Analysis Overview
SHA256
cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48ba
Threat Level: Shows suspicious behavior
The file cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 13:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 13:50
Reported
2024-10-21 13:52
Platform
win7-20241010-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBECD.tmp\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP70BD.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14f.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6D25.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB07B.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP698C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB7DA.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP67D7.tmp\Microsoft.Office.Tools.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6AA5.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
"C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe"
C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x118,0x120,0x124,0x110,0x128,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e4 -NGENProcess 2bc -Pipe 2e0 -Comment "NGen Worker Process"
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2e4 -Pipe 2c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 258 -NGENProcess 2d4 -Pipe 2c4 -Comment "NGen Worker Process"
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f4 -NGENProcess 268 -Pipe 2d8 -Comment "NGen Worker Process"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2d4 -Pipe 2e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2fc -NGENProcess 258 -Pipe 2f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2bc -NGENProcess 2f0 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 304 -NGENProcess 2dc -Pipe 300 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 304 -NGENProcess 2bc -Pipe 2d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2cc -Pipe 2dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 258 -NGENProcess 304 -Pipe 2e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 318 -NGENProcess 2f0 -Pipe 314 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 320 -NGENProcess 2bc -Pipe 31c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 308 -NGENProcess 258 -Pipe 2ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2f4 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 324 -NGENProcess 308 -Pipe 2cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 308 -NGENProcess 258 -Pipe 2f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 318 -NGENProcess 2bc -Pipe 30c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 318 -NGENProcess 308 -Pipe 2f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 304 -NGENProcess 2bc -Pipe 2f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2a4 -NGENProcess 2c8 -Pipe 304 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 348 -NGENProcess 324 -Pipe 344 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 320 -Pipe 340 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 320 -NGENProcess 250 -Pipe 21c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 358 -NGENProcess 218 -Pipe 354 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 250 -NGENProcess 218 -Pipe 1bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 35c -NGENProcess 358 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 360 -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 364 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 36c -NGENProcess 370 -Pipe 218 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 384 -NGENProcess 330 -Pipe 380 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 37c -NGENProcess 378 -Pipe 330 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 394 -NGENProcess 34c -Pipe 390 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 37c -NGENProcess 350 -Pipe 368 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 388 -NGENProcess 398 -Pipe 364 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 38c -NGENProcess 34c -Pipe 384 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a8 -NGENProcess 388 -Pipe 3a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 388 -NGENProcess 374 -Pipe 39c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3b4 -NGENProcess 34c -Pipe 3b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 34c -NGENProcess 3a8 -Pipe 378 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 36c -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 38c -NGENProcess 388 -Pipe 350 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3c8 -NGENProcess 36c -Pipe 3c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3ac -NGENProcess 3d0 -Pipe 38c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 2a4 -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 36c -NGENProcess 3cc -Pipe 3c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3dc -NGENProcess 34c -Pipe 3d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3d4 -NGENProcess 3a0 -Pipe 3c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d0 -NGENProcess 3dc -Pipe 3ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3dc -NGENProcess 388 -Pipe 3e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3f0 -Pipe 3a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3f0 -NGENProcess 3d4 -Pipe 3c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 408 -NGENProcess 3b8 -Pipe 3f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 36c -NGENProcess 40c -Pipe 388 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 414 -NGENProcess 3d4 -Pipe 410 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b8 -NGENProcess 3e0 -Pipe 3d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3dc -NGENProcess 3bc -Pipe 3b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 42c -NGENProcess 3f0 -Pipe 428 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 404 -Pipe 41c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3bc -NGENProcess 42c -Pipe 430 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 42c -NGENProcess 424 -Pipe 3e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 438 -NGENProcess 444 -Pipe 3bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 418 -NGENProcess 424 -Pipe 434 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 448 -NGENProcess 42c -Pipe 420 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 444 -Pipe 404 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 444 -NGENProcess 40c -Pipe 3dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 3d0 -NGENProcess 44c -Pipe 440 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 40c -NGENProcess 454 -Pipe 42c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 468 -NGENProcess 418 -Pipe 45c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 458 -Pipe 3f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 454 -Pipe 460 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 474 -NGENProcess 418 -Pipe 450 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 478 -NGENProcess 458 -Pipe 44c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 47c -NGENProcess 454 -Pipe 40c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 418 -NGENProcess 478 -Pipe 47c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 418 -NGENProcess 454 -Pipe 470 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 484 -NGENProcess 474 -Pipe 488 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 494 -NGENProcess 444 -Pipe 484 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 458 -NGENProcess 494 -Pipe 48c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 4a0 -NGENProcess 498 -Pipe 49c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 4a4 -NGENProcess 454 -Pipe 468 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4a4 -NGENProcess 4a0 -Pipe 494 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 478 -NGENProcess 454 -Pipe 490 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4a8 -NGENProcess 4b4 -Pipe 4a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 4b4 -NGENProcess 3d0 -Pipe 418 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4b4 -NGENProcess 480 -Pipe 498 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 3d0 -Pipe 4ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4b8 -NGENProcess 4b4 -Pipe 4c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 4bc -NGENProcess 4b4 -Pipe 474 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4d0 -NGENProcess 4c8 -Pipe 4cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 480 -NGENProcess 4d0 -Pipe 46c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 4dc -NGENProcess 4b8 -Pipe 4d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e0 -NGENProcess 4b4 -Pipe 4a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4e4 -NGENProcess 4d0 -Pipe 454 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4b8 -NGENProcess 4a8 -Pipe 4dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4b4 -NGENProcess 4b0 -Pipe 458 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4d4 -NGENProcess 4a8 -Pipe 4d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4a8 -NGENProcess 4b8 -Pipe 4e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4e0 -NGENProcess 4ec -Pipe 480 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 3d0 -NGENProcess 504 -Pipe 4a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4b8 -NGENProcess 4b4 -Pipe 4f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4b4 -NGENProcess 4d4 -Pipe 500 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 50c -NGENProcess 4c8 -Pipe 444 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 4d4 -NGENProcess 508 -Pipe 220 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 508 -NGENProcess 4b4 -Pipe 4ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 4f0 -NGENProcess 4c8 -Pipe 4fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4b0 -NGENProcess 4e0 -Pipe 4b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 510 -NGENProcess 4b4 -Pipe 50c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 4c8 -Pipe 4f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 4e0 -Pipe 4d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 530 -NGENProcess 4b4 -Pipe 52c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 514 -NGENProcess 538 -Pipe 518 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 528 -NGENProcess 4b4 -Pipe 51c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 534 -NGENProcess 540 -Pipe 514 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 524 -NGENProcess 4b4 -Pipe 510 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 530 -NGENProcess 528 -Pipe 548 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 4e0 -NGENProcess 544 -Pipe 520 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 544 -NGENProcess 534 -Pipe 550 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 538 -NGENProcess 54c -Pipe 53c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 554 -NGENProcess 530 -Pipe 540 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 530 -NGENProcess 4e0 -Pipe 55c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 4b4 -NGENProcess 558 -Pipe 524 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 560 -NGENProcess 554 -Pipe 4b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 528 -NGENProcess 558 -Pipe 534 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 558 -NGENProcess 544 -Pipe 530 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 54c -NGENProcess 568 -Pipe 564 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 568 -NGENProcess 528 -Pipe 538 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 4e0 -NGENProcess 578 -Pipe 54c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 560 -NGENProcess 528 -Pipe 56c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 57c -NGENProcess 568 -Pipe 554 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 574 -NGENProcess 578 -Pipe 584 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 558 -NGENProcess 580 -Pipe 544 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 580 -NGENProcess 57c -Pipe 568 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 58c -NGENProcess 578 -Pipe 4e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 58c -InterruptEvent 578 -NGENProcess 558 -Pipe 588 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 594 -NGENProcess 57c -Pipe 574 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 598 -NGENProcess 590 -Pipe 570 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 578 -NGENProcess 5a0 -Pipe 594 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 558 -NGENProcess 508 -Pipe 578 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 59c -NGENProcess 560 -Pipe 598 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 528 -NGENProcess 580 -Pipe 58c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 4f0 -NGENProcess 560 -Pipe 504 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 5a4 -NGENProcess 57c -Pipe 4b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a4 -InterruptEvent 57c -NGENProcess 528 -Pipe 580 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a4 -InterruptEvent 528 -NGENProcess 57c -Pipe 5ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 57c -NGENProcess 560 -Pipe 5a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 5b4 -NGENProcess 590 -Pipe 4f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 5b8 -NGENProcess 5b0 -Pipe 508 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.13.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.13.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 18.208.156.248:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 18.208.156.248:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| SG | 47.129.31.212:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| SG | 13.251.16.150:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| SG | 47.129.31.212:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| SG | 13.251.16.150:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.211.97.45:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.211.97.45:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 3.94.10.34:80 | gvijgjwkh.biz | tcp |
| US | 3.94.10.34:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
Files
memory/2760-6-0x0000000001C30000-0x0000000001C90000-memory.dmp
memory/2752-10-0x00000000001E0000-0x0000000000240000-memory.dmp
memory/2752-16-0x00000000001E0000-0x0000000000240000-memory.dmp
memory/2760-17-0x0000000002710000-0x00000000029E1000-memory.dmp
memory/2760-9-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/2760-23-0x0000000001C30000-0x0000000001C90000-memory.dmp
memory/2752-26-0x0000000140000000-0x00000001402D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\46127ccc1073980.bin
| MD5 | bb5f850c893e2c909fff0f81bc2319ff |
| SHA1 | 9cd3381bd0e2185a6532168cbf4e972925daaf45 |
| SHA256 | 4c25b674d8092bdd85846cb7dc0c79651316f2a4bf71f18ec02b599e1fc1bcb1 |
| SHA512 | 53adaff4ea3d5c81f673351531217a76185018f875100fc0cf6fd74c63c912baabcedf94e09297b8c304b682a128ebe77ad668bff91daf06aa7f0ddfa8122137 |
memory/2760-24-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/2760-0-0x0000000001C30000-0x0000000001C90000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 1413af5ac3183570a898f15e41d43c9a |
| SHA1 | 33b2dc1f447e9acdfdd5efe0918e818e7c332a2c |
| SHA256 | e14628c1d7d5c42d6d63a9f7c99281be0bdd1ea8de2f2d1508b99120ae16a548 |
| SHA512 | d1e50c8260a37f16c5e96f0671dc730ca1bba2ee793b48bf18fb0aab42b3dbc4254db5f404d16b76f9b890cc11174c015ca19c43c0c55fab1b8ad451173ee49f |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | 1801164a79c18ad641e753c8fb2cd7be |
| SHA1 | 4b1002c7532a7f5a6ddfe8585d78df230ad0b704 |
| SHA256 | 3a5779acc21c282477e4c389da188d68a326c48275c4b61b804350a8998fb0a0 |
| SHA512 | 0e8a6032f15beda3fcb090ee9b24c28fd4ed0f3ec1069f74af3f62cd834c6f8a47fe8fcb240bcafb9c1ff57e7a0f14592e6f2806750d0d09ff3d8a15bffb8d21 |
memory/2716-33-0x0000000140000000-0x0000000140123000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | e098adb569b45a9c7623cc380baae6ab |
| SHA1 | ffa545e2bae9baccea6955446bb6ef4adec50862 |
| SHA256 | f963128fd4cabec0de135c8ef1c6533e00c01e81959f396885f566362ded93e8 |
| SHA512 | aea2d1491a23a561c0609bb85625e1a0477053c2e8a76234c2132d4894cd2b4feca16c719a5abcf2a18b8120b8ffd0dbb1e3e92371fbb672fc0492d63e510dbc |
memory/2424-36-0x0000000010000000-0x0000000010125000-memory.dmp
memory/2424-37-0x0000000000650000-0x00000000006B7000-memory.dmp
memory/2424-42-0x0000000000650000-0x00000000006B7000-memory.dmp
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | 347c0c4b6b69430ff9c1716969278a2a |
| SHA1 | 53347bb53902424a8f08850752a9034fa155e189 |
| SHA256 | d0549f5f1a2d8c248b39429b7cf97bdad0b527027a8cb15baa1c09c2ab8db4cf |
| SHA512 | b8b0cfb34710deb0a06f0fc3d412334a66ab9e75fb770aa2090fcc9abb9dca75d68d2392d663901d47ffe5fa79ea2b1545a27643403b1d3ec2200b908c417032 |
memory/2004-51-0x0000000010000000-0x000000001012D000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | c3932872a2b10a0db3abc6cc450da1f3 |
| SHA1 | 4be5c6d03c7c87122f96914daea8a104e2725604 |
| SHA256 | 03456bdbe060ccf463121b4d80d81b762356eb56f2fe91f853594b756c2477d5 |
| SHA512 | f6250622acb90bd833aeeb7b104841aee3a9418c6201734034ddf2c4df6966f0b80871fe432092d8d9231057640e05666a152ca8dfe1a204a040ffaeb720628f |
memory/2004-59-0x0000000010000000-0x000000001012D000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | df86894b276cb3b43928fb9c815f4452 |
| SHA1 | 6e41e2e2b97da5a4bc05b655650dde127ae6e2ab |
| SHA256 | b395f92146d8958654e94553c8cf9db217ecde594668ef11b19870a16e274c2e |
| SHA512 | c2ca967281d471cc418877eef54228d143c2d5b6d7a389e0eb8d273ff11110fa4f65d28e48e09cc8eab2e7d12b253d3f5b7185bdb9df92a571f69c7510ecac92 |
memory/848-63-0x0000000000400000-0x000000000052E000-memory.dmp
memory/848-64-0x0000000000380000-0x00000000003E7000-memory.dmp
memory/848-69-0x0000000000380000-0x00000000003E7000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | 93163610d388e1b77ef0e6911e105487 |
| SHA1 | b0084702fbb767d1c72f18fd88a5e31c35db2757 |
| SHA256 | d89297501d0dcd8bedfd5d0ad6304a884e14d9a05fc63e4fb4ffa8c714666439 |
| SHA512 | 34b6a6a52d7b5ce787138f264030b41fd6668384cca01ce846cba753b8db74b81703d69cc801dd83dbdf463ed3a57bd1d24aa82df613d5e827e85e461f4d1088 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | 88e84f05886044c8b22e81cbd168def6 |
| SHA1 | 3e7a3f6449afac165bd4531ea631d627bf03fb89 |
| SHA256 | 9cbd8094b4abc34353cf078996d752b945093cb465645bc5d046a83a29fb8e37 |
| SHA512 | dd00fdd99c00ab428b94e0140901b0a6e4aa8c74073494c7adae16bc8d5214d2ceaf2552a85c7329c45d8bd2a3c279d8beaf6e947e2d61b9db6e4b3ccf858ea1 |
memory/2828-77-0x0000000000620000-0x0000000000680000-memory.dmp
memory/2828-85-0x0000000140000000-0x0000000140134000-memory.dmp
memory/2828-83-0x0000000000620000-0x0000000000680000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\46127ccc1073980.bin
| MD5 | 88c927e592d42dbfefdda563564e5db1 |
| SHA1 | 64c38de2c3cb05653657268ec00574267d93716a |
| SHA256 | 9ed5cae3026857a4b3e861bfbfca45ee674e0a2acae103b199f28f9d21e4b46f |
| SHA512 | a7673caabdb47381beae8685f3e18a7f81b481cf963dd7d2f87d1c170fc5f244177aebc73516501c195e0f3383e45ea26652f5a70f8c33ed9105ff08dabe7f19 |
memory/2424-88-0x0000000010000000-0x0000000010125000-memory.dmp
\Windows\ehome\ehrecvr.exe
| MD5 | 0ca6114190abb94c21baa4dcf1222643 |
| SHA1 | a78ba6ad7e1cc58c807a9442ff2e59ddc7e89dde |
| SHA256 | 0ebfed907a7f13bdc6cab6e18c7cbeda3b815428ba32a514511a1e8f06f59022 |
| SHA512 | 4102be18e00faea1ac4772bd6f6be272721fa0432076715fd9f5d04635ee86cea34a23973951ce8b589f5f3c9ca03a96b1e9b238b9fc52d38d6bbc7e86132982 |
memory/2228-98-0x0000000140000000-0x000000014013C000-memory.dmp
memory/2228-105-0x0000000000290000-0x00000000002F0000-memory.dmp
memory/2228-99-0x0000000000290000-0x00000000002F0000-memory.dmp
\Windows\ehome\ehsched.exe
| MD5 | bcf97f4f1658e16606cc17f98aae7921 |
| SHA1 | 31d64ae0531cf6e9d5a3b754f053523af7ab4cc5 |
| SHA256 | bb8c82505de76929467d4c3c96b9db05f3ca48b4a73ab66282278e28ebcce751 |
| SHA512 | 8d2f8c42ee9de33f5f8d80828133d6c5906b06e8352f62c89fe188be49244323f2a49c3f409e97ad9fd2a8bbe8ce33e087e6842e1232d58621070e19eddad67e |
memory/2340-110-0x0000000140000000-0x0000000140138000-memory.dmp
memory/2228-112-0x0000000001990000-0x00000000019A0000-memory.dmp
memory/2228-111-0x0000000001980000-0x0000000001990000-memory.dmp
memory/2340-119-0x0000000000BC0000-0x0000000000C20000-memory.dmp
memory/2340-113-0x0000000000BC0000-0x0000000000C20000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 28bf622bc973b3cad4ba8c3305c0a5ea |
| SHA1 | 2298c2303ed5ba881e42b296544751ea5c7c5c53 |
| SHA256 | 633829c912421131c27e8ae482dba525a0d49becfa0a354905f7056b3013bb6d |
| SHA512 | 74c8d5abc32746e22079d3bae66130737c4e9fd7540262b6702b98868646f23607c6640abb2d4e1b75dc6895a250a67155d71a7109774d92902866735b24d109 |
memory/912-124-0x0000000000430000-0x0000000000490000-memory.dmp
memory/912-130-0x0000000140000000-0x0000000140237000-memory.dmp
\Windows\System32\ieetwcollector.exe
| MD5 | 22d4d52a27c0820bf922f1a44e8af8f9 |
| SHA1 | fe594994a8d4b9a972fb17467cea15df6f6feb1e |
| SHA256 | 8b8f2ccf1232fe61cf5d60e06de9f8d0ffa5f8e9ab7acf71a35dcab8aa57b711 |
| SHA512 | ec404172347fed69e1b15d86ec534e9e9ee4a0ace3f4ffd3a5e5fbc518b7ccac9dd09662db4142bc104ad9b3330c962c8ff16290179b919eebcf40a0a066599f |
memory/2752-136-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1160-137-0x0000000140000000-0x0000000140134000-memory.dmp
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | c41f5988ee95da73b2f91523d2817a4f |
| SHA1 | 03024af9fcdb4ff30e190c735d0949f0d4581329 |
| SHA256 | 68073495205a91966ace509b1f34e604f368a9b75dfa5bd2ef3eb1b66adfb6d7 |
| SHA512 | 5c946383e63c90a85b776b13a437f5741fceec462abd6933cf9734a6bb1a646872dc4317c3f32c70498bf0634b94900f638a30d68d1b9ece33cc2b187942a76a |
memory/348-156-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 1943e0a9c5528ba9f14a89f400d6f2bf |
| SHA1 | a2f898b08fae2b40e550db824ac6b112d5931f8f |
| SHA256 | 0aa1a91120e86cfbb257cd5a277ee4287c9db62cc56cf719aa685417efb2392a |
| SHA512 | a8ddce75ebf56fc5934ca57d128dccd7031ad65f4940429aed192a1a6f77972f168e47a543d40ee11bc54dd70b8cb4552d1bd567309e393217eee0e516d4bd18 |
memory/2716-157-0x0000000140000000-0x0000000140123000-memory.dmp
memory/1680-159-0x0000000140000000-0x0000000140150000-memory.dmp
memory/1680-172-0x0000000140000000-0x0000000140150000-memory.dmp
\Windows\System32\msdtc.exe
| MD5 | 7cad8dc11143d15b5f2cd1e09ef1a027 |
| SHA1 | ad1821445cd826d41722293baaf3a9374c8a3b62 |
| SHA256 | e985da084576f4483783b74a1af3b02011be112480f8ad07dfc969551ee49e4e |
| SHA512 | 6b96e196f51d7df9c03c9b1dba169583061edb9a69fd12dded0dc012e0d4161a3674a87629388056338e13172530c2b525b68d8a3395dab57ede9c2cf28ffc00 |
memory/2684-176-0x0000000140000000-0x000000014013C000-memory.dmp
\Windows\System32\msiexec.exe
| MD5 | 562297a3253febaaac4f5dec254b81b1 |
| SHA1 | f7bd8ccb659b0d2911ead316f2ee7b3d68fe1d81 |
| SHA256 | 1392115652c4619323ad909315107ae3c15c119f9edea00eba95e071fd0705b6 |
| SHA512 | 04349ebb2c68bf1f2d9e5c90ad943378415600b70cb670dd90121d9a662ed7366d6dd5eb63ee5d3b2487cce2909629e9f1d5289d4924ec898705b56ea9331626 |
memory/1388-195-0x0000000100000000-0x0000000100138000-memory.dmp
memory/2828-194-0x0000000140000000-0x0000000140134000-memory.dmp
memory/848-192-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1388-207-0x00000000005A0000-0x00000000006D8000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 8b26e1ffa755c4a658845a213d75d7fa |
| SHA1 | d4919ef9a28037e4457d827d4db1df3f74e5cb39 |
| SHA256 | 51965780d03ed42d17201458c365229ab3ac9f316ad262cc22421e296e7ef6a4 |
| SHA512 | 35a21f74a4a2a967b4d0dd3fda5e7f0fb4cc8d03a4e5bf302ac6478fd60bd925b181cd6b9f5ef78fee6431b9f79a28624663dbcaf35225dece1924ad8a5beb3c |
memory/2340-210-0x0000000140000000-0x0000000140138000-memory.dmp
memory/2600-211-0x000000002E000000-0x000000002E13B000-memory.dmp
memory/2228-198-0x0000000140000000-0x000000014013C000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 8d4f33a8b13a5372bcc177c8a38a7177 |
| SHA1 | 0fbb5b2a8fd87e75c90a75be6e753708c2a1813f |
| SHA256 | 440aaae645eea1b31a37b747dcf1d9ee9dc2b292ef13a76131e099f470eb48ac |
| SHA512 | ac527e694d8fcf35aa815c285b2aab4f2f04fc18bfc6783c3309769862e78b8c44863b7441493d93e4579ccc79c3d60d31e56dc1b78f05a8b751c678ebd76923 |
memory/912-221-0x0000000140000000-0x0000000140237000-memory.dmp
memory/832-230-0x0000000001000000-0x000000000111C000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | 6b095b35716ba76a4dbeb93930c62aae |
| SHA1 | 5b27769944f93047335fbed4b35efb2d9b144f3c |
| SHA256 | 0641520c8ca0b677ac6ab1d8510350e601a7fd31c2df88d2b83f782fc8bc6b5c |
| SHA512 | 19c70ab1174645bf9e3c897f90012621c95faa01f5495cc178d907ea8a32e3e51b1d346642dc759f76a849bfecbf4e3f23a499df6a4de9cfbab00db6d69c52fa |
memory/1160-243-0x0000000140000000-0x0000000140134000-memory.dmp
memory/2700-244-0x0000000100000000-0x000000010011B000-memory.dmp
\Windows\System32\snmptrap.exe
| MD5 | 16f76cf422bf4352da474bd0b06ad643 |
| SHA1 | 35effd86b04f4904ea86e730aec7d1076f50b8b1 |
| SHA256 | 0a65004ba60cb77e9478ce45bd2048af42aae77624e32970cecd0cf5bf911faa |
| SHA512 | 65a7e69b7a9a123de7f63de048155ba8e30916028659ae58eb70e76d2d2f321b83726e35f7f614f6615f17e4e24f292a2987ea09daa020bcea7c333431e03b89 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
| MD5 | b9bd716de6739e51c620f2086f9c31e4 |
| SHA1 | 9733d94607a3cba277e567af584510edd9febf62 |
| SHA256 | 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312 |
| SHA512 | cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478 |
memory/2992-258-0x0000000100000000-0x000000010011C000-memory.dmp
memory/348-257-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | acf1194a8553b41a092df8a09824cb78 |
| SHA1 | da760b2eea033474a1b0f0715884819a70e6fcd7 |
| SHA256 | 2ac35d5d974cdee81cfc4a10eb79910fe74dcd3b0c0ec535cfb933de6504cc14 |
| SHA512 | a494b3385579d467b358f717da6380981cfd025e7db3d8351e644bc6f2cfe4d4366d697339d57a3f03790f6df49bf90d329dc031dff27191cbb4965874c53ff7 |
memory/1520-276-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1864-277-0x0000000100000000-0x000000010019A000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | b2c95e3875ed0b48cc771860ed75790c |
| SHA1 | cd4c64950b8b76693d4dff3c985ca1caecbb41f3 |
| SHA256 | 80e57badbec7f3fb1b78000e78768e1c42f30330ef797ef3082f8667e61a7213 |
| SHA512 | bc8f1f916c2629a30b3281cad8470f601cc23384e5a6651916d5b3b723b9b53dadf253d69f53f1feeb4a71eda8a1011e23ddcd754733ea05b7133c2e001aa4c3 |
memory/2684-288-0x0000000140000000-0x000000014013C000-memory.dmp
memory/1948-289-0x0000000100000000-0x0000000100219000-memory.dmp
memory/1520-308-0x0000000000400000-0x000000000052E000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 6932e4738a968a312fd58450123c9819 |
| SHA1 | 91bf3468ffe3aefc09dc2b98a2a781b6a69ed10f |
| SHA256 | 21fc7b449b71eb48011c4918a1aa711e1311cd0facfd0517dcc8822c0c3b1275 |
| SHA512 | e5242c66eed09a935e3c74154823685bf1f098a1c92ee54122c7613c70bcdcd5b2951131274ee05faa85d774398b5907c31839c555daaf5286beaeaceb648253 |
\Windows\System32\wbem\WmiApSrv.exe
| MD5 | f38f6d78557b4f3fe83bde009318c688 |
| SHA1 | da4abf6bd3bb38b26d9dd8150c193129cbc839be |
| SHA256 | 8579b715392f8b3770f0a78d46b58ba556c4076870ec699555c6d732e138ca07 |
| SHA512 | f97c6e3ef85a381cc5d43eec67d1cbaface6db74e336bd5d3e74a563607900712e4ed5598bc8fa4243577152bd0d24d366ac24c21954ce22fc2c144ffc2294b4 |
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 780584e70e3e70fdbf9cbf034c7f93ce |
| SHA1 | 814237006ca23cac1f9ca565c762785ceb310bc4 |
| SHA256 | 3e3f8f48da21de8b4ac35c7110159a5aeb6c94c42be411ada3e4b2ac3357fc2a |
| SHA512 | 34f935dfcc756db50ea43f5f37326c4e0df19ddb522bf7c3148c588de14dbe4df8fc32467fac0a5c86225366c38cba79e5ce645fde41d97d08d5928434c2d411 |
memory/556-354-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2416-355-0x0000000100000000-0x000000010014A000-memory.dmp
memory/2580-362-0x0000000100000000-0x0000000100123000-memory.dmp
memory/1388-361-0x00000000005A0000-0x00000000006D8000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 84b6c4d86bb929571e98f9840e9f3d0b |
| SHA1 | 218c7b31a83bed3c02b9f747cd1f2474956f518e |
| SHA256 | 13ca52ed0553f0b05fd3ab6035d4878b25384328d22eaf779aa315dd654e4df2 |
| SHA512 | 7563cd5bfd66fa1b15c93824b2d231ee11b0d2c7f70809f2423e6a073e9adf832bbf5ca002a2f0d82cde34d77c2865fbc361ee4f46a9340df154ec3405138da5 |
memory/2624-359-0x0000000100000000-0x0000000100202000-memory.dmp
memory/1540-358-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1388-357-0x0000000100000000-0x0000000100138000-memory.dmp
memory/2888-356-0x0000000100000000-0x000000010020A000-memory.dmp
memory/1052-430-0x0000000000400000-0x000000000052E000-memory.dmp
memory/832-435-0x0000000001000000-0x000000000111C000-memory.dmp
memory/3024-441-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1052-445-0x0000000000400000-0x000000000052E000-memory.dmp
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | caf8f218586873174f42104ffc1c41f1 |
| SHA1 | 27e82cf8fce3970ecf5c5df3c9e799183d8a1722 |
| SHA256 | a598be6eba2b333030ef9e601af5e8db79d82c7747866586e167341aae0de53d |
| SHA512 | 35a84e9fe72cf8c9d7c2cb4be028afb0521960d9db1acbf9b6cdd25866cc6775174955c4399e8efcfc993a2ce2739c74d0936e92c974e8512aef5c300358a8a7 |
memory/1540-429-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2600-395-0x000000002E000000-0x000000002E13B000-memory.dmp
memory/1488-532-0x0000000000400000-0x000000000052E000-memory.dmp
memory/3024-536-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2700-530-0x0000000100000000-0x000000010011B000-memory.dmp
memory/2992-573-0x0000000100000000-0x000000010011C000-memory.dmp
memory/1488-584-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1688-580-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2084-616-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1864-615-0x0000000100000000-0x000000010019A000-memory.dmp
memory/1688-620-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2084-631-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2280-632-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1948-649-0x0000000100000000-0x0000000100219000-memory.dmp
memory/2460-653-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2280-656-0x0000000000400000-0x000000000052E000-memory.dmp
memory/556-652-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2460-673-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1032-677-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2888-676-0x0000000100000000-0x000000010020A000-memory.dmp
memory/1748-694-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1032-699-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2580-710-0x0000000100000000-0x0000000100123000-memory.dmp
memory/2272-755-0x0000000000400000-0x000000000052E000-memory.dmp
memory/280-753-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2272-743-0x0000000001A20000-0x0000000001ADA000-memory.dmp
memory/1980-742-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2272-739-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1980-730-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1488-729-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1748-718-0x0000000000400000-0x000000000052E000-memory.dmp
memory/280-768-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1996-779-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1284-791-0x0000000000400000-0x000000000052E000-memory.dmp
memory/880-803-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1240-813-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2372-816-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2248-833-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2140-838-0x0000000000400000-0x000000000052E000-memory.dmp
memory/888-839-0x0000000140000000-0x0000000140134000-memory.dmp
memory/876-856-0x0000000140000000-0x0000000140134000-memory.dmp
memory/888-859-0x0000000140000000-0x0000000140134000-memory.dmp
memory/876-862-0x0000000140000000-0x0000000140134000-memory.dmp
memory/2340-872-0x0000000140000000-0x0000000140138000-memory.dmp
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
| MD5 | 8c69bbdfbc8cc3fa3fa5edcd79901e94 |
| SHA1 | b8028f0f557692221d5c0160ec6ce414b2bdf19b |
| SHA256 | a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d |
| SHA512 | 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
| MD5 | 9fc7a046608176a7bec4899130bb765c |
| SHA1 | 2b03bd8b333ff39fe62369bce0b0e4b88399906e |
| SHA256 | 2a3e62e2e71d2e95f37f1fc75a453a0830565538e3abfe4f717693cde743ee83 |
| SHA512 | aa5fbc9107dc6081c4b63c906c4f30838a2abe7b8aca0b68005220eb864a589785993a3eeeaa0b995d9d0a90fe0d18cf9fb9f0745abdab77bb23d144d9f4fb97 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
| MD5 | 4f40997b51420653706cb0958086cd2d |
| SHA1 | 0069b956d17ce7d782a0e054995317f2f621b502 |
| SHA256 | 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553 |
| SHA512 | e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
| MD5 | 71d4273e5b77cf01239a5d4f29e064fc |
| SHA1 | e8876dea4e4c4c099e27234742016be3c80d8b62 |
| SHA256 | f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575 |
| SHA512 | 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
| MD5 | 3c269caf88ccaf71660d8dc6c56f4873 |
| SHA1 | f9481bf17e10fe1914644e1b590b82a0ecc2c5c4 |
| SHA256 | de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48 |
| SHA512 | bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
| MD5 | ac901cf97363425059a50d1398e3454b |
| SHA1 | 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7 |
| SHA256 | f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58 |
| SHA512 | 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
| MD5 | e3a7a2b65afd8ab8b154fdc7897595c3 |
| SHA1 | b21eefd6e23231470b5cf0bd0d7363879a2ed228 |
| SHA256 | e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845 |
| SHA512 | 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
| MD5 | 2735d2ab103beb0f7c1fbd6971838274 |
| SHA1 | 6063646bc072546798bf8bf347425834f2bfad71 |
| SHA256 | f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3 |
| SHA512 | fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
| MD5 | 9c60454398ce4bce7a52cbda4a45d364 |
| SHA1 | da1e5de264a6f6051b332f8f32fa876d297bf620 |
| SHA256 | edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1 |
| SHA512 | 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
| MD5 | c26b034a8d6ab845b41ed6e8a8d6001d |
| SHA1 | 3a55774cf22d3244d30f9eb5e26c0a6792a3e493 |
| SHA256 | 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3 |
| SHA512 | 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
| MD5 | aefc3f3c8e7499bad4d05284e8abd16c |
| SHA1 | 7ab718bde7fdb2d878d8725dc843cfeba44a71f7 |
| SHA256 | 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d |
| SHA512 | 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
| MD5 | 0fd0f978e977a4122b64ae8f8541de54 |
| SHA1 | 153d3390416fdeba1b150816cbbf968e355dc64f |
| SHA256 | 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60 |
| SHA512 | ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
| MD5 | 6eaaa1f987d6e1d81badf8665c55a341 |
| SHA1 | e52db4ad92903ca03a5a54fdb66e2e6fad59efd5 |
| SHA256 | 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e |
| SHA512 | dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\80678b15b3321cce2851b23eba2e7195\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
| MD5 | 73f2270c420d91bee23e3e91122de19c |
| SHA1 | 73b6c4576c5c7515a19ac8ebb6052d37f001f0cc |
| SHA256 | 77135609d7bae2f9470595d86b0231c50240a427a50dd8ee06d1f3cb6935016f |
| SHA512 | e0189142766c36fe7d78df3c3bf8b728b3054a3fe3eee0f5bfc3bacb76ad988cbb52efd806f5d00376e31915b8025a1826cbb28aa9f910732f4a7ed1d63fd7f5 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
| MD5 | f786ebe6116b55d4dc62a63dfede2ca6 |
| SHA1 | ab82f3b24229cf9ad31484b3811cdb84d5e916e9 |
| SHA256 | 9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12 |
| SHA512 | 80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03c2aa6abfd911c4474c01c44f2b01dd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
| MD5 | 2d67811555de605d1962cf7e7d160198 |
| SHA1 | 26dd4ef67c45b62835b4cf0453afa06ab162b855 |
| SHA256 | aa18a783f3fe5da49f8ae8fdb91457b58b6ccf6fd5674b6f4d274e414a3ff96d |
| SHA512 | e53ed9302a954afae32272b28df0d56de7ba3472b7941bdf5526e65b37a83fdaf8a633158b20076fc186a9600e9f880259b1dfcf153c6532443ba87b6512e8f3 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ad2683870b8d91203cbe9cd71a434440\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
| MD5 | b35874a5a3fc84f4e19d2973954ee3c0 |
| SHA1 | d229888e66d01ff5b71a6be0355f7790e64edcc1 |
| SHA256 | cee2f361eedc926d150eb86eda8721ffc2a56390c28e58bc0d2a0d06347cca07 |
| SHA512 | 7ba87ee5d258a713b1d1a70af07dfefaa890ecfc69dd1a6368743f478b5ffa1156e9f0a0d74947d924972788ce4c193e6e6aff15ab816b09fc8ed921118c42c1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
| MD5 | 7812b0a90d92b4812d4063b89a970c58 |
| SHA1 | 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea |
| SHA256 | 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543 |
| SHA512 | 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed |
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
| MD5 | 3e72bdd0663c5b2bcd530f74139c83e3 |
| SHA1 | 66069bcac0207512b9e07320f4fa5934650677d2 |
| SHA256 | 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357 |
| SHA512 | b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
| MD5 | aeb0b6e6c5d32d1ada231285ff2ae881 |
| SHA1 | 1f04a1c059503896336406aed1dc93340e90b742 |
| SHA256 | 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263 |
| SHA512 | e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
| MD5 | 006498313e139299a5383f0892c954b9 |
| SHA1 | 7b3aa10930da9f29272154e2674b86876957ce3a |
| SHA256 | 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c |
| SHA512 | 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
| MD5 | e88828b5a35063aa16c68ffb8322215d |
| SHA1 | 8225660ba3a9f528cf6ac32038ae3e0ec98d2331 |
| SHA256 | 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142 |
| SHA512 | e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
| MD5 | c76656b09bb7df6bd2ac1a6177a0027c |
| SHA1 | 0c296994a249e8649b19be84dce27c9ddafef3e0 |
| SHA256 | a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0 |
| SHA512 | 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
| MD5 | 0637ad2bf6fc5ac1d29e547155bc818c |
| SHA1 | a502879466b6dd37eae5881bbb18353f97623852 |
| SHA256 | 868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f |
| SHA512 | 1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
| MD5 | da9f9a01a99bd98104b19a95eeef256c |
| SHA1 | 272071d5bbc0c234bc2f63dfcd5a90f83079bbab |
| SHA256 | b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d |
| SHA512 | dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll
| MD5 | 87111e9d98dc79165dfc98a1fb93100b |
| SHA1 | 4f5182e5ce810f6ba3bdb3418ad33c916b6013c8 |
| SHA256 | 971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42 |
| SHA512 | abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll
| MD5 | d74d434aa70ce827715b5e0ac7eda5be |
| SHA1 | b53f3374be4c96af51c78fd873de1360f17c200f |
| SHA256 | 54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496 |
| SHA512 | 631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll
| MD5 | 7ebbba07bc6d54efd912bcd78b560b7b |
| SHA1 | a6aee1a80ddcdf201301ac29293c62d58bcc941d |
| SHA256 | 637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a |
| SHA512 | 2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll
| MD5 | eb09a7062a66a50fe2cb16c4a80561a7 |
| SHA1 | 33b4c71ced7644be9802374a4f04c866394daaca |
| SHA256 | e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256 |
| SHA512 | c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll
| MD5 | 7687295a6e19cc656b077e6a61629d4e |
| SHA1 | fa1025de5cffb56a3d1f8cae9d09b7171b33326e |
| SHA256 | ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86 |
| SHA512 | 19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll
| MD5 | 58cacef7cbc000bb5ddeedc08a598f36 |
| SHA1 | f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7 |
| SHA256 | 124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270 |
| SHA512 | 9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 13:50
Reported
2024-10-21 13:52
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043f8e436c023db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002baad636c023db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f1fec36c023db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6e20f37c023db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007905e37c023db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048b4a337c023db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f1fec36c023db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe |
| PID 1260 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe | C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe |
| PID 3980 wrote to memory of 3620 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 3980 wrote to memory of 3620 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 3980 wrote to memory of 5076 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 3980 wrote to memory of 5076 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
"C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe"
C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x294,0x298,0x29c,0x284,0x2a0,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.10.141.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | 212.31.129.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | 138.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | 160.200.246.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.78.164.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.15.160.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 18.208.156.248:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | 86.104.213.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| SG | 47.129.31.212:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| SG | 13.251.16.150:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.211.97.45:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 3.94.10.34:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 44.213.104.86:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 18.208.156.248:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| IE | 3.254.94.185:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| SG | 47.129.31.212:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | 185.94.254.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 34.211.97.45:80 | yhqqc.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| SG | 47.129.31.212:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 18.208.156.248:80 | opowhhece.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| SG | 47.129.31.212:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 13.251.16.150:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/64-18-0x0000000140000000-0x00000001402D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\34e13f30db05c3ba.bin
| MD5 | 777f0fcf269160b8f46966c329315886 |
| SHA1 | 559fb43c8c4328a065948828103151bde1710856 |
| SHA256 | 740902bcdbd8ccba18f141ad21399bdb649c75d92cde8170037d7d96a0c5e11d |
| SHA512 | 72cdd0dd1be61fe9a948558eacb14c3af74fd4af9e15d1a37a2ad4ba92c79ecc5352768fc530df6da6d74f1860b1ef19cdbe6f753c417f1232cf8410463b6e88 |
memory/1260-27-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1260-26-0x0000000001FA0000-0x0000000002000000-memory.dmp
memory/64-12-0x00000000007F0000-0x0000000000850000-memory.dmp
memory/64-21-0x00000000007F0000-0x0000000000850000-memory.dmp
memory/1260-9-0x0000000001FA0000-0x0000000002000000-memory.dmp
memory/1260-8-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1260-0-0x0000000001FA0000-0x0000000002000000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 5210d448554779b94ff42193a1693f32 |
| SHA1 | 31ab75297bd1b7c43be3c19d384de43dd6677f06 |
| SHA256 | 46d0809e5f34ea489659217e6cebcd1d8ba6dbe77f99912bf979585246b01df3 |
| SHA512 | 51325a912fed8d196275f77bd608aeca44f6971f06d867de5e9777e5bf866aff65b43fed4309bee9cbcd0089cbd6fe9e9ff93dfddf3546a4f79fc7ad5fc220b4 |
memory/3604-40-0x0000000000720000-0x0000000000780000-memory.dmp
memory/3604-39-0x0000000140000000-0x0000000140130000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 578934a8aea8db37cb42027dc508ca95 |
| SHA1 | 94d8798df7c8feae1cdf9881406e741a73d2adac |
| SHA256 | ef0372667357e2913bacf429d1b310e8f0601d049b46575c5ec5980fc10cf6d9 |
| SHA512 | 177c506d1be47c8a9bd8de93500622d1c9a4213a2d80b2fa883640c1f84f7b3fa4b1e4298cdf153097b22f39c5117ad0c3119c56e14a6e23d265d082af35e85c |
memory/3384-45-0x0000000140000000-0x000000014012F000-memory.dmp
memory/3604-31-0x0000000000720000-0x0000000000780000-memory.dmp
memory/3384-46-0x0000000000690000-0x00000000006F0000-memory.dmp
memory/3384-54-0x0000000000690000-0x00000000006F0000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | 81ae1f265d06bf65425443ab38468280 |
| SHA1 | 8ca96ce591cd2a8928fdd33c4b781904e071d79f |
| SHA256 | c10c0c785d2aeeb8f789f728755a09ee0230d8ef83c0e9f50f60bec01fb14a6b |
| SHA512 | 154770ceaef59f06ac03d5070d7dff546fe23cffae0a31f9716e2ac9d16e881ba9e2edf15b6c6108f2994ebd539583888c0ffb4ce3824ab13fde75b11428f314 |
memory/2600-57-0x0000000140000000-0x0000000140135000-memory.dmp
memory/2600-58-0x0000000000830000-0x0000000000890000-memory.dmp
memory/2600-64-0x0000000000830000-0x0000000000890000-memory.dmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
| MD5 | 0f5ccdb2e00a8d47896cbdb9c036cffd |
| SHA1 | a7159ac32ef339bc12886f2262bf2b603a105a39 |
| SHA256 | 193f784052421939cae30816a3eac090c0ec3c73af5572c291f2d732a77c898c |
| SHA512 | b5e2546d25c795e46a2214bc3cb312b44cd18a4aa423a7b03b17abf54cc223a7535f611130900f41bd84c9eb3493177a7829fc6fb363baeda64ce67caca53dcf |
memory/212-75-0x0000000000750000-0x00000000007B0000-memory.dmp
memory/212-68-0x0000000000750000-0x00000000007B0000-memory.dmp
memory/212-76-0x0000000140000000-0x0000000140234000-memory.dmp
memory/2600-78-0x0000000000830000-0x0000000000890000-memory.dmp
memory/2600-80-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | 30a1ca897820a5d4f1e8cc41e925a10c |
| SHA1 | ad1523a992ea0d2a7e5e33ab32f107a37f070430 |
| SHA256 | 624f3615033c317bba0cfd8109bd67e4bde27ef5c192f28dde26619e00c95d10 |
| SHA512 | 106f405fd28b3a57d76fc9e32ed1fd83c5675ffceefbaad9b414de28c5b89e8d20cdff5473819646e21394c262d52d73ca39417b6c407028e3c475f23ef46435 |
memory/3660-90-0x0000000140000000-0x000000014022B000-memory.dmp
memory/3660-88-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/3660-82-0x00000000001A0000-0x0000000000200000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | fbe743ec3e250893356522dd6d2d9e57 |
| SHA1 | bd2f3dbc534bcf5f4d756f38cb1597c1fb68fe69 |
| SHA256 | 4832f7774833597509813eed9bc7150ebb2a0bc5b470c0c37cec677cbeff8b70 |
| SHA512 | 6a3d873157d987ef1614eb9f6be210606026e86bd6085a90ffcab364fcab54d03bd4824c2bbd14df9bdbe875199408eb6e69b7b04b0bf311575ad0492385deb6 |
memory/1004-94-0x0000000140000000-0x0000000140155000-memory.dmp
memory/64-93-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1004-95-0x0000000002280000-0x00000000022E0000-memory.dmp
memory/1004-107-0x0000000140000000-0x0000000140155000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 150a7c837329532fb1d3b6817b1564ce |
| SHA1 | 0fc80b75d1d64db675ef951b1cd34efe66c20d32 |
| SHA256 | 8cef70a45c266dd66b60168f76f030e55d5ed5c75c070bd6e648de55564cb93a |
| SHA512 | d650d5db4a26e7798134a0729e018f9d6479f2620f81894500d4ba5186c3ca9b7fec55806514e44f06cd2c0e72716d75071e3076442f5e74bf1a00b9a1eaa464 |
memory/2032-109-0x0000000140000000-0x000000014013F000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 173fdcd6ccdf41583468e1c41d79ef80 |
| SHA1 | 4a4db0fb7b01fda4787de5e357a6a8cfb85006cb |
| SHA256 | 12dc86850065b7749345b58598a3b4295febbe4914e37471b3331e7436c8d3e0 |
| SHA512 | c0e82c4008a536748eaa2cd57f02427306975915abbb757a84593f289ee71ed4193be30fd0c6739b490c1127f852f4792d600317653583f07963e4f2b9edbd8a |
memory/4724-121-0x0000000140000000-0x0000000140155000-memory.dmp
memory/3604-135-0x0000000140000000-0x0000000140130000-memory.dmp
memory/388-144-0x0000000140000000-0x0000000140131000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 31b8792572251fb50e14ca7bd31b5f22 |
| SHA1 | c860f57924352a5ac9b6c0954bc4d4dfa2e1ae36 |
| SHA256 | 933ecc10ddd30e840608ccca52c45dbab87dec68c053f22547de599939a9bd65 |
| SHA512 | d4c726d3779bee1fa2f407d83e636cf9962e97d74a5c5469a99a16829b5f978753157a436a7a0c2c4fe4da19a2fdd329d1b328c17c697a54e9e77f1a47712db6 |
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 0fa4eea7965c8357a4c564e8edfda2e9 |
| SHA1 | ca6a66208b972642506eb758591378decee44396 |
| SHA256 | 6514712eab71d50dbc6d23999024eecae4c27547befb75cd5bccd05e9142f02f |
| SHA512 | 9a373182af53585beacd7ab29aa7d66f41f8dd9593737230bd776b08dbb100e5b807aa9dd7fce103e03206c138182526deafbb81159d7b5a2b1fb387a2e592f3 |
memory/3664-147-0x0000000000400000-0x000000000051D000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | 0e80a1a8275cc12689d7463193ca529b |
| SHA1 | 3fb55b2503722794469ee7347c58372ece02638f |
| SHA256 | 2c037f8c16d6def9f7384ec3b7c82b93d9f31ea39d9e93e705c73a71b2a97c6e |
| SHA512 | 29e3d1cda87e007553a08bdae17ee9dac7af58be5e3ca0a0211f2e3e0b627517d5b4b8282d79601256b1fe8a3c330a03bb146085b192fc8b8e797ee6d63835e1 |
memory/3384-150-0x0000000140000000-0x000000014012F000-memory.dmp
memory/2236-159-0x0000000140000000-0x000000014011B000-memory.dmp
C:\Windows\System32\SensorDataService.exe
| MD5 | 7b978c352b9fd47bbc9d3ccd95f4f88d |
| SHA1 | 18f65e202cc0ab01ee20e2f9bbe10686d68b245a |
| SHA256 | 8a68a12e2e4e912bffb625b9f2ab14d54e530514408de78bcc41b7f5e01c3dee |
| SHA512 | 16bd4adb1bef245895fb04c55ff010b8e47f317bd6fe00e270f7d674314b76474966bb6df809f70c84656418ab8ba408b1e94682c5013bfdafff068376c72c70 |
memory/3780-162-0x0000000140000000-0x00000001401D7000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | 382b96da6098552f0f162a0da9fc36b4 |
| SHA1 | 3621fc141a2040b54f2e5e751ec66623f634274b |
| SHA256 | d38e1d5769eff006917883a0e435818cfa60513ad2da25b0238756ba77175dde |
| SHA512 | 1859aeac4337f043f807c3d377c61f2d562cb3156975c667b23da426f076016b92506c2222f1a26f49f603f723f45d9d23610dc0dd0e1764b2c88466a1847984 |
memory/4328-182-0x0000000140000000-0x000000014011C000-memory.dmp
memory/4448-186-0x0000000140000000-0x0000000140169000-memory.dmp
memory/212-185-0x0000000140000000-0x0000000140234000-memory.dmp
C:\Windows\System32\Spectrum.exe
| MD5 | e3142cb4b4c91f6e11f61a3d53b52502 |
| SHA1 | ae75ad1acf96fe42686e4eeca95a2971acc13675 |
| SHA256 | 122af534fe0a877f4a442e238ff9e4de3e6016e9a92658691e647cb2cf9f876c |
| SHA512 | 36d745a1a8e657afd96fa6a0360ff8e7f6678e4dd48100aef417517a4952773707daa22a0c9fe2e4fe8d2231e0c299f2629024a1210ae9ba766a670eada980b3 |
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | b0978c430278cf04dd387fe47a4b1cc9 |
| SHA1 | f0f85e7bfa09d6d4e05d219f5b3b7180f05b7bc4 |
| SHA256 | 927b3b78e192d773928b9bc5669c377bd4fcfb2e26ff7594f18d5d00f0f09384 |
| SHA512 | 2dd2fb0419a41a0ae713d13653c25b0cf184b35d1aa857a20926e570089360a307b1ee8e6486def39bfd4e758200fadc54b6065d2f98a4d04bea296dda7a0643 |
memory/3660-198-0x0000000140000000-0x000000014022B000-memory.dmp
memory/3760-199-0x0000000140000000-0x0000000140188000-memory.dmp
memory/1828-218-0x0000000140000000-0x0000000140168000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | 0110e10ba65ed52ad612615609929e5f |
| SHA1 | ca1571ca64b7cd87a45f47843e57dacf27e054b2 |
| SHA256 | 69c68600c57850dda6683ab95156924757485733027e5067a4266eef5afd8df7 |
| SHA512 | 5e32d9b82ed0de687905d25dee07e25f9619a1a0bd18f8109cbff6a9e71e56f40e603bcadad3f61243ff58b6bb60a998552e2b75c82e9d23b38e53471a66424b |
C:\Windows\System32\AgentService.exe
| MD5 | ed183fae04b86529c471f89c4da8b6d0 |
| SHA1 | e1f606f24cff09d01e1391a5e94b3bad2385035f |
| SHA256 | 4e060bc878821ab6c16aaa12b6f6af05d7a16cbbbaafc7246edccab8ec691b5a |
| SHA512 | da6f16f27abc66af11bfe74bfeb6ac1635813a41a72271d13fc7ee2422563db573d1be71a7a93c6f347f88c9a8f9e7d81da03f8c9dfa4b0173c3923b9b1ae40a |
memory/2032-221-0x0000000140000000-0x000000014013F000-memory.dmp
memory/4732-230-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/4732-234-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 3de6a2f32dc2699c051d90d4d6d65d11 |
| SHA1 | 862b829329e8139fa84c0ba77113dec3ab8d6bec |
| SHA256 | 1cd0275e6cec8ea214552738b22921a8f3807a91a4d45f6b23fba5dd03ea2e7d |
| SHA512 | 56303a971ccf13e5a79a330db280d5caf35764b7d7a4bc5966f40305caf7271268c0c1e4689bd26fd734a944d2bc7b1ff1e34647ba91d99aea696a0640aac002 |
memory/2720-245-0x0000000140000000-0x0000000140147000-memory.dmp
memory/4724-236-0x0000000140000000-0x0000000140155000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | ccc416fc949287959cc7c6b6fd25792e |
| SHA1 | 38bada03f0302651cc9c7db9f2029718c88a5eac |
| SHA256 | 80e6007d3e1d6a05a5764778d058045d4299e20292586b763133b84f3ac4dad8 |
| SHA512 | c657270ea01f774ff77aa15c9e4cf6df182b6cdced62d174937515d1d6b115cb0667b97bf8b139517e77546aecd57d2a21147e325f2170f1578de84169463749 |
memory/388-248-0x0000000140000000-0x0000000140131000-memory.dmp
memory/2212-249-0x0000000140000000-0x00000001401FC000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 7b279be5ea2d9679098ddd42120d600c |
| SHA1 | f85d04c3eedc30adfb74941b3bdcba5e25082ad3 |
| SHA256 | 8651ea11364d301afd68cbd407cbfbcff3d18c5e7f04623649824c51b2639062 |
| SHA512 | e645da0396a4d42481149049b1df0c9b01ec2c5f8ccf791a16ac026a81b54a3995a911210664354b51659e6f48ac56337abd271331a502e7d6203a374c837c5b |
memory/4248-261-0x0000000140000000-0x0000000140216000-memory.dmp
memory/3664-260-0x0000000000400000-0x000000000051D000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 03d3752e205a701dbc961d04fc063829 |
| SHA1 | 88d967cc85d00ff7d28292b4d2551acdce1a2ff6 |
| SHA256 | f6edca067c27abca4c33af8a918838b02b49ba301418fa12701c84b21b20aee3 |
| SHA512 | a82568cf26f0996904f04244c5c32335d957ddefcd2cc5cdfee0a71de894013e552e5085538db4b264b1c8e3164072dd3e26131e8e3847609bfb87d17f2c0fc4 |
memory/2236-272-0x0000000140000000-0x000000014011B000-memory.dmp
memory/4368-279-0x0000000140000000-0x000000014014C000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | dfaf9d9692ebfc7c624ff49c3180c19d |
| SHA1 | a6be6e7a7e90f5cafca1ad340feac2a438d249cc |
| SHA256 | 887e83c0004616ba87240f3fc0c686c34853bf89d0dadab86f6bbdfac0738f13 |
| SHA512 | 0e76da2e8cde8a043420c29c4d0913c024fc65e3eb875f0719cd169b68b4619d3a11c736929a625298b5c8e833847400a3bc2858837c504bc895fda8c690bf9a |
memory/3980-294-0x0000000140000000-0x0000000140179000-memory.dmp
memory/3780-293-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/4328-399-0x0000000140000000-0x000000014011C000-memory.dmp
memory/4448-454-0x0000000140000000-0x0000000140169000-memory.dmp
memory/3760-486-0x0000000140000000-0x0000000140188000-memory.dmp
memory/1828-488-0x0000000140000000-0x0000000140168000-memory.dmp
memory/2720-492-0x0000000140000000-0x0000000140147000-memory.dmp
memory/2212-509-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3780-512-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/4248-513-0x0000000140000000-0x0000000140216000-memory.dmp
memory/4368-514-0x0000000140000000-0x000000014014C000-memory.dmp
memory/3980-517-0x0000000140000000-0x0000000140179000-memory.dmp
C:\Windows\system32\AppVClient.exe
| MD5 | 9ca1b9fca05d2e585919589c7b437d99 |
| SHA1 | 530375ecb47dc1c13179218132a21d6685bdcb35 |
| SHA256 | 40654ca4bee2ce6acd9950df587368ab3827a7bb28d67e9de11ac7533d835e5d |
| SHA512 | 409d37d60f009f7c14d0abc0add27083254f83e2881c3180f5226457f008291b18e5ef6a05267fe154fa47d93d3b2337962c4b6e5600d6c7e1985abb18c90356 |
C:\Windows\system32\msiexec.exe
| MD5 | dfbee1ca8c8a03f2726f40ee5d68be09 |
| SHA1 | d9a018a6aa7bc5bce4caa641cac30c234b6d4159 |
| SHA256 | 4a22c189d1c0ee8431a102cc6dcd8c9a5b965fcaf75075b35b643ce1cb5b4c1c |
| SHA512 | 2d33caec79a746251574910c6b520f4e20a2820fe591560e6fe921e050a028d6032b3187333c525c182d375992d2bd0a082a821c23baa609bf5bf04a5f2cfc6f |
C:\Windows\system32\SgrmBroker.exe
| MD5 | 272fb59b549879c3c8bfff5e6c862096 |
| SHA1 | 2cdf16f11e50ec80937574bcdbf6dc5cfbb7b8c1 |
| SHA256 | 56c10c69abc5c540a4fad78c319e9739604a79c9f8a1eaca4b4354c42bbd26c8 |
| SHA512 | c0a7337e9a85524b3c9e6363e7f8eb41b25c1e9b25aa09c176e5d15be821d96dca1ef9677a1d66dd362a39203ca76f3598133a2c69842f478847197370eed4aa |
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | dde4378aa4c3cecd3d55889e0b15049e |
| SHA1 | f716bb0b2abff712c4278ab9a77be95e9b2a1731 |
| SHA256 | 4f0e4f3d74bd04ae7ee8f2cba51316026348eddfe08daac8d14401f619e20d16 |
| SHA512 | e4b765b62a55d3fece0698d1259ce8fb19c38537d79d8277a643210b79f7aa87217aa439f1233bc35d0aacf7ecc66f14a677861f2b691157677a387c75c57d96 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | b4df05633e4b677e808199396192c634 |
| SHA1 | 27fa33b6595aa3c5e475681251a5543bd88f60ae |
| SHA256 | 1f3bf65a652e6fa2adcfcb7f1139134c10c0d3f9f6b0b18ec419fc63d23f3afd |
| SHA512 | 9410ef3e48b4964699404acec93ec56ef8eab130cf23767dd5733972711277af532acac11449016fc5066b681cf643c65ff164c831392d3182c1fecee8ed7df1 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | fad73521a47453adf352c1dccdd20ded |
| SHA1 | 0a6e2288c22fdbff790a15423a80ff0e1a229413 |
| SHA256 | 3b803378d3125027fd053d4c84d4098c75f5ec7e3a15be6d5aa1f8ef87917df0 |
| SHA512 | 135872f48c847b08d469d1a41ca38f54833b95089074fd8b475fc1f6fcac0d2cdef64bd0f3c25936591a6410d71571403448a2a1004b82edea72d8a270f2723e |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 94cda35fb7a979eccce9d6a836c89fd7 |
| SHA1 | 3a7b960712516fa7ecd728e6d4b60ec3fcde34c3 |
| SHA256 | ea284a0f3f46d00657fd83f6eb1cff514d09195c72e2184ae32b08722bb858e2 |
| SHA512 | f4fffd2519b3af860e11fa33be1cdec03842cb1fd2774f02266cf306ab8a6e70d521f3f123b7df73df8476506f3e45be664eed3af6e47105cdb343dc494b7706 |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | e8e30ce8117a9fc174f953a6d6333687 |
| SHA1 | 770ea8b8fa5f9a26e415dedc1943ebad96e1fc59 |
| SHA256 | bf35fc980d7b26a82ec66d8ab6f307237b57fc02cac854b6a57c6f2ff2030589 |
| SHA512 | 432eb24204786aff09f1a81a0467f5a1ed000a4005ae933156d5e35aee50cd46b79edcac3ba838f50d7699ffec54ff34af558ed3135bb585fc09e86e7d18150d |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | 22d4e8d4b8e03aebf29f219036f3770b |
| SHA1 | 5c9c98634df644f0d11b248c395cdf2db18f5690 |
| SHA256 | 5ca8640cc703d53f3fd360608042bee9bc478e8f34e87b09efb32954895b8f27 |
| SHA512 | 489c76e198815bf06bb045c0c29aa78d4db13ce0aaac8cdbbbcf1acf1f76da7df04e97b0ee9bb72111b00564aae886ceb83b5c4cb1c7cec5820bd45488ac9901 |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | 7f7eb2d8ff2be9d5e3f69cd90ef32872 |
| SHA1 | 7a26f90a844fe93b1bc70a07800f6475916c9ab5 |
| SHA256 | 15a3aa35e39fc79cc2a7d2d19655f962542d4fdf55e587c8d26daa0e5f25e346 |
| SHA512 | d62b6ba4efc0b257fc5fece2a86344b34f048226b780d196d69a8caa1b5c986cd686bd3b6e01d14a99e9adb927397509b9dbab772f750d850146d4a8b5a9d15c |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | 6ac311ef67914bf62edf82d79eef5220 |
| SHA1 | 663afc8c95842b4912b6158d94f14504731182fc |
| SHA256 | ed995d1a65140095691c312eb7ec1ad60678226675f5d77df880c30194008d73 |
| SHA512 | 58ce7effcc4192a2272e36cff463fc1cad17c326a2291d1a37ac943a4fbabad1eee5317f383edb0382288c97a1154d2aa01257cc87f7106339c602d2e969d823 |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | 30389edc40afc151dda9f2109826c901 |
| SHA1 | de1c2dfb168d1c6d54857f6b0e1cddfe2940fef5 |
| SHA256 | 9601b7396a5fe2b1d425c3113f6b35f1d7a8cd0f45a625f5399f686a25bc2e95 |
| SHA512 | c5fd28928495debdb0e6ca4dbff9b25ca85abee3c4ddca607e0c0db0c1f92f736a0d2d600616334741886017275f87f60f46b12020a2369240f1e70c0a53ad7f |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | e384e42803768bcf3f7a9fdb2a5d0f00 |
| SHA1 | b652ce8ff8b752c9b16377fc07def637bbbe60a7 |
| SHA256 | 48d65004a0bc0f5852838f6d3967fe924e9309dce34b7ec6b6d0fd59b9f19d05 |
| SHA512 | 975bd53326e5971c37f767bb0668d5b0122a888b23436be3639c2c70a401b63254257973ce0ba6be491af3912169350b2659614287ae0025a1be18e0779ff191 |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | acd5aeac65b9b37274441fe1cd582a9c |
| SHA1 | 7d8a4f0430b0683cec7c57b39a4ed7929e16a099 |
| SHA256 | 010bd47e73ed467ca18edfc313d3868cd89e67f09a6d393e69077cabef2d13d4 |
| SHA512 | 52f9d9eb3dd15b7339b7141a223b9567d252c9f312afb686468bc7f39a6910a567dd0518631f47a5db2aa3fbacfd1b32ef9fec429bc8e8c9047148930c961cb9 |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | 9d4224d6dfaadf11b2722c6cf1f3745c |
| SHA1 | b52539a9da4c4a304c7e4bff50d824fca00b3b33 |
| SHA256 | 9f29483d039e11cc03de79d1c404d55e30468d7ce44f5cd777b1fff1532a8e11 |
| SHA512 | bfdf2db7bc4c812cd089d41da0450458ff3ebd568e3ffbc581578d76d7d78e9f2aa8a433f1ad895c9cdc6c22b5b59f72a432065ab22d54570ce3228b25ad3f63 |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | d3be4dc4ade986ece0aa4478d8d15856 |
| SHA1 | 91ab43d7955844aef3117b6bbe1d017dc7f93fb7 |
| SHA256 | b08a7fa6557a6736daf335bb796bd0619fe9f76b7babb5e5f11b55490fd47607 |
| SHA512 | 2b74624cadb266c7ef0ee99ee23d257daf0cbc31b96b6eab0c5858abd3d206cec1f05b301dd262d558725f0192246a2dc268e73eed56578f6747f8c9db4d8432 |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | ade4d4b9fcfe1e6cdd2f8657132f2ecc |
| SHA1 | 30084d5af6a94ab446ed7fdfdfb397468783e331 |
| SHA256 | 93717e4a0250835e848a0747ebaffcec6b206a5daee4a559c80b3413d516b56c |
| SHA512 | 756b65457fdca7a1a71c82cd68ff998e7f4bfff41cd12e4596325f2891ac6412fc7ab222f7eaa2b6d95b1c4e7fdf230cf81fd48a3556b33a0658b61625dee477 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | a3ce161cb9ece6dd116b287dea678b3b |
| SHA1 | ded02ee5dc23d5586a19adc1ea737d3e0ff52ce3 |
| SHA256 | edfeb846d0518521fc47bf91bcc2ec98b5abb9f81de7808c27872fe46cca4299 |
| SHA512 | 0646380d849eb28f043156e64909dea1f983e57fac714fa89c2fd8248f23d13cde67cfc2f678cea0a00c5f2854d2ba5aedc729e8917c92405f7ad5ee5a283139 |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | 8de0497b8a3faee11b12dea660ec1e87 |
| SHA1 | d7f7b2a801353c63a1189565c987fe0e5ca6c844 |
| SHA256 | 690e6c2f70acb716f40685d26b651da3c0790ac12419e5d13df84a3891d454e5 |
| SHA512 | 07f62119ecca90bd0a9933300c5ef678ec248d5ec748e6a7edb34af9d8183aa2f6d8d15a8506febb1dd6ffcf8d8fce1936c1003c91f4076fc9b3f85fb4c44419 |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | 23e16aea74eb54f4ffd1baa37893215b |
| SHA1 | 13b4cbc4763cc8ccd2749de62d39f01e0dd923d2 |
| SHA256 | 2084e5e4538096433e5baea468db3c6f9e9fa7efab96659a6ff696cecc846653 |
| SHA512 | c849c7811f3c8bb815fd8e22bbb5261e8f377c2c6680016cf1ba5b446ae3e45bb5371dcbee07fc5503dc01d43b2feb1eb8980d78c8675aef6f653a9c98f3f543 |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | da2b2fe3e57e31f6a3816169676d51b9 |
| SHA1 | ed57aa1b0f13f03d7560cbcccf93193379607462 |
| SHA256 | e5797c4714c864b27e00afa48f6d222264006de02049fbdc778af8233ff2ad39 |
| SHA512 | d65c07ac157159f6f6bb419ee9869cae4635da5160f8f617cae0a31c04abe1da58d7e398da9463843e131e02bf8de558ff93fae78e64f663d185b68a3ab7a20b |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | 1cff8f89050f8a09534b7cf2955dcea9 |
| SHA1 | 2cb1703d26fc2367739c23a4fc0cbf7f4ffec8be |
| SHA256 | 115c1387c4e7f9e2ca6f034c5bd46f7a42e29b5c3892e9efcc907c47e38fa8d3 |
| SHA512 | 9e9cb89dbff2677debc81c51afc96e514049fb34312bd2bba90063ef98bee8371f280a7ae3e77d5ccb42fc548cdbda29f7ee42b56923ae532830309909fb2382 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
| MD5 | 34dbafe9682a55e9a1fd0f31c73c3989 |
| SHA1 | 437389b18d4865e487f134bbc818af1ddb6b926e |
| SHA256 | 2ff759ca21c5de514b593cb39cb94aa1baea4d10e49a680e88a97bd87ddc17c2 |
| SHA512 | 533b23c899e2e00ee066c53a392db7452abcf1e238b074af5241d25f07b556ac9622476da0b0814ac06aa19757f1a04377d86bbbc8d0972b5ec4a3d910923611 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
| MD5 | 44624ac4ab7698af05b5016471fb8bfe |
| SHA1 | f29c6a2d9379bca16486f9b5bfa16de3c4178bb3 |
| SHA256 | bcf20e4c34bffee8490984aed139a1e54bf7db26a49821dff72e323bd9b7d779 |
| SHA512 | d2de29b63f14e29471f403024fef76c8daba24f4c38026176cb5ce4832fa65d256f70d39bb072bac3dfdf6b6f0c535d1a1ffa8833c8df0a3970fe52bc12f91b4 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
| MD5 | 8bfc28c48e3a061a59546a3300bb9998 |
| SHA1 | 1feb390062d1ba72ba9e8d2152850b8ea010f272 |
| SHA256 | d779b2ca94dce874fe8459487d9baa056093044210c96ce47b2c661f566bd885 |
| SHA512 | 05a98fb0ce4cf10ffb01c211a9f73ed53cdf8817cbe82875811dfb4d9a9de3de1dcb1fb2375b5ba141fb617b0e54b5733b0b9862535ee599be5a540baad4b10e |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
| MD5 | 870723170b9e9c055624016cff678856 |
| SHA1 | f9e02c9eb60e5d84f0abbc9b8b43a2df62430ea5 |
| SHA256 | 5f3d2b08a85fffca9e2fbe09cdbac1231a63d7a6944d318844cbbefb97db5b58 |
| SHA512 | b98a893a73974323ae77b44e195d8269909696c2ecef8234672046f145a3020fb5e72e1ee0a060d76b98048e358aa833a3d18aaea1b561aee2c8e71f294f31d6 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | b39d40b0835de83bbc911aa6bd09acea |
| SHA1 | c4553fa9e257b55bdaf1eb9ba39511efd2ef5c03 |
| SHA256 | 89e649443deb6d30214934cb16541f7667a20b6187d138d77a2a38ae61f8c901 |
| SHA512 | 3f40b7c56925bb1b0ea8076af7cf58d12b0ec2bd11f8a871f0532836984a7222e2f91ef13eaab6fc948093905047bcafcc7e34acc37cba42b5a05b304cda566c |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | 94a530f0ad4047b0ff3775151ad474df |
| SHA1 | 1cd58e513a09799ce2a5b1f2662f499aee0dc54f |
| SHA256 | 9f57230fd32e376987eb73be40d6b01c0ccf7de8606ad3e30ebbb019e8cca417 |
| SHA512 | 2635b330b8591e47d33ef80e468221d613790195e5c713daa61b1a1d78bd67a343768b1ac8ef3e40992bd6d917670b59db4f21b4b611ca16ddd5e52600fb4814 |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | 92aec187a4fba74542bd65a7880dff18 |
| SHA1 | d079f97bb45756b44c96b346c7947aae3be82398 |
| SHA256 | 87f22ca267dc2100a192fe2c25c1309cccaf292a7728d55dd41b27be922ffa9a |
| SHA512 | 59a8752c50dc180e99ca7fca4405793294db8d5f485bdc93e74a09566182489d35f042dae8a57f3fa14204103dc002923b2cfd4319cea7939e2378d17d6688b8 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | ef08deadb14f0a31f9f349da3867b234 |
| SHA1 | 2509c63006aa3d67d26660e70c059206cbccbd91 |
| SHA256 | fa5f026eb7f0cbd13ede0477722422af20662e15ec3b76c334139f69f6ce628d |
| SHA512 | a0df9a5f07dd7ff1a7e90d90e16468a66a82def54a97cfa9da371c0c0a3d08c7c7eb59f4beff0fa54887ce58428e5ac3e81376870944f2f9169bef8b78932f60 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | a40f9b6cc5ab6f9dd62e15717ad6a7dd |
| SHA1 | ea330346fd469d07a7448253fdedb7d249f12bfe |
| SHA256 | d537c6cb8a288b92656e4426b686aeaefbf8dafc0415e4e436ab0b54db45dbe3 |
| SHA512 | 4302988898782cd8dda13fc2fb110cff0f9363d7b74bdcf431bc850af89c28d2fbb274434d5dc3225b19d0e556d6a09f99e841834afb95ad0b8b5cc017442b8a |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | 6c592d726678f4b3da23fbc82954873e |
| SHA1 | e868a5cd4158819c6de2ab89f3aab70f914dc939 |
| SHA256 | a92bd56aee44e6cb1cd4817a8901ed6425af9861a04706429d0bb9e20908c854 |
| SHA512 | 9d7db70e6a034b47ceddb84435fa7c4e988392c52b98f3a295ee407521f22633409697d95ff4e02c96ee74e8b06a03ed630c1831efff14705ab05674af15e767 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 415a63424f6b8a40f941b3ebb7edd78c |
| SHA1 | 515b0e67e2ebd433fa85f6399686dcabc19c576a |
| SHA256 | 66406505f0cfce9b3866c6049e684b6c20212a59d03ef76cf5684ad894ca3d6a |
| SHA512 | 4486f4aa5b4b8d4a1b22685b1563a7ae98ad764b9168abfd0767fb4ef052fcfafeddc355e5368a8b3754639c10a202d5027b9275ed31cf59bbe29c95ad00d3ec |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 87bc0e962c06da8b921238c3a8347c81 |
| SHA1 | 5320507ff3a10c0d654cfa939185db3fd3fc1930 |
| SHA256 | 34b2369705cb0bafe2f7df9cd95b92bb3b1d50f729be2583aabf5066db02ef1a |
| SHA512 | 6f81a358c367784790e46cba6bd1482dca191738a044884b942a6d4eab628b9953e71c9ae04a460a49ef659e510b65bc3efe25a3066cc5f8e2b5c644a7e9786f |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | c460d6b8216d65f69bf249b0bb766056 |
| SHA1 | b7207a0ff89b3ecd11bb1b12182cd8973d92feeb |
| SHA256 | beea9134780e6165f3e41afbef4ebb809088b1858e7a46856dd81ecd4ab75b13 |
| SHA512 | b85b66370a81fc197c7c338d29f3be99640fe835566107b8d7b7870a401c295ba608a448378f9be814f618367836dfb2551deb1637642f069dd3b0a1334eb594 |
C:\Program Files\7-Zip\7z.exe
| MD5 | 30c4cb0a1f5940030de9af8343e851ee |
| SHA1 | 7d09e0ee5a2cb7f4d916023dad2a4b28c087d1d7 |
| SHA256 | 09a3a5d17e084ff879ef1302e66f345eaf7d9c7164be25f361e365eb02a7a59d |
| SHA512 | 8ae3c5431980dd3de852cc72ee06f704c49440f6a705cdf32f3623416afccf70ddb5dd9cc5a4d0575c08e36fd110a5760ea52a52d059be23fbe86516ea19beea |