Malware Analysis Report

2025-01-02 03:10

Sample ID 240815-r37vpa1gkr
Target 15082024132615082024Quotation.gz
SHA256 e0d62ebce780590ed7135092c914017436aa6402cc7a110c8c32386bd27e8083
Tags
remcos remotehost discovery rat spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

e0d62ebce780590ed7135092c914017436aa6402cc7a110c8c32386bd27e8083

Threat Level: Known bad

The file 15082024132615082024Quotation.gz was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery rat spyware stealer

Remcos

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Runs regedit.exe

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 14:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 14:44

Reported

2024-08-15 14:46

Platform

win7-20240704-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\f477f8d9d264f17b.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2532 set thread context of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP39C6.tmp\ehiActivScp.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFF46.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1065.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF92E.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP944.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\perfhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" C:\Windows\ehome\ehRec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020e2c9c821efda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2532 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2144 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2144 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2144 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2144 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2144 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2144 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2756 wrote to memory of 1736 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2756 wrote to memory of 1736 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2756 wrote to memory of 1736 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2756 wrote to memory of 1680 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2756 wrote to memory of 1680 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
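The sandbox emits one row per WriteProcessMemory call, so the table above repeats the same source/target pair several times and gives no parent/child context. The following script is an added example for this report (not the sandbox's own tooling): it collapses the rows into a (writer PID, target PID) graph with call counts and flags writes where the writing and written-to executables differ. SAMPLE_ROWS is copied from the table above; the cross-image heuristic is this example's assumption, not a rule the report states.

```python
"""Collapse 'wrote to memory of' signature rows into an injection graph.

Added example for this report; not part of the sandbox's tooling.
SAMPLE_ROWS is copied from the signature table above. The heuristic
(a write is 'cross-image' when source and target executables differ)
is an assumption of this example.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Row shape: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Image paths may contain spaces ("Program Files (x86)"), so the two paths
# are split on "<drive>:\" and ".exe" rather than on whitespace.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?\.exe) (?P<dst_img>[A-Za-z]:\\.+\.exe)$",
    re.IGNORECASE,
)

# Copied from the table above (18 rows, 6 distinct writer/target pairs).
SAMPLE_ROWS = r"""
PID 2144 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 872 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2756 wrote to memory of 1736 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2756 wrote to memory of 1736 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2756 wrote to memory of 1736 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2756 wrote to memory of 1680 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2756 wrote to memory of 1680 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
"""


def parse_rows(text):
    """Return Counter{(src_pid, dst_pid, src_img, dst_img): number of rows}.

    Identical rows are expected (one per WriteProcessMemory call), so the
    count is kept instead of being discarded.
    """
    edges = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        edges[(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    return edges


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def writers(edges):
    """Number of distinct target PIDs each writer PID wrote into."""
    targets = {}
    for src, dst, _, _ in edges:
        targets.setdefault(src, set()).add(dst)
    return {src: len(t) for src, t in targets.items()}


def cross_image_writes(edges):
    """Edges whose writer and target executables differ, sorted, as
    (src_pid, dst_pid, src_name, dst_name, write_count)."""
    found = []
    for (src, dst, src_img, dst_img), n in edges.items():
        if image_name(src_img) != image_name(dst_img):
            found.append((src, dst, image_name(src_img), image_name(dst_img), n))
    return sorted(found)


if __name__ == "__main__":
    graph = parse_rows(SAMPLE_ROWS)
    print("writers:", writers(graph))
    for row in cross_image_writes(graph):
        print("cross-image write:", row)
```

A parent writing into a child it has just created (SearchIndexer.exe into SearchProtocolHost.exe and SearchFilterHost.exe here) is how process creation works and is expected; the NGen service writing into its own worker processes is the same thing. The rows worth chasing are those where the writer belongs to the sample's chain and the target is a different image, and deciding that needs the process tree, which this signature table does not carry, so join the PIDs against the Processes list before drawing conclusions.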

Uses Task Scheduler COM API (persistence)

Uses Volume Shadow Copy WMI provider (ransomware)

Uses Volume Shadow Copy service COM API (ransomware)

These three signatures record API use only; the report attaches no indicator to any of them (no task name, no shadow-copy deletion command). The Processes list below shows vssvc.exe, wbengine.exe and vds.exe being started during the run, so treat the ransomware tags as heuristic until a deletion or task-creation indicator is found.

Processes

Each entry is the process image path followed by the command line it was started with. The list opens with the unpacked sample (Quotation.exe in the user's Temp directory) and the .NET framework hosts (aspnet_wp.exe, vbc.exe) and wmplayer.exe instances started after it; the remainder are system service binaries and NGen worker processes (mscorsvw.exe with -NGENProcess arguments) started during the run. Several of those service binaries (alg.exe, aspnet_state.exe, ehrecvr.exe, ehsched.exe, msdtc.exe and others) also appear under Files with hashes, matching the "Drops file in System32 directory" and "Executes dropped EXE" signatures; compare those hashes with known-good copies of the same files before dismissing the service starts as background noise.

C:\Users\Admin\AppData\Local\Temp\Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d8 -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 278 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 1f0 -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 28c -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 204 -NGENProcess 208 -Pipe 200 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 254 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 228 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 208 -Pipe 1c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 230 -Pipe 1b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 208 -NGENProcess 230 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 230 -Pipe 228 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 230 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 27c -NGENProcess 260 -Pipe 208 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 230 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 27c -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 204 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 26c -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2cc -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 308 -NGENProcess 2c4 -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e0 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2c4 -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2c4 -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e0 -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2c4 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2e0 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2c4 -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2e0 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2c4 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"
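The listing above is long because the NGen service starts one mscorsvw.exe worker per assembly it compiles. The script below is an added example for this report (not the sandbox's code): it reads the page's own layout (image path, blank line, command line) and sorts each entry into a small set of triage buckets so that the sample's own launches stand out from the NGen and service noise. SAMPLE is a subset of the entries above; the directory list, the set of .NET host names and the bucket names are assumptions of this example.

```python
"""Sort a sandbox process list into triage buckets.

Added example for this report; not the sandbox's own code. SAMPLE is a
subset of the Processes entries above in the page's own layout. The
USER_WRITABLE directories, the DOTNET_HOSTS set and the bucket names are
assumptions of this example.
"""
from pathlib import PureWindowsPath

# Copied from the listing above: image path, blank line, command line.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
"""

# Directories a standard user can write to (assumption of this example):
# anything started from here is not part of the OS image.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
)

# .NET framework hosts that are rarely started interactively by legitimate
# software and are common hollowing targets for .NET loaders (assumption).
DOTNET_HOSTS = {
    "vbc.exe", "csc.exe", "aspnet_wp.exe", "regasm.exe",
    "regsvcs.exe", "installutil.exe", "msbuild.exe",
}


def parse_processes(text):
    """Pair each image path with the command line on the following line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: expected path/command-line pairs")
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]


def classify(path, cmdline):
    """Return the triage bucket for one (path, command line) entry."""
    name = PureWindowsPath(path).name.lower()
    low = path.lower()
    if any(d in low for d in USER_WRITABLE):
        return "user-writable launch"
    if name in DOTNET_HOSTS:
        return "dotnet host"
    if name == "mscorsvw.exe" and "NGen Worker Process" in cmdline:
        return "ngen worker"
    # A system binary started with its bare path and no arguments.
    if low.startswith(("c:\\windows\\", "c:\\program files")) and cmdline.strip('"') == path:
        return "no-arg launch"
    return "other"


def triage(text):
    """Map bucket name -> image names, in listing order."""
    buckets = {}
    for path, cmd in parse_processes(text):
        buckets.setdefault(classify(path, cmd), []).append(PureWindowsPath(path).name)
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(names)}")
```

Note the limit of the heuristic: wmplayer.exe lands in the same "no-arg launch" bucket as alg.exe and vssvc.exe even though it follows the sample's .NET hosts in the listing. Only the process tree (parent PID) separates a service start from a process the sample spawned to host its payload, and that information is not on this page.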

Network

Destination is the remote IP:port. Rows with 8.8.8.8:53/udp are the DNS lookups issued from the sandbox; the tcp row with an empty Domain column (23.95.235.18:2557) is a connection made to a hard-coded address without a preceding lookup, which is consistent with a RAT's controller connection. geoplugin.net is a public geolocation API that Remcos queries at startup; it is an indicator of the family, not the controller. Several of the .biz domains resolve to the same address (for example 54.244.188.177 serves both pywolwnvd.biz and cvgrf.biz), so block on the address as well as the name.

Country Destination Domain Proto
US 23.95.235.18:2557 tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 geoplugin.net udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.143:80 przvgke.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.138:80 przvgke.biz tcp
US 172.234.222.138:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 172.234.222.143:80 fwiwk.biz tcp
US 172.234.222.143:80 fwiwk.biz tcp
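A practitioner usually wants three things from a table like the one above: the connections made without a DNS lookup, the domains that share a backend address, and the domains that were queried but never contacted. The script below is an added example for this report (not sandbox code) that pulls those out of the page's own row format. SAMPLE_ROWS is a subset of the table above; ALLOWLIST and the treatment of 8.8.8.8 as the sandbox resolver are assumptions of this example.

```python
"""Extract network indicators from a sandbox connection table.

Added example for this report; not sandbox code. SAMPLE_ROWS is a subset
of the Network table above in its own layout: country, IP:port, optional
domain, protocol. ALLOWLIST and RESOLVER are assumptions of this example.
"""
from collections import defaultdict

# Copied from the table above (19 rows).
SAMPLE_ROWS = """\
US 23.95.235.18:2557 tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
"""

# Assumption: CRL fetches are OS background traffic, not sample activity.
ALLOWLIST = {"crl.microsoft.com"}
# Assumption: the sandbox forwards DNS to 8.8.8.8, so it is never an IOC.
RESOLVER = "8.8.8.8"


def parse_rows(text):
    """Return (country, ip, port, domain_or_None, proto) per row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:            # no Domain column: direct connection
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def direct_connections(rows):
    """TCP connections with no domain, i.e. to a hard-coded IP:port."""
    return sorted({(ip, port) for _, ip, port, dom, proto in rows
                   if proto == "tcp" and dom is None})


def resolutions(rows):
    """domain -> set of IPs that were actually connected to over TCP."""
    seen = defaultdict(set)
    for _, ip, _, dom, proto in rows:
        if proto == "tcp" and dom:
            seen[dom].add(ip)
    return dict(seen)


def shared_hosts(rows):
    """IP -> domains, restricted to IPs that served more than one domain."""
    by_ip = defaultdict(set)
    for dom, ips in resolutions(rows).items():
        for ip in ips:
            by_ip[ip].add(dom)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


def queried_never_contacted(rows):
    """Domains looked up over DNS that never received a TCP connection
    (failed resolution, or a name the sample only probes)."""
    queried = {dom for _, ip, _, dom, proto in rows
               if proto == "udp" and ip == RESOLVER and dom}
    return sorted(queried - set(resolutions(rows)))


def iocs(rows):
    """Domains plus direct IP:port pairs, minus ALLOWLIST, for blocking."""
    domains = {dom for _, _, _, dom, _ in rows if dom} - ALLOWLIST
    direct = {f"{ip}:{port}" for ip, port in direct_connections(rows)}
    return sorted(domains | direct)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("direct:", direct_connections(rows))
    print("shared:", shared_hosts(rows))
    print("queried only:", queried_never_contacted(rows))
    print("iocs:", iocs(rows))
```

geoplugin.net stays in the IOC list here because it is the family's startup check, but it is a legitimate service with other users; treat it as a hunt query, not a block rule. The shared-host view is the more durable indicator: the .biz names vary, the handful of backend addresses behind them (54.244.188.177, 18.141.10.107, 82.112.184.197 in this subset) is what to watch.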

Files

Entries named memory/<pid>-<n>-<start>-<end>-memory.dmp are memory regions dumped from the process with that PID; n is the dump sequence number and start/end are the region's virtual address range. The same 0x400000-0x64F000 range (0x24F000 bytes at the default executable image base) is dumped repeatedly from both PID 2404 and PID 2832, which is consistent with one payload being mapped into two different processes and fits the SetThreadContext signature in the summary; those dumps are the ones to pull for unpacked-payload analysis. Entries given as a file path are files written to disk during the run, each followed by its MD5, SHA1, SHA256 and SHA512.

memory/2532-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

memory/2532-1-0x00000000001B0000-0x00000000001BA000-memory.dmp

memory/2532-2-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

memory/2532-3-0x000000001B3B0000-0x000000001B5AE000-memory.dmp

memory/2404-5-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2404-10-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2404-6-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2404-8-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2404-12-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2404-11-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2404-9-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2404-13-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2532-47-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

memory/2832-49-0x0000000000170000-0x00000000001D7000-memory.dmp

memory/2832-48-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2832-45-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2832-38-0x0000000000170000-0x00000000001D7000-memory.dmp

memory/2832-37-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2832-36-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2832-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Windows\System32\alg.exe

MD5 56dd3fcc7e4b2c8e6980cdebc0d817b9
SHA1 8bc5aa18a434efba45e7c2d20b3270c88bc4ad9a
SHA256 8cde643dd7267b0b1a259778903d3ecce2ebd350300956f262129f336d1e39be
SHA512 b3ec20379268f023504db0363c85ee05aed50ee3babd65bfbbaba8d7d77398e031cc5b17fa1d4c60316cac00857ea93be026de27508e26d6fa06d300d6fd8507

memory/2788-55-0x00000000008F0000-0x0000000000950000-memory.dmp

memory/2788-63-0x00000000008F0000-0x0000000000950000-memory.dmp

memory/2788-54-0x0000000100000000-0x00000001001E3000-memory.dmp

memory/2832-67-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2832-66-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2832-68-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2832-70-0x0000000000400000-0x000000000064F000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 ac05bc3751ae34e0bc689d11475fe03c
SHA1 a829c99069fbed0b2edf72ccb4c1a859217afe35
SHA256 1e92e9e252423ce709a008052018dac951e92c547f4d4cfcafef91b83b3b0e7c
SHA512 2c2089b2d53a3e0212acf1dfbaed67fda202bff580235acde7ad0002074a12bdbb98ab81b3afb0428d312183b68253bb0831a4acb94c6a260bb00fcfe4e7afed

memory/2348-73-0x0000000140000000-0x00000001401DC000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 e13b9ba3321289e0d8440811df0cd917
SHA1 48bceac75eac699ce8e0863897206b7df129fcf2
SHA256 41da5369c5628958f15d398240a1af1ad14feacc7cf01de8858307ee1af7b574
SHA512 a7a87af3903ccf5d33ddabfc2ebd82b812a4cdbf2a69ffd2e8e14d9b011318371bf4e40d7f1c2590123b0d262373f0cbb1368ceb83305e08955069cb1c6c35a2

memory/2944-76-0x0000000010000000-0x00000000101DE000-memory.dmp

memory/2944-77-0x0000000000380000-0x00000000003E7000-memory.dmp

memory/2944-82-0x0000000000380000-0x00000000003E7000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 1f06f7510c384ae8d3c44dfc19e37385
SHA1 675da108527b8d79527c3ad519d5d80e941c257c
SHA256 75544ed88001da8d2cf572a10eb37bb212e6fae6aa78824d049f33eb9d4389d5
SHA512 0eccdb43a93f4352c84a57e318a147a97aeb19de356d1c49ba98bbb7bfb9c8fea7ae32604af944acef8912f8cc74b1f4ddc8c19a8e98cead6d61c84fe76e47a1

memory/2672-90-0x0000000010000000-0x00000000101E6000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 e1616847df4d086519464e105d0d6f91
SHA1 6e068621df45f029457bdbbc73230afbe86be18c
SHA256 b891d1705354bd48257942042941fe86b34ae2827553e9dc099bad99e38c1a5a
SHA512 c662d087a4637b9f5152a555d0db685bd0e93af53af402d450376228cf9abc2baeb39d991f7373933fed2d3962c38cce81407a62c6f0b0dbc870c1794b91e946

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 1dbe038fbfb3063d24b9de4874694d5b
SHA1 885036c2118a6553dc866c77f0ea9737ff308f04
SHA256 711d14108d131ad88abd45aacfa66315ac23e730756e95c04ff3e6f423a5ffba
Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 14:44

Reported

2024-08-15 14:46

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Signatures

Remcos

rat remcos

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\19d76088b36a5b05.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 464 set thread context of 4208 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\java.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0ca04a121efda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eca23a121efda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033e73ea021efda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094cbe5a021efda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008055efa021efda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b6802a121efda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\regedit.exe
PID 464 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\System32\cmd.exe
PID 464 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 464 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 464 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 464 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\System32\calc.exe
PID 464 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 464 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2856 wrote to memory of 408 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2856 wrote to memory of 4124 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\System32\calc.exe

"C:\Windows\System32\calc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Files

C:\Windows\System32\alg.exe

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

C:\Windows\System32\FXSSVC.exe

C:\Windows\System32\msdtc.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\Locator.exe

C:\Windows\System32\Spectrum.exe

C:\Windows\System32\TieringEngineService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\VSSVC.exe

C:\Windows\System32\AgentService.exe

C:\Windows\System32\wbengine.exe

C:\Windows\System32\wbem\WmiApSrv.exe

C:\Windows\System32\SearchIndexer.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\SysWOW64\perfhost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

C:\Windows\system32\AppVClient.exe

C:\Windows\system32\SgrmBroker.exe

C:\Windows\system32\msiexec.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

C:\Program Files\Java\jdk-1.8\bin\javap.exe

C:\Program Files\Java\jdk-1.8\bin\javah.exe

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

C:\Program Files\Java\jdk-1.8\bin\javac.exe

C:\Program Files\Java\jdk-1.8\bin\java.exe

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

C:\Program Files\Java\jdk-1.8\bin\jar.exe

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 993a7ad2529eb9c72e0a587880745786
SHA1 0f5ab7868ec8d8d3ca7a56c4272438f219471f01
SHA256 a6cf571e604ef118a3c87ae3746e17bad397b5f2897f25fa414062137654ac5d
SHA512 96489d279979fc8761fdd828ffdc9acc818f811189a1b04e9601935a9005056991e3e4cf200821c46bb5b2541999068a8f64f83029f9ffb4b543e5663403189d

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 255d621e6b0d191f7759c75a067d0dbe
SHA1 db2ec0ee1919e847c5d28594825e5919f6083ae5
SHA256 7bee629c77069295036925f609d91b4870abc8b270b3247733f3b40374596d19
SHA512 1f12a2509f70113b4cf2fa76dc47157a0263c53be3b951301b5fe7062c2e7f323fbbdfab3b57f1cd52175de1c91fa353f4465841b66031f625f88edacd018546

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 bd7bcd06aed18ef254c51ca266a8b837
SHA1 3ed928e22e7274f455c08fc0a5e3614b7ca94d16
SHA256 600ad3c79e30dc178a7f1e7b744412d8c9d16fd6c4ca056aedc6f693805f4af9
SHA512 2ab28823b4987e73e8fa6fce41df878517713bef1f4fb6292da114b0466393ff44da16764631cd8cc7c37c234180b4213c5b66cc01c8d0065a410942cea42496

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 fe0868d1037fac2de3be0c65a8468523
SHA1 e4e6cf75888e1e81b4eab95632effde77adfa0fc
SHA256 37a71e34e2b443f828247b2f5cc4020512b3560d092584684430a17a8a26f514
SHA512 f88b0c6aaf611edd98fc9a6920f0e7e1f730175a860f175c712001342394ff53312f3f35605263587378659c259b6a49cd3fd54f6149c77fb56932fd1050554d

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

MD5 75373b91b60f8ee1899f4a7e8ce52152
SHA1 81c63cdc5149aa75391ba229982f73e95ecbccaf
SHA256 ad8bc3d2c4b6afd7fb02300312567ec9427d7412c36ab82abbf1af5799a7db15
SHA512 3ec6082f1b8db0e425a000086b96a3206bdd4a4f6b184363027b212a3e6ce9a2799386b29dbefc65b0cd087e4aba7853bcb76d31eec3fda2768653489b90f042

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

MD5 92d0ff5c98c0cbd57e2c524108404f64
SHA1 f67d422ea7ab0d9d77e777ae328198f2b769333b
SHA256 f307c84329325f0a4fb31969f207978cd0a63f40f428de53573777ba697c856c
SHA512 39178b0ec672cc6dcd23372cdd94e7d288aea860ebee95ee8bb945b03fef05dcc3bd39cc7e8c9f3743f3610108b2e076f920de365aec5204ba0dec3d4fdad3d2

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

MD5 2fc812a45d80c9a5b8ce99b20226e9ed
SHA1 6c83a1493ed1f0f457e02a8e6bd94dd2f4e873f7
SHA256 3b0cc1bc07d595d6129e8a94c3b85c2e660cc2a083789599258cfeb8da210c84
SHA512 d8adea141deb90aaab9b4a19a5fc25867dab4b7b5c06cf3453a5d709f4b6d62e608e8a483e85d9895d4d6cd1d78d552dadf2adf11977d67084817da5edc9d8e4

C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

MD5 41b706822336660c56303c96ec6bf8c5
SHA1 1cef81470a9ca108ceb501dad985c1abb74ea3f3
SHA256 db4412303dc3907af069f4f3cc8044dcfa92bcbc2a6fcfabae2ddbc25693bb39
SHA512 a2fd42303ba173f1cb02b01641cdf24df914ffc555d3f451366ad0ccceab7f19173acce4380739284fcfd6ae3ac40cafcd059986ef24b26223b4f745f78bfe51

C:\Program Files\dotnet\dotnet.exe

MD5 ad33f5acd79c38db5fbc6007b878d3ba
SHA1 cb298f2169067ad4fb32c420cab188a90aba5491
SHA256 56b697e4a7c3da97b66cdf72f291e0337b8eb130fa77e68b2a60ace7fbe2a211
SHA512 ab0d5a34ea9e15891d158b10a575f5abb5de218344f7660cbe5df78300822ab205cfb58e647936a890050424cead0df4386f10d58cc8c7a528cd3afc25b3b424

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 f0c891ddd0309bebf187ec1e2c23e9ed
SHA1 6ce0df3f49c914d9b18cfb0e49f2672709d5f87e
SHA256 e1f42b189eb1ebf4efe568af0306fd20b788b03ee4facc78077728c098388ba7
SHA512 b2153be96bca9239a7d38f1a44ff7991ce104c5c5097a6c5388079666c8f5ef09c9e043d7a2e16773274dad6d389195a3b62ca9f56d306db92bd95281dcea849

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 c54fcef0f069f4a8f18c5e21a037a067
SHA1 11dc9e9a83c1b2d0625686407314c303714c959f
SHA256 7e502bd1292f76a34834578f188c565fc30a558754d175f3f243530f91620bbe
SHA512 5201c209178fb90fec318ee36b60a82bc261e9c2610f0b5d27d0b3b68c6b2f5774ca3536ffe3edeffe416179b4966bc9704802be024b4d55caafa095a4b9d0ee

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 b4f4ad42538d322cc7e2576cb41ffd4d
SHA1 478351ac23e05f57f3d4a785d2615cdc8edcb282
SHA256 ccd21593cf08ce3636dd3dbb2e7b518462ace297746b27a1130099c2b4e40c19
SHA512 dd128418886021d78ef69e0745d104c1c3bba894d01179aaebdec451175ff5d405b2ae0a32024bf71c8f8ed8e58606a76e83441a1b5bd0b7207600a9aebf167c

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 c5b20842332b0597ea5366e12f1e14e2
SHA1 dc14a9d1a576de6fadc23e88e59f061e40b3c784
SHA256 36cf432dbd35cbc1385733ea4b9440fe98e7365acd0e4a2208e2ed159bbadcdb
SHA512 4b10f5b1a84ebd00463947d10ec9618696fba50eb547b23aff82a029b16bb0a8e3534da1f75ee962279b3aa4b78725c6c64813e7598792af07cef2f20aeb21d3

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 a21ed12c84e72d893f6333fbf1088365
SHA1 6edde7ce23798532c6b8b35ebe4dd2c22edb6d09
SHA256 8d5d2f0b2c01660e87cd080db80423c794dab3d64e291b1947ce9e3a3b537efc
SHA512 c5b6a8f45871d119993020870cb9afa6f5125b600a60bd7c0325d5f9756226eea859f4d3625b4d574aa43d7604b619ba32b569af1f2f127d4982ba97a2be4057

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 e84cd80ddc20bef400f964dd145f8ee9
SHA1 c5924ecacfaa3159cef48050865c45cefaf498ce
SHA256 6b5aad861b5520846b816d76f36f1e5627fd4d1bea1abc1b7f529d16956beff0
SHA512 f51ffc07a63bbabfce1069164d3ac81f5324f1cf3d94fb4f0c48e7467b2a9d45fdf797dde46a6840b6f55888acae7a4e52bd002903f573bf3cf4b4c2a72b2293

C:\Program Files\7-Zip\Uninstall.exe

MD5 dfba81c3616fe01af6b1f343324eb96b
SHA1 f05bc2d7520e69ed35d7a3a68692c9c4625982a5
SHA256 ae2e3ddccd8bd1ca0a34a52c0518dc36465d22dcccb459d1f31d81a91c1baa7c
SHA512 3c2a6cd0d3c5fd2200938dbb70b90034f9a3a651201554bebe3d0437e6c0e5210ba53be0c08669190d3ad50e419ec13e4403096f271423013ef517134e370eb7

C:\Program Files\7-Zip\7zG.exe

MD5 0679f231f737a61767041556fc74740f
SHA1 78678738189b63bd2aecc6042d5dcde25ef31781
SHA256 a5943182396ab8fc42b79d381367094ceb682284d18013963c30538b6b2b6080
SHA512 d01bf70f891e2d9ade1b072111bb775c1efb0b9f16091642ce8b25eea2119ffd9d86e2777331d841e2e61a2733728dc47725e5b4ac863c3651a241925531d1de

C:\Program Files\7-Zip\7zFM.exe

MD5 5227766036e4f36c666d299b42bff956
SHA1 dbdeb1bc8d09c28f2bae49d43874ad2480e7ede5
SHA256 c9dbeced3ebb326de11aad7c55e2f793f5db0e5f85121614fa7cf79e5530083a
SHA512 301c0e8abaa496dd14e26667e6d26e1798e8eb9a7dea241ea16ccee666fe692462ab68700e8a4c52b6569f25c8721b7d5c62456af8ee28ef94cd14720c4a12b2

C:\Program Files\7-Zip\7z.exe

MD5 4b8c8fb82ee2f7f197e71b14bf5e201b
SHA1 056c1960879239863da9047d93c3d6310af5d39c
SHA256 bda90420c3d6ae60fb7059fb915cf26f6a11387bcf8b4d1326e94c659c591276
SHA512 9e6e8c4410a12fd73709a527b14f0947a44ceea8b8b68bd877d135e38e344f68a5bb3dd78e4b818154bf76f48b1057201ae4875a25cf188fa17f95f9bfce06de

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 ee2c2f910b53cb501ec94643853b084f
SHA1 016d91ee82bb50d9f179789bb1b2bb22beee59b2
SHA256 0899caf329618e6424126535cc56600e5193d7dbb2a6124bd055c13e04accb64
SHA512 8e6f1298221909da1b7a0b3d4556d7ef6c89e6773c05f5898894a7e1049764b3d453c935602e4ae585b5324f544e80f3ac5748b9a5263c4108452f4988082025