Analysis Overview
SHA256
efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7
Threat Level: Shows suspicious behavior
The file efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:38
Reported
2024-10-25 22:40
Platform
win7-20241010-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\9caca44d1073980.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7907.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP76C5.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2A8A.tmp\stdole.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP19D7.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index160.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1B8C.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP26B3.tmp\ehiVidCtl.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP17D4.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5773.tmp\Microsoft.Office.Tools.Excel.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1B0F.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5D9B.tmp\Microsoft.Office.Tools.Word.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\perfhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe
"C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1e8 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 1f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 260 -Pipe 1e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e8 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 250 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d4 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 294 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 260 -NGENProcess 270 -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a0 -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 270 -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 1fc -NGENProcess 1dc -Pipe 1a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 250 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 254 -NGENProcess 1b4 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 200 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 224 -NGENProcess 1b4 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 200 -NGENProcess 1b4 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 268 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 200 -NGENProcess 1dc -Pipe 1fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 248 -NGENProcess 26c -Pipe 228 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 278 -Pipe 200 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 26c -Pipe 224 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1b4 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 288 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 248 -NGENProcess 25c -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 298 -Pipe 1b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 278 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a4 -NGENProcess 29c -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 27c -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 290 -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 27c -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 290 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c4 -NGENProcess 2b4 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 29c -NGENProcess 26c -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 26c -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2c8 -NGENProcess 2b4 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 2b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d0 -NGENProcess 2a8 -Pipe 2c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b4 -NGENProcess 2d8 -Pipe 2c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2a8 -Pipe 2cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 2d4 -Pipe 2e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 2e4 -Pipe 2bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2ec -NGENProcess 2d0 -Pipe 2d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 2c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d4 -NGENProcess 29c -Pipe 2e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2dc -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b8 -NGENProcess 29c -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2dc -NGENProcess 304 -Pipe 2f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d0 -NGENProcess 308 -Pipe 2b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2ec -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2ec -NGENProcess 2d0 -Pipe 2dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d0 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 318 -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2fc -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2fc -NGENProcess 2d4 -Pipe 328 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2ec -NGENProcess 324 -Pipe 2d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 32c -NGENProcess 31c -Pipe 2e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2d4 -Pipe 30c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 324 -Pipe 318 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 31c -NGENProcess 32c -Pipe 340 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2fc -NGENProcess 33c -Pipe 2ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 344 -NGENProcess 338 -Pipe 2fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 310 -NGENProcess 33c -Pipe 2d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 310 -NGENProcess 344 -Pipe 31c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 324 -NGENProcess 33c -Pipe 348 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 34c -NGENProcess 358 -Pipe 310 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 32c -NGENProcess 33c -Pipe 350 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 32c -NGENProcess 34c -Pipe 324 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 364 -NGENProcess 354 -Pipe 344 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 354 -NGENProcess 334 -Pipe 36c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 360 -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 370 -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 354 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 32c -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 380 -NGENProcess 334 -Pipe 330 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 368 -Pipe 360 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 378 -Pipe 370 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 380 -NGENProcess 390 -Pipe 384 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 374 -NGENProcess 378 -Pipe 354 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 38c -NGENProcess 398 -Pipe 380 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 34c -NGENProcess 378 -Pipe 32c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 39c -NGENProcess 374 -Pipe 368 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 398 -Pipe 334 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 378 -Pipe 388 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3a4 -NGENProcess 3a0 -Pipe 374 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 394 -NGENProcess 378 -Pipe 38c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a8 -NGENProcess 3b4 -Pipe 3a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 390 -NGENProcess 378 -Pipe 3ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3b8 -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 34c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 378 -Pipe 39c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 394 -Pipe 3b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c4 -NGENProcess 3c0 -Pipe 3b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3a8 -NGENProcess 394 -Pipe 390 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3d0 -NGENProcess 3bc -Pipe 3a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c0 -Pipe 3cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 394 -Pipe 3b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 394 -NGENProcess 3d0 -Pipe 3bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3e0 -NGENProcess 3c0 -Pipe 3c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3c0 -NGENProcess 3d8 -Pipe 3dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3e8 -NGENProcess 3d0 -Pipe 3d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3d0 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f0 -NGENProcess 3d8 -Pipe 394 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e8 -NGENProcess 3f8 -Pipe 3d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f8 -NGENProcess 3ec -Pipe 3d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f0 -Pipe 378 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3a8 -Pipe 3c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3ec -Pipe 3f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3f0 -Pipe 3c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3a8 -Pipe 3e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3ec -Pipe 3f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3f0 -Pipe 3fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3a8 -Pipe 404 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3ec -Pipe 408 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3f0 -Pipe 40c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3a8 -Pipe 410 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3ec -Pipe 414 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 3ec -NGENProcess 420 -Pipe 434 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 418 -NGENProcess 430 -Pipe 41c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 438 -NGENProcess 428 -Pipe 3e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 420 -Pipe 3f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 430 -Pipe 424 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 428 -Pipe 42c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 420 -Pipe 3ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 420 -NGENProcess 440 -Pipe 430 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 450 -NGENProcess 428 -Pipe 438 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 428 -NGENProcess 448 -Pipe 44c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 458 -NGENProcess 440 -Pipe 444 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 454 -Pipe 418 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 448 -Pipe 420 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 428 -NGENProcess 440 -Pipe 468 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 43c -NGENProcess 464 -Pipe 450 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 464 -NGENProcess 460 -Pipe 448 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 470 -NGENProcess 440 -Pipe 458 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 440 -NGENProcess 43c -Pipe 46c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 478 -NGENProcess 460 -Pipe 428 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 47c -NGENProcess 474 -Pipe 3a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 480 -NGENProcess 43c -Pipe 464 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 172.234.222.143:80 | fwiwk.biz | tcp |
| US | 172.234.222.143:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.135:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 18.208.156.248:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| SG | 47.129.31.212:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| SG | 13.251.16.150:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.211.97.45:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 3.94.10.34:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 44.213.104.86:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| IE | 3.254.94.185:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| SG | 47.129.31.212:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 34.211.97.45:80 | yhqqc.biz | tcp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| SG | 47.129.31.212:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 18.208.156.248:80 | opowhhece.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 13.251.16.150:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | mgmsclkyu.biz | udp |
| IE | 34.246.200.160:80 | mgmsclkyu.biz | tcp |
| US | 8.8.8.8:53 | warkcdu.biz | udp |
| SG | 18.141.10.107:80 | warkcdu.biz | tcp |
| US | 8.8.8.8:53 | gcedd.biz | udp |
| SG | 13.251.16.150:80 | gcedd.biz | tcp |
| US | 8.8.8.8:53 | jwkoeoqns.biz | udp |
| US | 18.208.156.248:80 | jwkoeoqns.biz | tcp |
| US | 8.8.8.8:53 | xccjj.biz | udp |
| US | 44.213.104.86:80 | xccjj.biz | tcp |
| US | 8.8.8.8:53 | hehckyov.biz | udp |
| US | 44.221.84.105:80 | hehckyov.biz | tcp |
| US | 8.8.8.8:53 | rynmcq.biz | udp |
| US | 54.244.188.177:80 | rynmcq.biz | tcp |
| US | 8.8.8.8:53 | uaafd.biz | udp |
| IE | 3.254.94.185:80 | uaafd.biz | tcp |
| US | 8.8.8.8:53 | eufxebus.biz | udp |
| SG | 18.141.10.107:80 | eufxebus.biz | tcp |
| US | 8.8.8.8:53 | pwlqfu.biz | udp |
| IE | 34.246.200.160:80 | pwlqfu.biz | tcp |
| US | 8.8.8.8:53 | rrqafepng.biz | udp |
| SG | 47.129.31.212:80 | rrqafepng.biz | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 3.94.10.34:80 | tcp |
Files
memory/2036-0-0x0000000010000000-0x000000001009F000-memory.dmp
memory/2036-6-0x0000000000850000-0x00000000008B7000-memory.dmp
memory/2036-1-0x0000000000850000-0x00000000008B7000-memory.dmp
\Windows\System32\alg.exe
| MD5 | 1cb03fb6b46a79901ecb134a2aa4d965 |
| SHA1 | faf60b2aa1d05928350c77a47d000f7b46e98e2e |
| SHA256 | 4dc28fd224b29b078dd1e9879387d3ab77f486647bce845bdfe5a1abd3649faa |
| SHA512 | 8f4a420f33dbc144822cf9223f19bd2a71836266b0d648d81296719e59037ed520fae8921f785d6bcb093d849f324381e2e3ec0b0b53826eb991dcbec9bb19df |
memory/1712-12-0x0000000100000000-0x00000001000A4000-memory.dmp
memory/1712-13-0x0000000000910000-0x0000000000970000-memory.dmp
memory/1712-21-0x0000000000910000-0x0000000000970000-memory.dmp
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | 1cdeec9733e8f5075432abe539fc2ab4 |
| SHA1 | 4042c94ffde066852c957c1c732140c3252645bb |
| SHA256 | 69867aa957051e95c9ea28e90ed7e017eb58ca0bb4048aa8c5a619a09541bbea |
| SHA512 | f540d10aed43f3c76caae7c843d97a7168dc73c65db9c9007882b4c1537c076b0fab71b525eb4ab9b9db21b2c5e579d749cfd19bcec6736b242ab5bc6a8fb541 |
memory/2116-26-0x0000000140000000-0x000000014009D000-memory.dmp
memory/2116-27-0x0000000000220000-0x0000000000280000-memory.dmp
memory/2116-33-0x0000000000220000-0x0000000000280000-memory.dmp
memory/2116-34-0x0000000000220000-0x0000000000280000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | 0e66bbdfaee2e9690e7fc7c04dbac7ef |
| SHA1 | 2e721ac627cdbdc613eaf0ab6ea6277077594c5e |
| SHA256 | 0a2bfb69c51b8748221bcee47c3fb85c41e45d29e4dc24c7ac5f158ca2e0a791 |
| SHA512 | 7d5ab98aae0197432a39a03ccaa438c9a3135e6a869aad0483666f8065aa69970176a20d3ff672d975f504dd4a5e897ac33eb7fc867068b707eb2cc901139c5b |
memory/2984-38-0x0000000010000000-0x000000001009F000-memory.dmp
memory/2984-39-0x0000000000230000-0x0000000000297000-memory.dmp
memory/2984-49-0x0000000000230000-0x0000000000297000-memory.dmp
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | a4ff7246323625d34407c0e439c1f554 |
| SHA1 | 98cfc45bf36f0939ad7813c5d5aff82628a252b2 |
| SHA256 | b951fc89d1b1ef8710b5a1db8f8ea879aa5efb7bff793a4f867534998c363f15 |
| SHA512 | cd47fbf057972835f4dc5a7a0d3e54a120fbbd19bcdd0adbba5374ce18f40151ebda51f74161af4ad497a50b365b7e815d08514bb0236bce6320b5f3a1d5a7e2 |
memory/2816-55-0x00000000004C0000-0x0000000000520000-memory.dmp
memory/2816-64-0x00000000004C0000-0x0000000000520000-memory.dmp
memory/2816-63-0x0000000010000000-0x00000000100A7000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | 1e8b9d0a48ebd421e802f2cb80cb9550 |
| SHA1 | 1eaed6dafb4617c2c5134deb89a7ee6391bfdec2 |
| SHA256 | c4a1a15ef35d947e5c22941636e24ab9d75eaf91e7ba7d13e28c30af5568aff6 |
| SHA512 | 17fadbe37f99c968eeeb8156edac3dee8fbf50121010792690d0892d41a79412cd5f4875a69fa6dde332e7398238e37d8c470fdc79992e067e06fb9efb1bcab8 |
memory/2984-72-0x0000000010000000-0x000000001009F000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | a66211641894295f1fc34ab70cafe84c |
| SHA1 | 7bc54cb2f851237bb7751dfcf5160ea6646bb62f |
| SHA256 | d32d909d28c28893ace3877d07bb3005ef80e9ae16039900238bf69c269bdeff |
| SHA512 | 53b0777ff997f0396743a57c4932d2c695a88e6c5aea5184bd79f0bc1222607d9dff90b014ffcfe4a72a35b053de0407cef4d76c21bd8975ac255d566eaf8e37 |
memory/1648-77-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2036-76-0x0000000010000000-0x000000001009F000-memory.dmp
memory/1648-78-0x0000000000310000-0x0000000000377000-memory.dmp
memory/1648-83-0x0000000000310000-0x0000000000377000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | 9556530b82e960b7a19c738a978802ce |
| SHA1 | fadc91f3d4a6b5c3d9ef9090845637215676ab54 |
| SHA256 | d57fb654449169d5d1414c12a5b6c5460500d029f01576927afbf3ea4f9bab33 |
| SHA512 | aabf0704fa1d47a4b9f463cb448396a8f4d4f1408628e01bec6a2e34e88b1d239ee11da9080cbe6f3445a3b37abd26e404a53d1e9ca8db852c4e6094d35ec2a0 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | 0497f2f41be99479ae7461e31591930c |
| SHA1 | d161845e8738331a24929a3a2fad1b8b63b4cb40 |
| SHA256 | 54134967f085539eb65aa428572afe6dcaba4dd59737457a383d661179b4dc47 |
| SHA512 | 9be5c862343df880fcfcc20dd35a1da9bebddf041bb53d2174b38ac590e9d4ca48bb46cdaa600b56f887c094e26bbf7ce52c36de532b0dceb3641a2cc103298e |
memory/2816-93-0x0000000010000000-0x00000000100A7000-memory.dmp
memory/1684-103-0x0000000140000000-0x00000001400AE000-memory.dmp
memory/1684-101-0x0000000000210000-0x0000000000270000-memory.dmp
memory/1684-95-0x0000000000210000-0x0000000000270000-memory.dmp
C:\Windows\ehome\ehrecvr.exe
| MD5 | c8d4feb56794fed45a486439082eaffb |
| SHA1 | 672bfbb74783f060766df02b972b013e37477d2d |
| SHA256 | 8177fbd1a730ea1705f9b0fa8063a9242a9aa1dd23717b614369087ed1049f5b |
| SHA512 | ab589992c38fa14a1532037030e987f4fd3a9a2050cb0b92a3ab8636848ea439d5c184b337ece7aa55e698c608c07b78eaf7964e8ccccd4cfa606486a32ffc72 |
memory/1712-111-0x0000000100000000-0x00000001000A4000-memory.dmp
memory/2780-113-0x0000000000A90000-0x0000000000AF0000-memory.dmp
memory/2780-119-0x0000000000A90000-0x0000000000AF0000-memory.dmp
memory/2780-112-0x0000000140000000-0x000000014013C000-memory.dmp
C:\Windows\ehome\ehsched.exe
| MD5 | 7d3e5ff28df64217866661100232d00a |
| SHA1 | a810416005c7eba08b8df92b98ce655dd3fd3eb5 |
| SHA256 | 2dc1ee217bb274c43f749c7b7f12e2f8892690cb61bcb60a1f7fab9405cc046a |
| SHA512 | f07e05256eeedecfe387485283bf717c10ed84661e519061c073495c6ed5565cff93578035c414d2b4ace9fe30b368baa78b977e6f94b0b1c9ca3ec3df490bf9 |
memory/1660-126-0x0000000140000000-0x00000001400B2000-memory.dmp
memory/2116-138-0x0000000140000000-0x000000014009D000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | cea38f97c2d139befb7efce94ea470ac |
| SHA1 | bf072510545b7035105172d9badd3c045c495a19 |
| SHA256 | b95fb83542e80beaed3483cb87ba321aa2fda97312acc0b88c072dc6060d70f2 |
| SHA512 | 3a84f21bc8318c7b250a0b962544cc07940289b9e7444367a1b3d355db1dacf63e80cda1d5718787e8b42492af4c408737b5a4ad32c1531b8dc273419fa369ad |
memory/908-147-0x0000000140000000-0x0000000140237000-memory.dmp
\Windows\System32\ieetwcollector.exe
| MD5 | 1b56fd7eeb74b0fce6cc006ab30e0a63 |
| SHA1 | f5602ddeee3a523d953d52cb6f105de875c97122 |
| SHA256 | 3115288f325eb780d8130822896419d9256bb4f8a51e8702d8e3951101ce6ac0 |
| SHA512 | 3b3fac2130b3d48c24773910b0a3c8396aa03f9db5a6b21aa2bb28a6397ed0dba97d09fec7326f941762d97cbb29ec6fbca1609901ba85570477101b24a2cf95 |
memory/1620-159-0x0000000140000000-0x00000001400AE000-memory.dmp
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | a8966439a9e9ab01effe65c2681f8a8e |
| SHA1 | 3cf213b75d99b86f7d5edf4ff736a156ac1b696d |
| SHA256 | 750bfd19b654fc3ff7e69ce067113adf057f585b41141c3008e435a2fba0bea2 |
| SHA512 | 857cd7a813f3500e4b5df8f4fa8b482fdc2b8a8de17e4d4d5451025f6bc26a74bbfc470cc96860955f6016d154a94b3e1957a25636d5aad4e2579769b654b8d6 |
memory/888-169-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 20952f59099cb27b3a3a32104752d4c1 |
| SHA1 | acb73c0e5a0878611b1bd422417f820c2822ecd8 |
| SHA256 | dd75b25cd952b8c2000cb87e993eefc2499aac643478f0599f03a893e5284784 |
| SHA512 | fc324f6857a656138c3ae23d7fb33abd9ba494db216f722920cb9ad7ff9d8a101b7e6dd018023b1ecdb907bada1aa4ca8ef2b33346ebff6fb44fcd495ccae3de |
memory/1644-181-0x0000000140000000-0x00000001400CA000-memory.dmp
memory/1644-185-0x0000000140000000-0x00000001400CA000-memory.dmp
memory/1504-189-0x0000000140000000-0x00000001400B6000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 946ad17c43d132b8d628a83e5f208a14 |
| SHA1 | aa95aa2be4bf76b0d66846d412a833b4648dae1c |
| SHA256 | b478a4f2ec18066612460a4a096d24b02903bed9447b9dca91274538c3bd123d |
| SHA512 | 73f4bd562bc84bea5ae8b37eed7760519ffc1cea9ccc04bb9a1f45dc187e2bd43ed0ec1fe7d35c5d9e7e3633b16006c8cf8ad0cc428fb3d44f564a614e37b56b |
memory/1648-202-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1876-203-0x0000000100000000-0x00000001000B2000-memory.dmp
C:\Windows\system32\msiexec.exe
| MD5 | 03f5decc9577a57190c31e47c6059cc9 |
| SHA1 | 9c71c9c1545ee35fca37f2c236aba14b67611040 |
| SHA256 | e112b8fd519ccdfdb3a51916cb92502b37983d5b1d21a997c0bc6b1306df7fea |
| SHA512 | a377e1f67464b77291517cc97fe20798f0bc13b6dbba4a5f9b260021dd710ce1598898df89750096714ad5906ebc5510b89418ee2820bb4141e5eb07225201ba |
memory/1876-211-0x0000000000580000-0x0000000000632000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | da46f6047778ece2c446d8025cc7ec59 |
| SHA1 | f8e03f770f322fcca8af3b1a830ba896934747a4 |
| SHA256 | e406707b6e7672e3d9484853a4bbf43a9a978cf38e3e1efe5d80bd1e7cd59271 |
| SHA512 | cb3a3f9c614658c28c4ab0286cbaf83091f4743005627de3a778e3d2df5ef6c2b0fff887f66094a204bbe50997e46ceba3ddca73508e0e297675c1c95c66acde |
memory/2976-220-0x000000002E000000-0x000000002E0B5000-memory.dmp
memory/2780-219-0x0000000140000000-0x000000014013C000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 67a17403353f0a8e1e43098187435a34 |
| SHA1 | c7c9632e315a1aa19c74b267ca78b6bcef8ad21f |
| SHA256 | 1eafbc99bf421b43f1df16f226ce7ca30e40f4098e28eca11282cfbeee8bb0e4 |
| SHA512 | c5dd9392c1b49531f81a53655c6d57e713465672713f2958a2b3783ff7af38d7c3284bef2750a97326be6db552f9489e19152697dcd0d62d64f876728ef33fdd |
memory/2700-238-0x0000000001000000-0x0000000001096000-memory.dmp
memory/1660-237-0x0000000140000000-0x00000001400B2000-memory.dmp
\Windows\System32\Locator.exe
| MD5 | 0afbc99c6af7946799240899fce7ec54 |
| SHA1 | 1937e74f9316d9975245e24e5d08b5b7f89d35c5 |
| SHA256 | 6f4c85d8b4f71baf061ef62035e7b7ef4ee28bca3e855785f7b84cadd33db9a1 |
| SHA512 | f8ec3333112e9e3e63e4a220f88209802347efa0bc2803d0d3d20bd2e0b6e945a1f5f16ba647cb0acb9fbd2617deb9b80364084abab198024374494c8d632b3c |
memory/2708-252-0x0000000100000000-0x0000000100095000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | 3602edc7da3b9045e5b5f1bf3eeab158 |
| SHA1 | 0202d628536d511b924bb1b8fcfccbfe10029646 |
| SHA256 | bfea770c04e1a2f7b55abef9ef80c1d29f7baf67f42fbaec5cd79e011d8ddd1d |
| SHA512 | bf6d02ef0e18dc71d361784c889333df60853a4aa79bbdd12f9e834a8bca1d481e5cc96a22a3cd0a86ba6e9c549717dc3095a3e0caae3df46ec67e87bb6bb0ff |
memory/908-251-0x0000000140000000-0x0000000140237000-memory.dmp
memory/2752-266-0x0000000100000000-0x0000000100096000-memory.dmp
memory/1620-265-0x0000000140000000-0x00000001400AE000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | b3e62db68663afe76470117e0d2e4306 |
| SHA1 | 3df0c3782d6afe3e642f0801a5517c2f44a044a8 |
| SHA256 | 6e6b5a2356659ff5738b59cf878fb66ffb682bfdf4a9d54f3ee03645abd1d699 |
| SHA512 | 9294c61c24237bfa84fe9b19023fb5b822d93a36c34b662cead4ddb73b5215267d18922d1a466849524e7a78293cbc3bb98e9f4d5a58cbafd7e1a0e9b8d87fc2 |
memory/1128-292-0x0000000100000000-0x0000000100114000-memory.dmp
memory/888-291-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 77b06a6874658e28dafc149a6bc800cb |
| SHA1 | ee2c0f9883228293e80e7db5df7e541c6788a3b4 |
| SHA256 | 233b73320698cfe26d4cbfd546997f63f77ef643101f77fe4cad66367f1d97ae |
| SHA512 | f644a4754b94dad04ea4b775c3b33629d7b0aca0533b78442985a1168958f913bd3b6fab1a065afe76fda18e06d8c0a91fde42159f31edd7ff612153569428cd |
C:\Windows\system32\fxssvc.exe
| MD5 | 023e1b6700f67188e51911ef57bbd281 |
| SHA1 | 268653fbb82b7c36c8ac3be62b9a5a66d88de5f1 |
| SHA256 | b834aaa185a3d1cea3d129288cfdd5a6e3d0a0a6ce0c1264443578050fdd0442 |
| SHA512 | 28aa8d1ae5946df71ca765c611ec045e2fae939957b48dcf84be8aff20ac08ef16706d56b46232f95e4c35a4bb086d394c53e4f5b51d36aa9ac86a532c7e16b8 |
memory/828-359-0x0000000100000000-0x0000000100219000-memory.dmp
memory/2036-280-0x0000000010000000-0x000000001009F000-memory.dmp
memory/2576-421-0x0000000140000000-0x00000001400AE000-memory.dmp
memory/1504-420-0x0000000140000000-0x00000001400B6000-memory.dmp
memory/1876-459-0x0000000100000000-0x00000001000B2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
| MD5 | b9bd716de6739e51c620f2086f9c31e4 |
| SHA1 | 9733d94607a3cba277e567af584510edd9febf62 |
| SHA256 | 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312 |
| SHA512 | cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478 |
memory/2428-477-0x0000000140000000-0x00000001400AE000-memory.dmp
memory/2576-482-0x0000000140000000-0x00000001400AE000-memory.dmp
memory/2428-485-0x0000000140000000-0x00000001400AE000-memory.dmp
memory/2424-495-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2976-494-0x000000002E000000-0x000000002E0B5000-memory.dmp
memory/2700-499-0x0000000001000000-0x0000000001096000-memory.dmp
memory/2424-509-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2724-521-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2908-520-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2320-525-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2908-529-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2752-524-0x0000000100000000-0x0000000100096000-memory.dmp
memory/2320-546-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1128-537-0x0000000100000000-0x0000000100114000-memory.dmp
memory/828-549-0x0000000100000000-0x0000000100219000-memory.dmp
memory/1320-558-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2844-571-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2620-580-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2856-591-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2852-594-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2856-598-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/560-617-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1800-628-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/560-629-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1720-616-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1800-641-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1048-638-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1048-645-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2404-663-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/848-664-0x0000000001AC0000-0x0000000001B7A000-memory.dmp
memory/848-668-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2712-684-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2220-687-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2712-698-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/880-709-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1276-713-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2920-731-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1612-734-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2260-751-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1812-754-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2260-757-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1660-761-0x0000000140000000-0x00000001400B2000-memory.dmp
memory/1620-764-0x0000000140000000-0x00000001400AE000-memory.dmp
memory/2780-769-0x0000000140000000-0x000000014013C000-memory.dmp
memory/3028-781-0x0000000100000000-0x0000000100202000-memory.dmp
memory/1944-783-0x0000000100000000-0x00000001000C4000-memory.dmp
memory/1088-793-0x0000000100000000-0x000000010020A000-memory.dmp
memory/1248-809-0x0000000100000000-0x0000000100123000-memory.dmp
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | caf8f218586873174f42104ffc1c41f1 |
| SHA1 | 27e82cf8fce3970ecf5c5df3c9e799183d8a1722 |
| SHA256 | a598be6eba2b333030ef9e601af5e8db79d82c7747866586e167341aae0de53d |
| SHA512 | 35a84e9fe72cf8c9d7c2cb4be028afb0521960d9db1acbf9b6cdd25866cc6775174955c4399e8efcfc993a2ce2739c74d0936e92c974e8512aef5c300358a8a7 |
memory/3028-897-0x0000000100000000-0x0000000100202000-memory.dmp
memory/1944-906-0x0000000100000000-0x00000001000C4000-memory.dmp
memory/1088-907-0x0000000100000000-0x000000010020A000-memory.dmp
memory/1248-912-0x0000000100000000-0x0000000100123000-memory.dmp
memory/2384-932-0x0000000140000000-0x00000001400AE000-memory.dmp
memory/2384-941-0x0000000140000000-0x00000001400AE000-memory.dmp
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
| MD5 | 5180107f98e16bdca63e67e7e3169d22 |
| SHA1 | dd2e82756dcda2f5a82125c4d743b4349955068d |
| SHA256 | d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01 |
| SHA512 | 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
| MD5 | 5fd34a21f44ccbeda1bf502aa162a96a |
| SHA1 | 1f3b1286c01dea47be5e65cb72956a2355e1ae5e |
| SHA256 | 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01 |
| SHA512 | 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
| MD5 | 17ce54b01d0a074232235ed913ca4219 |
| SHA1 | 1b3aeafac003ff2a540e0eb4016304ef0d24e3f7 |
| SHA256 | 7e42218e2e8e9ea8661c92c818eed0252b1a28c50a019215f73d7b6d178b81ab |
| SHA512 | ec3d4b895f7cbfbbc67f50a8133b067391fd87dbe9bdb523017b81745b684a543f68ffaf1a553640cc432b410583a4ec2256a9f90a29c3135bafb874247077db |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
| MD5 | 3d6987fc36386537669f2450761cdd9d |
| SHA1 | 7a35de593dce75d1cb6a50c68c96f200a93eb0c9 |
| SHA256 | 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb |
| SHA512 | 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
| MD5 | a8b651d9ae89d5e790ab8357edebbffe |
| SHA1 | 500cff2ba14e4c86c25c045a51aec8aa6e62d796 |
| SHA256 | 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7 |
| SHA512 | b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
| MD5 | 4bbf44ea6ee52d7af8e58ea9c0caa120 |
| SHA1 | f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2 |
| SHA256 | c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08 |
| SHA512 | c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
| MD5 | ed5c3f3402e320a8b4c6a33245a687d1 |
| SHA1 | 4da11c966616583a817e98f7ee6fce6cde381dae |
| SHA256 | b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88 |
| SHA512 | d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
| MD5 | 9d9305a1998234e5a8f7047e1d8c0efe |
| SHA1 | ba7e589d4943cd4fc9f26c55e83c77559e7337a8 |
| SHA256 | 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268 |
| SHA512 | 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
| MD5 | dd1dfa421035fdfb6fd96d301a8c3d96 |
| SHA1 | d535030ad8d53d57f45bc14c7c7b69efd929efb3 |
| SHA256 | f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c |
| SHA512 | 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
| MD5 | 57b601497b76f8cd4f0486d8c8bf918e |
| SHA1 | da797c446d4ca5a328f6322219f14efe90a5be54 |
| SHA256 | 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d |
| SHA512 | 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
| MD5 | 68c51bcdc03e97a119431061273f045a |
| SHA1 | 6ecba97b7be73bf465adf3aa1d6798fedcc1e435 |
| SHA256 | 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf |
| SHA512 | d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
| MD5 | 0a41e63195a60814fe770be368b4992f |
| SHA1 | d826fd4e4d1c9256abd6c59ce8adb6074958a3e7 |
| SHA256 | 4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1 |
| SHA512 | 1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
| MD5 | 2eeeff61d87428ae7a2e651822adfdc4 |
| SHA1 | 66f3811045a785626e6e1ea7bab7e42262f4c4c1 |
| SHA256 | 37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047 |
| SHA512 | cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dc20893150c7b5b877029f38e51b3acf\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
| MD5 | 388c7e16e0ab1ecebee489de8e68fe19 |
| SHA1 | 3b57b9c0430e9aa172a29d9734ff1e65edc3e045 |
| SHA256 | 1dd2b24645b62d08b2568721e55be94e5429b5cc17de7a25beafc4668f46658c |
| SHA512 | d05983d3d8aa216c29b1ab800f7a71ae724fb8f8afe97b392087c6e1d646a08a29e841deec2b8477fd1900b976abda384ee4734ed99d3347a919974c39626b5e |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e147aa7481aea413b864b421616983bd\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
| MD5 | 7765ffebc7274906569ab11be8776352 |
| SHA1 | 636cc652de73021f553cc5f5f9ecdc40bebab4f1 |
| SHA256 | 52581d39a0e8d51cb2c3567a99036105ab4c27b9fc40f0252d160e49d15ee412 |
| SHA512 | d53f4412e07881fe3046c462559fb1baf6acb806bad2524d03d14aa12b01c3e69b816bcf65f00a34f935e13201a2f59d97d1148f0781f8b7d06794acde91c85e |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe3e03556a0762cf405912482403191a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
| MD5 | 580659e78794808b2e86cadccff6b0fb |
| SHA1 | d4800bc27086a04682960c5fa00afe628e9ac330 |
| SHA256 | 597167397dc4c9c3832c92e7382ff5b715e9092387b7481a4c0f4eb0794ac2bf |
| SHA512 | 2a4ba5aa61192ef87c773cad9372c6545a1a3ce62da22d333456c67d2ac14923ec11a8569770c09a8a0af5bc4454c94ed0c9526c37885977b34c8306571835c4 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e258878b97a273c306773f4489adad57\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
| MD5 | 3592d77edee0c6936e928bddae4ae2a9 |
| SHA1 | 343d53765fef8ed153543d25a752ba41ab2b8f7d |
| SHA256 | 2e3dd4713d7b08f86bea2bb9ce424255d20682e126053b2d475f5172ef2ad2bc |
| SHA512 | 3b40b45d758c2be8d311f50dc62785d4330f7cffa9c696d7bf82cc087509d6504d90362a4c59a91bf38922943fc631e5e3548604f6d5d3af27188d7f8d9649fd |
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
| MD5 | 10b5a285eafccdd35390bb49861657e7 |
| SHA1 | 62c05a4380e68418463529298058f3d2de19660d |
| SHA256 | 5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a |
| SHA512 | 19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
| MD5 | 1f394b5ca6924de6d9dbfb0e90ea50ef |
| SHA1 | 4e2caa5e98531c6fbf5728f4ae4d90a1ad150920 |
| SHA256 | 9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998 |
| SHA512 | e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
| MD5 | 929653b5b019b4555b25d55e6bf9987b |
| SHA1 | 993844805819ee445ff8136ee38c1aee70de3180 |
| SHA256 | 2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2 |
| SHA512 | effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
| MD5 | d9c0055c0c93a681947027f5282d5dcd |
| SHA1 | 9bd104f4d6bd68d09ae2a55b1ffc30673850780f |
| SHA256 | dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed |
| SHA512 | 5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930 |
C:\Windows\Temp\Cab538D.tmp
| MD5 | d59a6b36c5a94916241a3ead50222b6f |
| SHA1 | e274e9486d318c383bc4b9812844ba56f0cff3c6 |
| SHA256 | a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53 |
| SHA512 | 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489 |
C:\Windows\Temp\Tar5469.tmp
| MD5 | b13f51572f55a2d31ed9f266d581e9ea |
| SHA1 | 7eef3111b878e159e520f34410ad87adecf0ca92 |
| SHA256 | 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15 |
| SHA512 | f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
| MD5 | 598a06ea8f1611a24f86bc0bef0f547e |
| SHA1 | 5a4401a54aa6cd5d8fd883702467879fb5823e37 |
| SHA256 | e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512 |
| SHA512 | 774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll
| MD5 | 9958f23efa2a86f8195f11054f94189a |
| SHA1 | 78ec93b44569ea7ebce452765568da5c73511931 |
| SHA256 | 3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6 |
| SHA512 | 3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
| MD5 | 0a4ed78b7995d94fa42379f84cd5f8e9 |
| SHA1 | 90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b |
| SHA256 | 0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86 |
| SHA512 | 86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll
| MD5 | 7835e60e560a49049ae728698da3d301 |
| SHA1 | 87b357b1b3c9a2ad2f3b89b10a42af021ab76afe |
| SHA256 | df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa |
| SHA512 | b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
| MD5 | 04a6857c04546270358d14398fde209e |
| SHA1 | 596a3e11ac6c303c679edfd6c30aa71e8eaf8a23 |
| SHA256 | 8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285 |
| SHA512 | 4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
| MD5 | adc5887e89bc56694a193d92898d3518 |
| SHA1 | 267f14c45a86d50ad627c6cb00626049e9c1ee20 |
| SHA256 | edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b |
| SHA512 | bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll
| MD5 | aae5a97685a809d0a0f661f9319f8a12 |
| SHA1 | b5fdd4ec4cc057fccc868de4f4910be89e23e48a |
| SHA256 | c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233 |
| SHA512 | d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6348aa5d2bd39c221a41286e95c18b97\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll
| MD5 | 0811b25e0449e04f782127bc6f8ac5e3 |
| SHA1 | dc1766e20ee338b12fa80e3ce0052ef97ddf9e20 |
| SHA256 | 20d8234901a58ec8ec24f2ce7048ac9e1e7381e3eae10cfeb1e002001d2c8b6c |
| SHA512 | a3a07aa4263175688019597b0829b090ad3b8ff43c554b8c89e16b48de86fddab4be6217bce24ccce9cad0c98df1240a7068c8b55778d836c34d5326cbd9c8a6 |
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74054b5793bfb8c8c0753b4d4aead8e3\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll
| MD5 | b1aa17d171be82960213057ca35815a9 |
| SHA1 | 6c68a8a2c524ddbe04395dfa613378bb311aa314 |
| SHA256 | c632156c276f9189d0f53addcc1043006d86188e3b74d9c4042ab2110b6cfd4e |
| SHA512 | 6f042aec9c74da86d15322d4300d93e4a9e69ad3555b302d42d7629dfa060209898b4569a380e9da1a785ddb53a6e0cc0f7543606f17ee467277990971c2fc1a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:38
Reported
2024-10-25 22:40
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\perfhost.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab113b962e27db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c2051982e27db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da9a44962e27db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022ad57962e27db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b83923962e27db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ed63f962e27db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb8d5b972e27db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 116 wrote to memory of 5028 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 116 wrote to memory of 5028 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 116 wrote to memory of 1712 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 116 wrote to memory of 1712 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe
"C:\Users\Admin\AppData\Local\Temp\efbeb6cb4df882935291e93f465bd91e72f92677cf6bbb80c7298151f6d00cb7N.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | 107.10.141.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.31.129.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 172.234.222.143:80 | fwiwk.biz | tcp |
| US | 172.234.222.143:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.200.246.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | 200.78.164.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.15.160.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 18.208.156.248:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | 86.104.213.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| SG | 47.129.31.212:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| SG | 13.251.16.150:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.211.97.45:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 3.94.10.34:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 44.213.104.86:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| IE | 3.254.94.185:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| SG | 47.129.31.212:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | 185.94.254.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 34.211.97.45:80 | yhqqc.biz | tcp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| SG | 47.129.31.212:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 18.208.156.248:80 | opowhhece.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 13.251.16.150:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | mgmsclkyu.biz | udp |
| IE | 34.246.200.160:80 | mgmsclkyu.biz | tcp |
| US | 8.8.8.8:53 | warkcdu.biz | udp |
| SG | 18.141.10.107:80 | warkcdu.biz | tcp |
| US | 8.8.8.8:53 | gcedd.biz | udp |
| SG | 13.251.16.150:80 | gcedd.biz | tcp |
| US | 8.8.8.8:53 | jwkoeoqns.biz | udp |
| US | 18.208.156.248:80 | jwkoeoqns.biz | tcp |
| US | 8.8.8.8:53 | xccjj.biz | udp |
| US | 44.213.104.86:80 | xccjj.biz | tcp |
| US | 8.8.8.8:53 | hehckyov.biz | udp |
| US | 44.221.84.105:80 | hehckyov.biz | tcp |
| US | 8.8.8.8:53 | rynmcq.biz | udp |
| US | 54.244.188.177:80 | rynmcq.biz | tcp |
| US | 8.8.8.8:53 | uaafd.biz | udp |
| IE | 3.254.94.185:80 | uaafd.biz | tcp |
| US | 8.8.8.8:53 | eufxebus.biz | udp |
| SG | 18.141.10.107:80 | eufxebus.biz | tcp |
| US | 8.8.8.8:53 | pwlqfu.biz | udp |
| IE | 34.246.200.160:80 | pwlqfu.biz | tcp |
| US | 8.8.8.8:53 | rrqafepng.biz | udp |
| SG | 47.129.31.212:80 | rrqafepng.biz | tcp |
| US | 8.8.8.8:53 | ctdtgwag.biz | udp |
| US | 3.94.10.34:80 | ctdtgwag.biz | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 35.164.78.200:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| SG | 18.141.10.107:80 | tcp |
Files
memory/4500-0-0x0000000010000000-0x000000001009F000-memory.dmp
memory/4500-8-0x00000000004E0000-0x0000000000547000-memory.dmp
memory/4500-1-0x00000000004E0000-0x0000000000547000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 5c9cc05bc8b0124f6a4979a3a166b6fe |
| SHA1 | 297f0a59c2835c9c2ee08409f276b58fceee2330 |
| SHA256 | ce6efd085e48193111fa18893e285bbaa59a9131bde100aee8ed472b0dc9506b |
| SHA512 | 93d530e075c20a2771db0409e22c7074beaab64a0417b299c988337957b21754697c1b51c7b95e0292dad75a915d57f795f769f9f26b1be92110cc92df13c3d0 |
memory/3924-12-0x0000000140000000-0x00000001400AA000-memory.dmp
memory/3924-19-0x0000000000700000-0x0000000000760000-memory.dmp
memory/3924-21-0x0000000000700000-0x0000000000760000-memory.dmp
memory/3924-14-0x0000000000700000-0x0000000000760000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | a4f8441b13059bf382df838784c32c7f |
| SHA1 | 583b518eb32565ae7d97b6d90cc728169cae8695 |
| SHA256 | 71251d909aeb3e2b5b550a29e5de07e90393d4eaeac9a61156ade3185755f72f |
| SHA512 | 2f9d20064bd24083a9d8364c6388caf4b17ca21678eafcbbafd5791c5d94126ee9f6a8e2d1611f702c5047ec011dc8af118eedd8bdab382f33bed73f6e8b066c |
memory/952-35-0x00000000006A0000-0x0000000000700000-memory.dmp
memory/952-34-0x0000000140000000-0x00000001400A9000-memory.dmp
memory/952-26-0x00000000006A0000-0x0000000000700000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | 271950872ba0563ddd45675fdb613772 |
| SHA1 | 931c1c8793289cf6a85335dfaf0b5d6934349608 |
| SHA256 | 8344913b6e1b9bf8559a7d28cb5a67301d8605806300ccf8be46272b7c0d9b2f |
| SHA512 | 38b82a1e2b953f9ffc6a847b7df086d8d86cd814ae59e503e9aad46635e3b448ffb367e9558ea8d58d0a7ac14e2faa175d61f04bf9637a95d764ab6e5df7924c |
memory/1816-38-0x0000000140000000-0x0000000140135000-memory.dmp
memory/1816-39-0x0000000000DD0000-0x0000000000E30000-memory.dmp
memory/1816-47-0x0000000000DD0000-0x0000000000E30000-memory.dmp
memory/1820-59-0x0000000000C90000-0x0000000000CF0000-memory.dmp
memory/1820-53-0x0000000000C90000-0x0000000000CF0000-memory.dmp
memory/1820-61-0x0000000140000000-0x0000000140234000-memory.dmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
| MD5 | 067c35ea1ef4e278e23ede421c4de29a |
| SHA1 | 55dfa03da6e9fb9eced21712125d903f6fbf4fa9 |
| SHA256 | 29427ddf93bd227254bae7d34b3729660a159587cdf9405cd9c1639cc9d73115 |
| SHA512 | f1a49ce3488689bd8327eae944c031979c1206344a7310a160c8d3950f716bb59bf9d1200ab0488ffaa4a7e4d759e24319c40570e8a553a6ca506ceaf33056e6 |
memory/1816-51-0x0000000140000000-0x0000000140135000-memory.dmp
memory/1816-49-0x0000000000DD0000-0x0000000000E30000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | 8b93babe83ce74a7fc1a00a592ea97b7 |
| SHA1 | 7280c71d2f2731b684c6e2c411a61fe84070b289 |
| SHA256 | 80c0859d74dd25381f680bb6012b98b7c5cfcc36fa77a04a647a155104abf463 |
| SHA512 | b917ff04eae4977b01bd87a04eb9e4ba9db1226626341076c0bb602578316c7460d7218f054f762794d53650817b18a6558732a4376a75cab31403c3b9f31ac9 |
memory/3244-64-0x0000000140000000-0x000000014022B000-memory.dmp
memory/3244-71-0x00000000001A0000-0x0000000000200000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 733be9f972ddb1588685fb5da872d0db |
| SHA1 | e61a97c5ff973263ee7ef00fee7c9e8dbbb88237 |
| SHA256 | 872c538d2068850fedc2cd63ef1a821fb2390a484998e9c34f63e7c368cdabf7 |
| SHA512 | a79c51e7c04a9dc4cc94ed4d291b6d0fcba3250eba5348eca1a4be0e7e04fcaae4dde192f2d44823ada095dff43feff7e9e5e3fff49d7fd4b3c67a2c3672f123 |
memory/4500-75-0x0000000010000000-0x000000001009F000-memory.dmp
memory/2696-76-0x0000000140000000-0x00000001400CF000-memory.dmp
memory/3244-65-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/2696-83-0x0000000002270000-0x00000000022D0000-memory.dmp
memory/2696-88-0x0000000002270000-0x00000000022D0000-memory.dmp
memory/2696-91-0x0000000140000000-0x00000001400CF000-memory.dmp
memory/4812-89-0x0000000140000000-0x00000001400B9000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 064c3e8519fad6e4f65a211889e680ad |
| SHA1 | c6a34b8bbb767dabcb35f2ce23f8c0f6889619f4 |
| SHA256 | c3fa6f8aaf77b8db2290506bec0b30e4f660d8a5d990367ede1ed0a7ac7630c9 |
| SHA512 | 6471a155e6a19931a88928ab3785d210166a173528e8cc464e396cecbc06efdd1a4157ce8965b683b6041313a14c2e6990abad81b3d1fdb5d21d28f6a673b47d |
memory/4812-92-0x0000000000D00000-0x0000000000D60000-memory.dmp
memory/2696-77-0x0000000002270000-0x00000000022D0000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 06efcce9a1d552cb2d45613d73a68e40 |
| SHA1 | 69d0a6271d7d616f3d099950d8ad9dbcef72835b |
| SHA256 | bbffc7850af210a504161bf7d19be6098fab8cd6d06d87f08031c7cd9dad845a |
| SHA512 | a6714dab9d623c0d7383436b3fc625c3712371cacdb1d13dcc5473c780a4220329573ab5e350681d128096f050aa75ffbf659858bffdea80161feb7296940341 |
memory/984-104-0x0000000140000000-0x00000001400CF000-memory.dmp
memory/3924-103-0x0000000140000000-0x00000001400AA000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 20da0b6e0927eafd62a9caae83c64eec |
| SHA1 | 19da622d833a95bd0dae8952cb1dd25956d5f15c |
| SHA256 | 1d934e6c691641a7e0bce46e903994bd71e6894bbc2694cfc5009933ad4caadb |
| SHA512 | c56805ad9348d2c6b1fe58bdefc816e6f230a3f7e4920a187cefc08a5192aead05132a58aedbf1cba3c28c3b00dd1a6456e40cdaa792c76774360aa1d2f0ab8b |
memory/2364-118-0x0000000140000000-0x00000001400AB000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | a5a8528f2acdce99b864a3d15119f61f |
| SHA1 | bf6344a58c9864c34784435e39fbce3f997607f4 |
| SHA256 | b01a6b800dfcd10516af21c81808ef41c4e94937e9d9dec96b6654629b80c0c7 |
| SHA512 | 48542eedfd7b1c1851f8895c3d40987315d9c4fb8575d34a5def57b4995c7541ef0e315009f1bbb727e9d46c29346e8e6acdbfd130e2882dff0ce10d85273bb0 |
memory/952-129-0x0000000140000000-0x00000001400A9000-memory.dmp
memory/3932-130-0x0000000000400000-0x0000000000497000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | d9c92e24aca9463ab4a74eeec97e1e5f |
| SHA1 | 8835ee40f89544bf838767f5b9d998698769bd6f |
| SHA256 | d843d6a8cf70ae18cdfca8c7f3eea362544e477ad721219c071fd9ec8eb36405 |
| SHA512 | f5b763bee1042012a2b11b884655fda90a322a31a7f102f00c106b216e9b7504059145a2f363c282342d42cb82d2383ae2977646686caf0aefa46e04c67cb0b8 |
memory/2084-140-0x0000000140000000-0x0000000140095000-memory.dmp
C:\Windows\System32\SensorDataService.exe
| MD5 | c3612e07eace130832042d87e9884843 |
| SHA1 | 16e625d76eebeb1e8f6c987f04a763f353f51d87 |
| SHA256 | 9a490fc70592fdfc2ea4f2c2e8a43b215844af17e46da0d3f21ff58e29de294f |
| SHA512 | 48184e04f31c1115a5137f418dc398905a68c59ecb8da021794697c6a8f67be562619657fa1244d534d6f3a3a25c63ab3411b8c1b53baaf063840730818e17c5 |
memory/4668-151-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/4872-163-0x0000000140000000-0x0000000140096000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | c2e6ca3680d20e5b4fa24751871e839b |
| SHA1 | cdf4ad168370ecb5e5abe5437efb79fdc115ad55 |
| SHA256 | 8cdd89febe3a69d60599df3e1ab4e9fc5970f536a962dcbd6387a30321c4d1d7 |
| SHA512 | 91975665cbdc59a8a7e9a68e7a057ef4f49bd2151b7af169f742fac392726bf574524b90d91785347aa6d6b8908d0528fbed02e9079bdcf8af36af17111e0865 |
C:\Windows\System32\Spectrum.exe
| MD5 | a31ad9ff45ea771f28071628360c1715 |
| SHA1 | 4407aef26b1ce992c774fc29f83678c664e27685 |
| SHA256 | 0f11696f65cf490adb10a0e59e62d827e1f9d5fa6ddaa34b6e759c45ef35633d |
| SHA512 | 2a594565a640bf0a95f3c6f360cf70a709011ad51aa9b48fcda836a0ab7c7382b5f4ea0003305c02050decf1dc774d177a948145275a84e855f24777b7db5f36 |
memory/1820-174-0x0000000140000000-0x0000000140234000-memory.dmp
memory/3972-181-0x0000000140000000-0x0000000140169000-memory.dmp
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | e4d9e34763f732f6a75d45b5bca505ab |
| SHA1 | ded2abf1fc02d9624024f6a7d27dda1a1e18b910 |
| SHA256 | c29acba7ae105816bc6e3f6064efaa3eb3fad4d7197daa57557e79069106d4d4 |
| SHA512 | 2d4bbd3192772a6f8d3fd8fdc4ae5f3793340111a56a0c884fee33935e5ef0e8e516ff31f3e3ac91c42f7a44948fbe8e90056083dbe53cac8b9a1414041d8c7f |
memory/4528-194-0x0000000140000000-0x0000000140102000-memory.dmp
memory/3244-187-0x0000000140000000-0x000000014022B000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | 511754d579fe9dca3b11039f02fa3dff |
| SHA1 | f35fce5586264557343a2fc9e14966b990a6c91d |
| SHA256 | 3dba093979bbddcb7dd6fe178b85dbc352b90e511eaddb2393348cb86d96cf3e |
| SHA512 | a45167ff7ed5829f3742a7dde6486b065b938c79f3ba570552fe0393c5b88bb102ef160cc7f0ab9379ed194fda5b7a228467bb35b71e9f1a91b8c3ac9822e12e |
memory/1916-199-0x0000000140000000-0x00000001400E2000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | d3fc7519d48053b81ec951df0fd07f4d |
| SHA1 | 9436dea57fe8d185cd671e562de45f546c7db551 |
| SHA256 | ea254ad41da44e71eb0d6c4747dc7eb87b42bdae4d0bbf00abc0979480730771 |
| SHA512 | 9db7b2d21df5cc93d9f09a4cf2a48cb792d117f2c0b49d415b7f81066808b7938907994fce80fd2254c7fad8f36696cb3eb75c439c3e3d61be34f2909b5a9d49 |
memory/2624-211-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/4812-210-0x0000000140000000-0x00000001400B9000-memory.dmp
memory/2624-223-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | ab56a4be77a6074a1c560c8bade92e9b |
| SHA1 | d51b2d86c1f7eaab2ba9ef8d6f4f6b0911f4b137 |
| SHA256 | 415a333c1b098a13bd7ded211e36a5809c41680c8cfd0fcf4ebfe3e2f929e53f |
| SHA512 | dc879f8f568344551c59ba1343b6eb50fe44b9c27cdc981b45582c1e4c243d810f3dd3de9af1a17d48ad8024e97074c144ae7eaa3ac5d7fcc3997ddf959cd959 |
memory/832-226-0x0000000140000000-0x0000000140147000-memory.dmp
memory/984-225-0x0000000140000000-0x00000001400CF000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 027b4545239175544a4a0400d414e18b |
| SHA1 | 20a9da4d7ed2cc0d37abb94df5880ea7eaa9824f |
| SHA256 | 7cc2d874d7088759e69f4241ab6a2a7831c9fc59d29128b98fd5dac6e787dc10 |
| SHA512 | 51f3a58645a061a321a995482a346dda7d36ee8e34b09e9d7309b3db15517e3086276985c9dce24c26fd5f1d4a6af841eaabb61d97bb51766eef6ce1f972dced |
memory/4544-238-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/2364-237-0x0000000140000000-0x00000001400AB000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 353a785adf7e0cc16c13db03035864ec |
| SHA1 | 72bfbf00d61fb0136ae284584beeb8dcfb8a96cf |
| SHA256 | 0d9c9b83d77463dd4ad50d7a41478e0737a2e503a07073e95b9b402a6547dc39 |
| SHA512 | 7c160d244c1458f2c17ef600b42fe375f00252a271568b7d8e71187fcd2786f56e0cfb8afbcfec85e205026978579973b1f8ccde7bef0f945b1aafaab06ef3e1 |
memory/3932-249-0x0000000000400000-0x0000000000497000-memory.dmp
memory/4900-250-0x0000000140000000-0x0000000140216000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 5148574e413d9eda4991e04925f09c91 |
| SHA1 | 7a333c25793855cf0fa5a4edcf707daaa11337aa |
| SHA256 | 49169eab0e62358c5b8024df58e315d41d69bedae94901e7da5ee951ba9d4d4f |
| SHA512 | d0a8e2e1320a56ccc3fe9f9ac0093824a55c80042832773af3220ca79840ab9ae288714483f17ca0a2b9d4740ff79f9ebe173716a32a39217f3f28b400639732 |
memory/2084-261-0x0000000140000000-0x0000000140095000-memory.dmp
memory/3624-270-0x0000000140000000-0x00000001400C6000-memory.dmp
memory/4668-274-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/116-283-0x0000000140000000-0x0000000140179000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 99e0c8abdb876f74bce739cb4c9df11d |
| SHA1 | 5aaa35d29e3cb42b63c77e2382d742d9b5cdbc7f |
| SHA256 | e384a1e32ee568394ec62b1f9272befd67db723f331a8f7d34eb6418b2d32c25 |
| SHA512 | 325923dc6a83b478bfafdf9e87e81454e5d874b0237b666580b9c75149fba98fe9097f6c9b2ea25439fd2e8766455f492f8c66846f861f5f7029cb4be8dda9df |
memory/4872-364-0x0000000140000000-0x0000000140096000-memory.dmp
memory/3972-439-0x0000000140000000-0x0000000140169000-memory.dmp
memory/4528-455-0x0000000140000000-0x0000000140102000-memory.dmp
C:\Windows\system32\AppVClient.exe
| MD5 | 4fe348ef9f60d00528839dd392115765 |
| SHA1 | f2d84f75947f6cb8729e1e0be4386e41f8694ffa |
| SHA256 | 23507bd5ababb5f858a0408eb934313d6775a3bd29d0217ae85f11a2f55a792d |
| SHA512 | 9e5f79d861cb32f914a858bed9158a69380fa061183fefb6956f0f315db8dcbe5e78162a0c45072e1ba6736b7386eafe00650f38e8c38a7384687f782b639502 |
memory/4500-482-0x0000000010000000-0x000000001009F000-memory.dmp
C:\Windows\system32\SgrmBroker.exe
| MD5 | ce166f5c36ce1e418b82affbbecc568d |
| SHA1 | eb759ff56bdeea4267f6ca202ec36a0fb9775d00 |
| SHA256 | 6c540180327374cec840d45ae9d4bd3995ef40c669a379cc9464e93fd53b1e1a |
| SHA512 | 3a0914cae6bb807f74a93854dce239a3ed2f45418556c6e1b5fad20406284009a20ae3572c1688b39e8e123f51c158a5366609aaa37721756886fff37cf56a5c |
C:\Windows\system32\msiexec.exe
| MD5 | 6bb08a98eaf8af7f7088dd82dd806891 |
| SHA1 | 017ee84fe237bbf983a9ca4aec9a4aca98eb0e5f |
| SHA256 | edf6901e56c1adfbd709d6d594509ad29d2ab2061470c4bc6d745a6d3e4d0f51 |
| SHA512 | 208f54c9cce9d6f7e0ecd6cdc0662f996af11dec494e07ed05ae8be98487740d424d8df9df6d14380ff9530deba4667c5b1ca01bf40d9d4232a60beeeec9a4ef |
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 8466720fa2f9013da6f7ffb071e4af39 |
| SHA1 | e7b2915e31bff85ef9ffc8f87d62fa5a6d2fe72d |
| SHA256 | 29a7c980a4bc50b4215ff45d6164c951bc6191c3029f460989c82453e46c20ef |
| SHA512 | a4d479bbd62c04b24b8f4c2ea3652d896c51cf0b38195dfecf2dc740e932d6d4c86555efe511628aa7aa2e8dab1ed27d580c69cf825e6075718962daf5dd6ecd |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | 7156797de0179048a3ce5e128db46a5c |
| SHA1 | 892a79402124f1d30090090e396fa7fda38092e4 |
| SHA256 | 816c2db287f8b1bd51f988c63e6f1873fd843cc37d29ab4d51b03288e7597070 |
| SHA512 | 9862a37c66c1e0a0042a2ecd1f64a70e5e98b0c70acd77f2f4e4caaf0396d50f1868a0fbd63cbbb47fa0d6b0b3ac265c7bff8e1b8923396d2f534b3f7c4f4107 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | 0ec72bb3ef1dff36a8f3e25657eaeb8d |
| SHA1 | b45e7e644b3ad04a2b18d01d7c13d3485f282567 |
| SHA256 | 8989e2714c91a97f16a5d9824cbff6d67a99112f364e8ae69ab02563f742e706 |
| SHA512 | decefedfc49b6d67f536e4e2afea994993b914d3173627418886cab211b142a3acb3a8103d70ec9252f70c2240811fb836120e1dad3e3c0734f3bd78979f16b1 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | 6c25a282198738ce80747658212f050b |
| SHA1 | 80921116eebb6bde8c8fe217af90c2bc56984cab |
| SHA256 | d72afe6489beaa0b4dfc890a6ec7a032d59e572ceb5cc8c188931165b0ef70a2 |
| SHA512 | fdb20bb2e8a95e0817f47aa37aecce99cf7cc62009cdfdaab4f18dc311a7b6ae4a8bc79ae507061b593c2b4a9779180cbdcf00a71b544c5cfb14a05fe2af7a50 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | 752ab9cb0f17524b32bf6dae22884785 |
| SHA1 | 51e55612f68287b9357a4033f01b78d2306d6caa |
| SHA256 | db7a60cb3bd26c4f6adaf330144bfe67b63836225fb70eba6adcd1a4add7ed79 |
| SHA512 | fc90fe710fa3410af9e3e8c851bcda9242460af774d8713043538816719ecbad4b44b038970f8035805ec096627696eb5f31850eb553f6cd1cf9e986f24791ce |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | e056555021924903bfbd0a6deb301949 |
| SHA1 | 4dacc12870c9e66982b725ee2aa4abe9a052a669 |
| SHA256 | 480604cc461f19450a5805331d7e4342a4df6110a3c2a177dedfd2fad7016aca |
| SHA512 | e99c0ee26c1da13cb273d2c2f96d86af2b081caaa7a1f61b311e7e639f2db54de790424eb521ea3fd877bdd1d8e2fe4b731b8eb3a1fa94fc2851534e0aba7853 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 75ebd82a5d71b261b155ef6243ec8cfa |
| SHA1 | 5d423c753bc05c6a5e2305178bbe1077da6ecf7a |
| SHA256 | 86b21e5da6913fabaf7366a1c16d63a70af5b95396ed991a41d0b47b56ada57e |
| SHA512 | c6a6fc191223984182f4a0d29111ffbe61513c49c24f7cb291e92a64e884212d6c7eb6131b830b6c1480cc7cd9289e71a1154a563b8de67537358adf7a759f57 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | b29469c5dad074b85a3d9ab99e558b28 |
| SHA1 | addde0def3ae11064d87281d47a305d0399d2f4b |
| SHA256 | a08fbbc7f477e53d92d9b0257b514d75bef8963e38e99cb0a8ed985a15d262e0 |
| SHA512 | c061a95f252d9d084ba5ce385b4ff8a3a6761f6d87ec10b638c0d94542ad3e119970d997b8ff70d6259957ecaed2f8c10b91c99e111f9b27dfcc03afd63d68d1 |
C:\Program Files\7-Zip\7z.exe
| MD5 | 0fc2309adc696714265e429c0d4bc4d1 |
| SHA1 | 389f1b3cb5c508f4a9a44826575d39d4d28cadc8 |
| SHA256 | 698ba1ec00c5b655a63a1264e5d9fd3adfe4c530b0b75d694e6289d527873e2b |
| SHA512 | 0316b894be035c369964b7093ae4f7fce8964147d4b8a539b35bbf04e2829d805910a567dd777df665213713d3247d4858f6018988a4602733800997b23488f1 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | 1d762de1fa19431fe8ab5193abbf7776 |
| SHA1 | b4361c68d02afccabb18a78b3076db6ed690f30e |
| SHA256 | ef0e2a5232dbafe8bd77370afa48c4c6dd09282eb85c692f8b1895b85f862a32 |
| SHA512 | 8dd559b3192ae84fc1e944d00a4ef80a0afeda1733da0f9d4fafdf1c63525edaf6e2bb4ac5c21dffc2f17496ed73681f473d7daeb3de2abea32accaf24cbe470 |
memory/1916-527-0x0000000140000000-0x00000001400E2000-memory.dmp
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | d0f63e587897000b34209a01dd21f118 |
| SHA1 | 5fb3b709ca939863b532e30119c701846c711c6f |
| SHA256 | f61ecab9aa5d9d83696bc102d3da316e86c5fd6dacd0210a92aa70032c93ee39 |
| SHA512 | 0e2d69ba28aa53bfbea4e1f0925de524cb155688d010a87d9b899c47936e862ee2ea1fc1f6028927ef475cf1513d95a0a9cdaa3eeeef2caaaa467a1b0879206a |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | c79012e5087e1da75183a8444e75f8fe |
| SHA1 | cda838cce41d3f171af6dc273b605668c153930b |
| SHA256 | 381f23312f5c60752938c6cf9e0bdf919ce1f2941cd4d833cbaa2fe9a4f023b0 |
| SHA512 | f7efdd9b9941c454b460bff36d6c0d08652d9543d5739293500eef6b457cdb71a6cd90f7955a70faf142fb576088b4faec9efab4cac6d7f12a1b7b19435bf930 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
| MD5 | 0f8ae330e9ae8bf992e3b9d5f34db4c8 |
| SHA1 | 2495e8f1bb99e65582b41857787c0e437c047267 |
| SHA256 | cf36ae061609820776097e07602e4f83f7c7bb1b5072e5174386538fcc93307c |
| SHA512 | 464165ba6360c0ca2218e4a6aa8be843b736e2f5e65c14c04d09a9782245aa3edc2e08e952391a22761edb27eb89d147c6574e9cc9a754bcaa291d82f4fd79f8 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
| MD5 | 0aa41ac8451910ebce9550df31f1cdd6 |
| SHA1 | 73106c87b5efeabdda6f18a7cd7daad1a4a3a0fa |
| SHA256 | 2022644a399c7c017bdc123c62252ef7011940f55cd89e64003af08a630987e3 |
| SHA512 | 4d80bda728675620739f3265565b0844e5841dce0b9a160c443ea7a13a4bc2c308d6e19442320aad3dcc1df82a6c348f6642ac98becd6a4f4c485c0e3734e241 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
| MD5 | 60fba187d5ed221e7a2db630b4eb758e |
| SHA1 | 0fb69bb4404bb3ff91cf0946ac1916bea940a26c |
| SHA256 | e96a4b55c95edc3c0e806f56bb60a517fb28fcdf06b90b23a1eef61760a24032 |
| SHA512 | bde19fbf2712c6bc2c5402f33db2b9f6a26884973ca290d05682db360c2543240cf1734fcb319393699edee6f3e4f7e3e41fb4cdbf6c22a78ebe981041d06000 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | 6a768938ecbb0fee9d4ff886d9c28a6f |
| SHA1 | 1f0bea26d12e65381a7b386398fb0aac257c0b07 |
| SHA256 | c91c171578e10165b50e68e3b99a51ec1695a08b859336553ecb919a2c73d51c |
| SHA512 | 0951fb00511df2d62c293f98a29e3e934c8a87b69707ccc363a41e957987e4fac86ada7db6bba063d64c80fdefc1874b15faf5bb689cf8e36d7aac80f2c35e48 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
| MD5 | db258622b7da56e13b6f2ad9ceb1431b |
| SHA1 | a184df6ecfd3f640528deeb81c88a99a66180b08 |
| SHA256 | 466049579d10994f27fc2526a99bec995e84bb3f506ab65fcc5a7786ba94f0f3 |
| SHA512 | 0b3e745e351aec0e0e64ce3dbb1c8de975f82f9df226a618b15ca3da3bb70ca822525d85904920f9155f1c3ba722693b52447cac2aeb2a42a0641ca0843d14e8 |
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
| MD5 | 9657dc0492a41e59621869332a883d78 |
| SHA1 | 712bc59656fffc4081053380a78323f799162bb4 |
| SHA256 | efa5ee74242d142770811c0c8c7fd63a51364efc62b67f5459a74c29fda92233 |
| SHA512 | 0f151ea807eaa0eaeed06fe4ab7a952fad7df6fefc2c1ec4465db9827f4b8c231f70930e00fc92b4b3d9d5cf42d384ba009cf5b59a2693c2891db77d2dc8223c |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | 38cfc721e5f53f484d9841004d0f334d |
| SHA1 | df067e7892875d40f2220a9b6c30961198347727 |
| SHA256 | 28338e7cc6cdbb1179d3875aa1ada0761258f5a2b19bca2fa7dc546cac2d9049 |
| SHA512 | e03294c7b7ff0f3496b2f058b7e3019ca2eebb673a59449f6d1e970a1b2d009a70281b7895ad79ca194440a087f31533f193273783efe9e85ce0fb0f5607cc41 |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 1ec78925283ca6b0208184ce46d60e63 |
| SHA1 | 856ec79d4d67fe8526eae9b9a4414edda5c58cc8 |
| SHA256 | b3cea314186758f23dc6c8ba0b2c6d9f5136e0aea446383fabc1efcee83c8069 |
| SHA512 | b2115894f6df1c63b86a917249c9d906a3315c931c8f4132ce8d291264379d8da22413caa524753c73b33404c41484310f735d83a94c1d38eadcc4eac3146749 |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | 20374ea8a895c5a099d8681b3a831497 |
| SHA1 | aa744abf48e95cf680e4ce590f7f82f5d0418e5d |
| SHA256 | 0176d22237603618e092c32459ca2aa00ea5324fdfb5bfcb121efd2f801173a0 |
| SHA512 | 3e2959c24db6a41d3a3538eb7f4f9706997a612ceadb4817681846beb256b3a6961b39a06f2b13d81c51cb9abb2e69d39f67fe37389dc582080b50d80c6f43c6 |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | 76719c54f52936e5af13c3a4b2c6961e |
| SHA1 | ad3cb70365aceae651555a58ff8e88f4a23274a9 |
| SHA256 | b964e791d244179b3a1d6004fd3cb63461ab748d97cfefa8bbce32aea8bb5fe8 |
| SHA512 | ac7a67abbb2d4965eaa0166ca2783f1999b0461b7511bc1c5605a5927c5de2fe307aed19eb62a447bf0d3a1c2a7cc7b34a4eb465f734ab384b22bae6f9a473cc |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | e41a43e6876862512a15b932ab96f9de |
| SHA1 | b7b1594c489fa0352252ddd153aa275aff02f80b |
| SHA256 | 7eb25bd26c3311149b77bd15f39d995eb2d03cf22ba508923a9f95c209750308 |
| SHA512 | 18858fd5ac92f04764edb89c81fd0a740d57d58434cb43f3833497aedff72df8bfbd65b662d352ac74b67f10ffd84d6e3a8dbfcb2ab4b8b425546e16fcec0c2a |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | 33232086702163a7caf8aa30f277011e |
| SHA1 | 865389edbfb2f4466407500a3f8f78f1da194f3d |
| SHA256 | c936094d97c21a58e13b07dd7cc1db5054b61c628df45ecf8133822203542c18 |
| SHA512 | 2ee100d10380aacfe46e241993c0a50322472e207dda17966a551ca489c62dde63650c20aac96e2ee9f14ba3b4bbee5f3546cf328a168246920adaf4b60ce533 |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | 03b312834d372fe72cd98891f4155094 |
| SHA1 | 067ed5a602cd425113155f4207eb04cf1d825d05 |
| SHA256 | 9134d00b1edf04b6ae19d3287175b7addc39c83930b522605ea684020d44f08b |
| SHA512 | f4bba85ef7c68a5bb196c504861d56892f6c4d2cbdbd5944d5d7ee3317c6b66c3385e1a6d367d207b177dfe983125eff653594c9c22b2691c73b5fc983dfed1c |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | 6265177c5f7a8ba9e43497d41ca2ba82 |
| SHA1 | 36121ee000cf4c082d8219684511d31d96a3f17a |
| SHA256 | 0349e18c683c99ca58ed53571e59a571565f9bca043e506d96f15bdff6db0fcb |
| SHA512 | 207cf9620fdc972541d817697f7c1b4cdc4632131a09b3be3b03d03f8da27533be08257f1398c98acdeec72e1061dcad2a52cfc645cc11cd54081f5785ba748d |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | 49ed3160a699e4bf4463e4107d7a68fe |
| SHA1 | 0b215f5a83537055148f88f7edef84b7e44fbf3b |
| SHA256 | 8fa3ff52a1732dd22b0141614073543bd494567f405bd87b528b6c63033e819a |
| SHA512 | 21e7cc44c2ecfa2e3513c8d48eeddfa3433f3d7140a527001063073aacec1497d757e9a8de382667014ada351bf5e9c5a1c71f7adedb038551d510a3f742b988 |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | 96648ad9723d0a3adfccd0ca7d507e18 |
| SHA1 | eb929c9112073610f5f02ce4931e1bdffd9ce46d |
| SHA256 | 55a84b5dcf2dddefff893acd9c80c7fb2beff8edbd5fc11e172b086f1a80f804 |
| SHA512 | 62e4e01aad0c81c8e1642895060ac0651694dd42ddcff2533efa58f73fd8425ad9b53beeb0df3ac61c2d27b6dda744808c0d8e198edbfd7630a787cd60cfc95a |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | b10917e5ea5b0cff926ac04bdaa668a8 |
| SHA1 | c2415a69ba7794a1299ec4e675246112454deb23 |
| SHA256 | a805e2f51c2dceddbc48818ea2f3d2077042c5a4f9d0c95c04da01d8e89ac7e9 |
| SHA512 | ff6caf4a0a2f7608ec5ab1a24af9f10df646ac677753e5faec3325fbb348a627b335072b620d32f96629a07032a70fdceff33cff08c2793d93dcf54525610e63 |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | ad06e5728ea60faf57566f16aefb2fc2 |
| SHA1 | 6eb874907db69b8986b7b94a1c7e2114d74aad0b |
| SHA256 | fb2a547442b982606b8aa82a5793d41ed321426f60231ab38ff1312ffc3848b5 |
| SHA512 | 27913f6aeb85a4092407841491e0523fe88aabf2912e78cd612110f095a98e662374e9dc869faeadc480da5d9981225b257e0d3dc42a8c8d26d9b04e005d59b1 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | 684407a86a0eca86f94f412582af5481 |
| SHA1 | 878c2634509e3bc49fb87cb561f75f671310800e |
| SHA256 | d13663f575557a7f95860b21a3c3902b4e1b66971dec61ed88271608538d93e9 |
| SHA512 | 2b821c8f39c88583203df7fd33cd76e091ed6a0c1cc8aacf05ac63e2a066537b9ff5f4c1df08e14fc144978a182e8246a12cece1cdb00a562e8866e1e6681b62 |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | b968aab117713f9d9916beedef350d87 |
| SHA1 | 3f6692410b7ddbbc9df2954c233967f89e064119 |
| SHA256 | 55324cbfde7327e473c04da4342fd235ba512292f60694137a444a234b66e7d0 |
| SHA512 | b0195fe1ab16f4a8b8105b725e6e778387b3cf378f13f30d9e5d1f5b522c6b064fc6d152a98d001812701b2fa48ca90337c73fa6adca43479fdad8509bb3a972 |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | 7e7da5d878afe2fbc07115695057ecd6 |
| SHA1 | 9fc54b868c8de4dc138ac94e0cac78f064bc8915 |
| SHA256 | b1495f9e8308be6edd390a151b3c33dae8e42b8a3ad87d0739f148e38fcf3dd6 |
| SHA512 | 2e4b6a7ce8c59001f2eb7276548710ce9b4ea49691974abf0543d9e91a6a0cffcc99782a79edb7f73a040284953168ed8507d5ce1497c3fdf002676ec7103c5e |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | 0eace5b2cdf314f85641a224970af6a2 |
| SHA1 | 5be67f5334d62d3cfad7d32c74bcc6d7e7ea157a |
| SHA256 | 0a802538cefe97567c97933d07bb0db36a93a00eebf5add6117e718870db4a02 |
| SHA512 | caceaf9e5f46e30a6365687b3dd329aedc9fc85c6ce809c63c224f3bfbf65df15d6827bbbe0442f6ff5edd6f1ae38ae19453dc1cd606599b10344803c7ed0283 |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | 827ddce6e4901ff877f65cd365e3aa6d |
| SHA1 | 9f2d9af47333ec1f3cc024db2050a0272334f511 |
| SHA256 | 6df67f2dfc121cebc010e74f3630ceb4e38adfb9c4de2f1a7d17eb9e0f2df28f |
| SHA512 | 4a9efc1fc356e0da34fee66caab9bb943f11d3c78c9cbbe8f66158b782102fd5175322cd6dc0b212a6b2743948a53532bd7ab43724ccc5d55a4498ae051657b0 |
memory/832-601-0x0000000140000000-0x0000000140147000-memory.dmp
memory/4544-636-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/4668-703-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/4900-704-0x0000000140000000-0x0000000140216000-memory.dmp
memory/3624-705-0x0000000140000000-0x00000001400C6000-memory.dmp
memory/116-706-0x0000000140000000-0x0000000140179000-memory.dmp