2dc -Pipe 2b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2c0 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2dc -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2c0 -Pipe 2d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c0 -NGENProcess 2e8 -Pipe 2c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e8 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2c0 -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 308 -NGENProcess 2e0 -Pipe 304 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 308 -NGENProcess 2c0 -Pipe 2d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 284 -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 314 -NGENProcess 300 -Pipe 2f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2c0 -Pipe 310 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2c0 -Pipe 308 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e0 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2c0 -Pipe 318 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 338 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 320 -NGENProcess 328 -Pipe 300 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 31c -NGENProcess 334 -Pipe 2c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 330 -Pipe 1b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 328 -Pipe 32c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 334 -Pipe 2e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 330 -Pipe 338 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 328 -Pipe 320 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 334 -Pipe 31c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 328 -Pipe 340 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 334 -Pipe 344 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 334 -NGENProcess 354 -Pipe 330 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 364 -NGENProcess 328 -Pipe 34c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 10:33
Reported
2024-05-15 10:35
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db | C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c75c884b3a6da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0b1a484b3a6da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af61b584b3a6da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ead5e984b3a6da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c75c884b3a6da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005e9fc84b3a6da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2d22785b3a6da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 2580 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 1740 wrote to memory of 2580 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 1740 wrote to memory of 2296 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 1740 wrote to memory of 2296 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Network
| Country | Destination | Domain | Proto |
Files
memory/4776-0-0x0000000000400000-0x0000000000554000-memory.dmp
memory/4776-1-0x00000000022D0000-0x0000000002337000-memory.dmp
memory/4776-6-0x00000000022D0000-0x0000000002337000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 8fd34c521b8435729495f842ec2557e3 |
| SHA1 | 7b3bfbfb0e19347c42f0fe98e24ff6d5f6a10a83 |
| SHA256 | 03dc85c6cfed9ef29bd1dddc05baf0c2249ff9a9faebe034db65e62fb062b58f |
| SHA512 | 9e710d199bea858db89243a2dd0e2fb8c0506472fc97848e97636d33e272e5f25ade43ec9e2cbc796e0dc6c29d0e384d109f766f3ba0110ac6c6aa25ff6add3d |
memory/4776-17-0x0000000000400000-0x0000000000554000-memory.dmp
memory/4076-18-0x0000000000500000-0x0000000000560000-memory.dmp
memory/4076-27-0x0000000000500000-0x0000000000560000-memory.dmp
memory/4076-26-0x0000000140000000-0x000000014018A000-memory.dmp
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
| MD5 | fcf45e1c882670dd2e78e5da77b93692 |
| SHA1 | 1d38b61231f79e2fe1731a3f0ad9ca71690eacb2 |
| SHA256 | 737887d659b44eb8edb0960a277aad287668ad5e5d3ac89d0cd686d96261fa77 |
| SHA512 | 621c7fe893c028644f84f27bc55bd9e4c5f8a75febf9ad2b4d4a546b2fa4a773905b0ede6816bdb2f6dd927e343b79c70f9145d0e840b4f27b9ec0e85ade5bf0 |
memory/5968-31-0x0000000000540000-0x00000000005A0000-memory.dmp
memory/5968-40-0x0000000000540000-0x00000000005A0000-memory.dmp
memory/5968-39-0x0000000140000000-0x000000014024B000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | 24805374e5452e9106d158dc1e51dc55 |
| SHA1 | a778740d5c495b5cfe16e05457df6e4ea0ee7d91 |
| SHA256 | 92589680d89e3f6c61f63324e887a5d730591fef985eb19ac90355dc9eb9c1a5 |
| SHA512 | 3b5058eef541a64909d7e447349f974d1ebab7d89da4293846c117c79018f52e1b3d72a11633d38799281bbb31c96b542b960bc18cbc20f439ba1fac9fc11335 |
memory/3732-43-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/3732-52-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/3732-51-0x0000000140000000-0x000000014022B000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 81e4aeb28a48338b16d36341938cdeb2 |
| SHA1 | 0bd3e831bdf20329ff3244f72cdaf74e8a393f66 |
| SHA256 | 95e64afa22f810e4f55c80974b673e9165799ae9230edac9aa4d760258e02dc7 |
| SHA512 | c02413734217b38810eb58987a64bb9c644bea6a3febd355c3fc1d9d2c09eb10022229fbc9fe7da4d8ec4231cb2183b37b1d688f1f377c9c0461172098552ba9 |
memory/960-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/960-63-0x0000000140000000-0x00000001401AF000-memory.dmp
memory/960-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/960-66-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/960-67-0x0000000140000000-0x00000001401AF000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 5367fb86dabc9c644036b850f86dbede |
| SHA1 | a43d1ebc5ae3c2a3625c3efcb318bab8f845d886 |
| SHA256 | d313dedca79fd24cff2dde21e6ed3c3eeb55a51ef5f748b9abc7a11d21c92417 |
| SHA512 | 7b1d0b3a7bb9342dbb2ad977ab623b10fb4a7ed2ccb97c1c1625dd69ce3cfdf95b2bc727d6b0bed219595c69df35baeb6381227d8c60c079bd18a4887ba155c3 |
memory/4688-70-0x0000000140000000-0x00000001401AF000-memory.dmp
memory/4688-77-0x0000000000800000-0x0000000000860000-memory.dmp
memory/4688-71-0x0000000000800000-0x0000000000860000-memory.dmp
memory/4076-237-0x0000000140000000-0x000000014018A000-memory.dmp
memory/5968-238-0x0000000140000000-0x000000014024B000-memory.dmp
memory/3732-241-0x0000000140000000-0x000000014022B000-memory.dmp
memory/4688-242-0x0000000140000000-0x00000001401AF000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | cdd3655a1be1d6fb42b306d8d4e1e50c |
| SHA1 | 30ab03b9546193f23835eb68328db565a6fa4acd |
| SHA256 | 36e083d06d6d36168753d8baff2438d4da2a2da25c6d77b589503fc4a7d72f86 |
| SHA512 | afff697bf28301f56c37d0afb95d2b562f847c28054f43acc34b2473f28e3bab42250e794efb1aea032031f5eaf22109bb1788b15d669d9a047b275b1892218b |
memory/3832-247-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3832-248-0x00000000006C0000-0x0000000000720000-memory.dmp
memory/3832-254-0x00000000006C0000-0x0000000000720000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | 3ac5174d41ead2294a427a0e9e739c67 |
| SHA1 | 4f440ca4c8ff3ec0cdcad24fb24646eab9e4a2d1 |
| SHA256 | 36d870246e75e970861b672f97201a5cae7ebda592054285f2fd366d1be83ba7 |
| SHA512 | 3398ef0bd0028978e6a31d271f43d3bf875c2d8fde49b6fe94ef209f6130b4ba7aaabe4e846cd306a521540e46b28d7dde98bf481faca611bd9ab2701d255932 |
memory/5240-258-0x0000000140000000-0x0000000140135000-memory.dmp
memory/5240-259-0x0000000000EB0000-0x0000000000F10000-memory.dmp
memory/5240-271-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 6acb4e3ed022f89b6bbe7967a0d0ee43 |
| SHA1 | b6c40619392cc473d82410e50b453aea944e15b1 |
| SHA256 | b0b1f267af2ef26c4a4e0d64550f78186e062615f47409123ab961679176f1fd |
| SHA512 | ff173945f172d1ccc5626f70ed226a78771882c3e1fbaf2a9d8aaade7485952834536993ffc3b9fb388861a25829ba717da98be9402ca27715db40e3d3bdf4b1 |
memory/2520-273-0x0000000140000000-0x0000000140199000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 9c4173cc3b5ff45deaa40e502dfa6d77 |
| SHA1 | c917c0d317195dc00261943247bd3fe474185581 |
| SHA256 | 502f03e7cb81e25ad631112f8428265511bd17949980c37f5030955a706d186f |
| SHA512 | 4f7aef98968cda8a81e6780437e5676746f03c6be46b590eee96d817e0432f3de8395a9d298ef07702507abd8256586639c44e6dc1a0f1aecd11228b115af94e |
memory/2376-288-0x0000000140000000-0x000000014018B000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 697804019944f637af1a771636311218 |
| SHA1 | eb00aa95da9985196bcacb165a5ce18fa5aa27b3 |
| SHA256 | 85f1d4b03991d3e01ce88410c602db283c2bb1cb24c92b6d4faeddc5a6e56488 |
| SHA512 | a78ce4f4e637992d08f12e075b4d5666b4607fd3e3433495e5a687006305b68f33d6b480749f7f0cae875b5417a5fe23e9d7fe470db9c77294f0f72e652c374b |
memory/4780-299-0x0000000000400000-0x0000000000577000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | 0196ffe0e3135587d46571b0e717ef79 |
| SHA1 | 6b60e196e39e29798e976d41418a0e16d25a3475 |
| SHA256 | d0fd828b16f5ccb98255bbc9838d63e90265dc3811288104ef7f11e5a1ee6fb2 |
| SHA512 | def702c3c0f90286d81cb7ab53f5e7d2d7347018f4e210c9630c5949da492ee60f3e68ccf0a6192253843333abf2fc4a35c22cf44233f7daf24f930b7c15bb23 |
memory/4132-302-0x0000000140000000-0x0000000140175000-memory.dmp
C:\Windows\System32\SensorDataService.exe
| MD5 | 625bdb126ab413da1ef84a8df8a9c36c |
| SHA1 | 58579dd71b7d017fc80f9fb660cdee7069e87315 |
| SHA256 | 5edd7d28edbed218ec17d26c75b3b40f8afebdf778e2a0b70f9ebc270ad131ac |
| SHA512 | 5f3a90daf6b00b05e05be8cd092254eb160938a2485ab94543a845d39c7e3c748a32b30cddc372f5d9775bc99c855002abed289b343c5bee215ed2057631ddee |
memory/2104-322-0x0000000140000000-0x00000001401D7000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | 7d8d7728a376d216c1673f1c599204b2 |
| SHA1 | 6171c8a292b7805255cd4df742e05d62189ef261 |
| SHA256 | 2791ffd162b74aa21fc5f83b5df6d36b25ecb87f9eb1cd4f649a7ec61e1dd9c1 |
| SHA512 | 44c79eabdb1b5eedeb566abe00741ae9cb38b731338c73e54875fc92d4a1b4dd88c9064be56ac5c1fbc2fc5bbca981b5383364d74c804886432fc0377fe8b311 |
memory/5800-333-0x0000000140000000-0x0000000140176000-memory.dmp
C:\Windows\System32\Spectrum.exe
| MD5 | 9470850ee29d69175fb0fa60ae3da9d6 |
| SHA1 | bd63b1124fcbd3a93ee0c3b21254db9834dd8326 |
| SHA256 | 4c96c1cce8df5fcca335511c0199b704f2586b2b0f87f3965d54934650c891fe |
| SHA512 | 3f541c330cc138dbd515fa8f572ded409bddc39e749167fe9b0911fa5dc1bcb6ce38bf43659e122735d940edf2a43a75433617f4c8ea803c3a2d3e5dface41af |
memory/2176-336-0x0000000140000000-0x0000000140169000-memory.dmp
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | f60826683b9de81eb38b31fefda6c23d |
| SHA1 | 759b697aa35f1f3db448edaf0ca102a14e284f1d |
| SHA256 | 8d706fd6f439d828bcc645f4592d85eec59ff778d4fbcf2689271f74db93a593 |
| SHA512 | 7be781d5600e680dbc6c7b5438cc060dffa09297ab483ccd8053663b0ae3d4398c626ab0e4545dbf6d94619fe7433c27ec2c6da33b004b131918b583fdab6957 |
memory/736-348-0x0000000140000000-0x00000001401E2000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | 8b474563a7b3fec62b9cbaed854b5e71 |
| SHA1 | 3a6166141b1349d3e108e6babdc85bd5a0ca8c34 |
| SHA256 | cc57e15600c136d9e1ed33e31142050f5a846bdc9a4569bb00433a4d0ab2f4f0 |
| SHA512 | 6a18abc82bce7025d810ecf3c0f56966f6f2aad771bad209307b9e1bfe12e68c92db5ea439ec2e7544f6843a24c63d64ff4ebeb11dfa4f629e19dd70822d102c |
memory/3832-367-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3228-368-0x0000000140000000-0x00000001401C2000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | ac52f1b912c68c83c81b7b4aa8bab57e |
| SHA1 | 44f7e91cee8fdc85706c8c89a9e8d25059f57db6 |
| SHA256 | fbf837b73a82853c679458538319c289f0c9a1056dcd61f4d521879f4424ce89 |
| SHA512 | 7cf645206a902783f99eca6cec81a02f01af6efb5d66110c2d7c7aba0029e15966e57be44f40a1744976df44c40be194e8453c71ffd61d45304e086bbd6c0c10 |
memory/5044-379-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/5044-383-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 8a76e1a1bf98a31bce32e346e9e89420 |
| SHA1 | 2b3dc2f0d91201492324a01c9d38687da25863d5 |
| SHA256 | 9680681180976987a73de0255a4dd3a451321369ba48af8d9deb62672c5e14cc |
| SHA512 | d35d113f013190fcdede4bf4e2a2af6bc64172527e7e92ba5f114dd09257d0f9a29b54888863cece4bc6d1dfee3275034328960fbd16a7d066adb6e1199dd09b |
memory/4552-386-0x0000000140000000-0x0000000140147000-memory.dmp
memory/2520-385-0x0000000140000000-0x0000000140199000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 5a6a5b6d52e0c8fe2dbc4792056bd4f7 |
| SHA1 | 2f6bf84aeab626752218f0f9935e3987d63cd5c1 |
| SHA256 | c803f355e3bebd41ccf46984426b280c222a0cfd72b7f6e4c862512c2a10c9fc |
| SHA512 | b0a16ed2bdee6ca01b425b46a248739f0d6918a90e36e001903ee5cea974dda5e5b1915b0809dcf334bbc436a851e76c61ad895bb0f199e5ca974a8f7b7b43d3 |
memory/2928-398-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/2376-397-0x0000000140000000-0x000000014018B000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 2d55314e41e824d6fd9263516e0a2777 |
| SHA1 | 6debf36b259324e9c572aa864471e2ffef6b23c5 |
| SHA256 | 11331fd37a5886526352f92bea4fec9d89136b1650c426a3231920371ce088b5 |
| SHA512 | f4efd43fe9204bc9db7fd432edf643772602f011e306061ef8ef12dbad9dfa0a3db1b206b0520c7233aaca5017a5c48bf9777e7a0a0aefb4aa65775022616988 |
memory/4780-409-0x0000000000400000-0x0000000000577000-memory.dmp
memory/2368-418-0x0000000140000000-0x0000000140216000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | cdafb0accd7d589f238a2a45671307bd |
| SHA1 | 42cfb4f33c8d95b257cd49621423d938ea3104b1 |
| SHA256 | 3915c7863c81e93ff860b276659507b5f6e4af2e44ad7ade6e1a03b0ddd6f681 |
| SHA512 | 3eb1c4a65e29329304099658fb4ba176d5b3ca3b793cdae39edeb62562a436db800882f4b6098aa7a7d3f32957a5e4e45ee4f006bb69ad25f8aaa60c728067d2 |
memory/2112-422-0x0000000140000000-0x00000001401A6000-memory.dmp
memory/4132-421-0x0000000140000000-0x0000000140175000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 9351f7ed53338d49190ce1e23d8222c6 |
| SHA1 | 0c8aa8fc07b082de5f749eed2cb1a620081a7aea |
| SHA256 | fdb45bc401983d4fff270d29e611cd1414ae0a43c68dab81cb409a4337236f30 |
| SHA512 | 09d41a5313991ddf60d3db5009a6dec61b0ac295c585a80313b5ccca9a698c7c1057f4f32457a8727bdea6d3afe9dfd6c252d56bc846db93e4eff9114bc090d2 |
memory/1740-435-0x0000000140000000-0x0000000140179000-memory.dmp
memory/2104-434-0x0000000140000000-0x00000001401D7000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | 6c056ca79b5caaeb7be79bb772ef95c8 |
| SHA1 | 9e48de58de1b875821043c22000cac37d0ff39b2 |
| SHA256 | fb12704bbb84cb9a754fe5361a4601b16c2d123ee667e480754a99bd65f7849a |
| SHA512 | 77156879a7efa4441aa469b313aedcce5819253226c50b3f2c317affad56d5148b55233538b02335fecf8b3cfa22ad63fad83d9aae9792bdceaae845a7961d86 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | cbcead92efada181894d9c5638ca4adb |
| SHA1 | 630140cd8c42ff67a036b47baaff217e16bef170 |
| SHA256 | 5e49b0501422f8c11c5b581dc5d530ddf838353c77824adcafdb8ef8312c3c27 |
| SHA512 | 228bf61506955cf9de7de470b370e056f33276ec58cba9421f31f1d8f0462356e57daeb543c3039e876d017d5bf1f89630da033e91f90e187a8c45664d9c5327 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | 22ef18ee22f8f79c120c91918e637e95 |
| SHA1 | 0aa4805991d80a6fae2fc7debe79b26c5e82f119 |
| SHA256 | f35fd651ba2b9755de48c31020972fb0ef9734fce67f345101a10682575530fc |
| SHA512 | dd59e89524e0434c6c7fdcd08c480d3acb2ecee1a079a02193d67b0faa6b5700a9cb56c2e54ab9c570bc6a44a83aa22487ced6c3f44dae980b4c682820aeb41a |
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
| MD5 | e0a3f6719bace1d19495df23b8233ea4 |
| SHA1 | 2597e92c4f147f3ecc40f84466cf8059541d21ee |
| SHA256 | e88fceae8c35eb1ac08d9c0c7509cab40ab182deed2a7686833e8d8f173feb00 |
| SHA512 | edae3ba16020cb505bd7e2df4a9429e6e0544921b71084d6d21d3b350f00c3325b8a7783586235e8344c22ed9cc97070df1f10136753e969771cc3a405f83529 |
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
| MD5 | 5c6428dbc49a13efd60eadb987a2651b |
| SHA1 | f27750a08faba88e02e84dcf1256f871f82f71c1 |
| SHA256 | 6ce124f6e1a0c1307fde4a0787d1a5a77954e534586becf6f88806c91472a15e |
| SHA512 | 57528c779144a6e06ef7e1c3e9794a3b8276e624b4eb39a34a44228cea93200ad850402550fd73738cb9cdc26a54e7b8b6bc494a581489a6d0e572206b924f33 |
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
| MD5 | d9c0d5cdd5ba9bf3402a5c351da5e17c |
| SHA1 | f9fba8d0987c83605cb63c73e5c369efa05d8a37 |
| SHA256 | 80d4adbb5401eb5bd2620e896e118816f11e1e6b32bf75001baa056e5d1ac00a |
| SHA512 | 9d75dd09328354508875e05958d3d5af639693c514063ae32e31accba495155856041bb323c5579c4f2b45d4d1faf4c7fdbec396dcd621a7f701d17e4c3d2112 |
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
| MD5 | b5f063670a8369dff6b5fd6a50be7ec3 |
| SHA1 | 4966e083ea04f2a116621db6030ab85c9fc8fc58 |
| SHA256 | 8466e4eea30fd656052921d174ac41ad2dfdca14e6c8e68e7c79ff4b2487a92d |
| SHA512 | 9f161a94b8701b7eea9a1be1fdac1dd113f78cb3f2fbc25b7746b49fae7179b6ce274170587160809deddcfbb28e2e89d50914f4023b7b55705fe3023593f018 |
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe
C:\Program Files\Java\jdk-1.8\bin\javah.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
C:\Program Files\dotnet\dotnet.exe
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\7z.exe