Analysis Overview
SHA256
937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16e
Threat Level: Shows suspicious behavior
The file 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy WMI provider
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:24
Reported
2024-11-08 12:26
Platform
win7-20241010-en
Max time kernel
113s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\2cca79945f6c6349.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCC25.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDBBF.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE59E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE1E6.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD73C.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDE10.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE3AB.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE81E.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\perfhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86} | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000301bc075d931db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{FEF7B794-725D-4BDF-8825-AC9027D12089} | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe
"C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 270 -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 26c -Pipe 1f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 240 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1f4 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 28c -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 27c -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 280 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 250 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 298 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 27c -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f4 -NGENProcess 2a0 -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1f4 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 600 604 612 65536 608
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1b0 -NGENProcess 1bc -Pipe 1f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 25c -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 25c -Pipe 1bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 238 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 238 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 27c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 294 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1b0 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 274 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 29c -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 1b0 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 288 -NGENProcess 290 -Pipe 1b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ac -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 29c -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b4 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 23c -NGENProcess 2b8 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2b8 -NGENProcess 2b4 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 2ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b0 -NGENProcess 23c -Pipe 2c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 23c -Pipe 2b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 23c -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2a0 -NGENProcess 2d4 -Pipe 2c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2e8 -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2a0 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 12:24
Reported
2024-11-08 12:26
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\alg.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| N/A | N/A | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\82691e7e65f51a6c.bin | C:\Windows\System32\alg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe
"C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Network
Files
| SHA1 | 16c3e297005fd71c2c08dac61bd85aaf9c4c9c9f |
| SHA256 | cb8dd1419a8e500ec1ff3a8d8589ff134e0c20015d7ea11cb5a73949ee1015c2 |
| SHA512 | bd8036997c60eeb4a49801e95b52372585af782a4e724446a7d3a65f990e7f5cd39dac1749e451ed8a5e8ba38fbfdbd268c0c678958323a103eec26756abb10e |
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
| MD5 | d96bc6c40578d2840b5a6737eb34fc40 |
| SHA1 | 81e692c6a629c6d577d5208b1e3e818fb2b85afa |
| SHA256 | 5573eff424c667b71a2c6efa98c2ed315f7dfea43e4b3abdafe3eb7bac6f59f7 |
| SHA512 | 2cc5db8bf93e72b2f9514018b8146cc1ef17a06e18e30f72cf39ea9595a259407815eebfe019d08615d5e6c5e7269cbd62243b1475cf690f20395c07ad5bfef1 |
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
| MD5 | f58c8b132f67f150273dcc2abc935e78 |
| SHA1 | ee4375c20405fbbc8917609077b7a4f657a0208e |
| SHA256 | e6bf8fb1d0e295c488a9b49153eb4573467b020194e300a89d5f9dbc26ca6764 |
| SHA512 | fd47586b21cbf118f3b2c8a3d5c340b9e26208d42db8a3621a554d479655fbba78222560c5fb36e7cf6fb7547582b0416bdc82f5b5975ee2384440f4789c7460 |
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
| MD5 | e28b6cbc672b67ac54c7c08bc0d6138f |
| SHA1 | f1d34ca9b07100900701c4ffa9851afbe2dc9c1b |
| SHA256 | 7729549d8d9e9bf6454e8e48d67beae64043cd9ea3292ef482d229c51a08cdd1 |
| SHA512 | 375fcaedada56acfbaee621fc8c3d4200b77341cb6a512ef20f6878298797694ad5cf6b90b2e901f416cf2fcd9d6362956255642a90e6cfb43c382009c7dd2a2 |
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
| MD5 | 7cd5224a10a5833d29472c8e22b4c4af |
| SHA1 | 977a2ce4e38893b2ec8a0c0b0884bd072ceb98f0 |
| SHA256 | 6cb8bcdc1783d87dbd3354efef1cfa78a7060523d48375771b94745fee343694 |
| SHA512 | 74fb56ddd0aa37e1052743f598c24571ea1c1a7882c0db503da40183b92aab7274c238e8471bf941d944c8c198c38adc5266d5a62f90799900d8d2f514fd8576 |
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
| MD5 | 7ed4a8cc99c3b25f051877baf705bd56 |
| SHA1 | b8679f72cce1fd4a8de9f9b5164234dd6c89fc77 |
| SHA256 | d58e005e96331fcf1b9ccf359c3e427cd6c69561458d87559441cd529f7054c4 |
| SHA512 | 26ed4e4822f29be06892675b50a643926dbd10cb9524c2496e1c80aa48e28b54e6b53630dc0d417822d8de186911c26a97950bcb426a74c275ad70f8ff10c08b |
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
| MD5 | cce46e5a8b16d23e823f88d32654a22c |
| SHA1 | 4915af402e9f330050e209fef2c0e127949021e5 |
| SHA256 | 2082c811fa070b6afed7e47b5a50831b7e121b9c09f24e6c08b0e51f96bc43a2 |
| SHA512 | 40f34da8b1c76d3ac3fab67a9e0fbb4a1a15dd199c1620d994c2d54ad4490e661496635fe009fdcfb4a5d26130d470e8848a0ff297b2ba893f059283659e372e |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | fac49d63b23486dcbc2f44e44c4ab121 |
| SHA1 | 9ba5f6be1eaf1068d19106f549e9986b53f38b68 |
| SHA256 | fe6cce95de2b941090d85bf1c3153287242454356f2f9ffa7d8af0dc4b616bfa |
| SHA512 | 8ed37c8c715ed85ee8127947722c34f922b9a64b10a345ec536a6d8d3cc55acdcbbf250fc8a852f3d8398ff7cfafd2ae3335602d18799a9ddcfeff178e813a62 |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 8043e0855f98da495d93d57d80462a51 |
| SHA1 | 4d444e56d3fee5937b8f3b84e6bc6cbd4f5860bc |
| SHA256 | 51b3a780948416cf94c96550aeacb6db272fbaf0dd2248c1d5385b8b8deba8af |
| SHA512 | 99fe0cd6586a999030250927818b26e0bf5c7ce8ef56a142f1acc36038f46f8faa526a613bbc0eed87ac32addc637a0076d7c45dadf4063142dd79684c3e02f7 |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | 60fbb600347bfea7f65c51d716545740 |
| SHA1 | f026a98f02dab086eab72f80cd540eda20a7ea44 |
| SHA256 | 212de0f3a15faeed2d1627a8a574a0541ae35540f47bb2ca2db1ea2971724aae |
| SHA512 | 2fd2f7b50c27082830ddbe6759dc91c2c588ad244fc2cf4054a1194b3055e9e6c373f29e2d53b35829dd7fd7972038befba7912b350d530308223dd8c31c3e70 |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | 50919807428901cc021aef7c453e3ac1 |
| SHA1 | 5a93fbc49059bed6805a8e117c8d44dd7d1e7658 |
| SHA256 | 1031cbbbb5402df5cf41378a73484803f6521ca93403e6e3e6751f0bfa4f97f0 |
| SHA512 | 43c129770cacd56812c681df12ed5176282a9c33272256dfd005e1e110fb6a49ce002c033bfc646097362698b3db15a1fc39a218774ad7a015d9aa5f753eb265 |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | 7bee60aa1ec06eec0b4cb63d6192bb63 |
| SHA1 | 858afb9de9b4b75034a65f0f551bdfac41f17c4c |
| SHA256 | 33f8fe5fd1bebffc305b041450ab7051448b5312df29b815cc143a4972c2755c |
| SHA512 | 160d264c95440626a73951ad09cd64e302910493bbd0db61a432b3c2fb846f9e1c64361a2c24a34926764cc1337c0133f44c09927408f4d1776167de5271a804 |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | aba03472edeb7f90deab402cc5d2e369 |
| SHA1 | 892a0aa058d97db338aae14ff65745cc0256d80e |
| SHA256 | 0ba3a82f7baa3a3e8d4d8ddde16b0570d62eda190cc3877d5be897908beb5949 |
| SHA512 | 5370399557f2a8348227a8beb0e0b09de6622da098b31412570c5af943fcce96cb6ec34b724c2ba4d5677bc2ffd7a575d2d45e6e68f17fc84202825738e3d73d |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | 49ebe7e604b06bcc2038cbf2ca863c24 |
| SHA1 | c8dfc20b49c42c64c73eac1b797c660631074fd1 |
| SHA256 | 789cf2dd502f4c4f8f54ebde7490c5d2e32515d656713a031ad72c2233483bcb |
| SHA512 | 485b8c5f2f36fda84950b3e3383424f51de256cb1040a415feccf877229b868132245a762567c1126b3ba03fd027ea19c5751ff5c876879f3afff46c4ea287da |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | df5d5cc1b19867078322eccb281e6c64 |
| SHA1 | e2bae3b4f1a5f57d8c3cc792b4e9ff9f45faca65 |
| SHA256 | 91eaeef23dfba202b2f44eb04e7292b474e9d17ce0d2295f8ba7438e34eb1fd5 |
| SHA512 | 12daab26bba1750e15b58a30dd6037ac2bb28f36c722e3322e12905fb6f35e4506708989c2e2a4843ec71d3b76d91bedada2143b948fd2e495c76545c6d5561a |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | 789be79065dbf48b31b9ae6ff855583a |
| SHA1 | 8f2bcc8c2c892e4ce1b79159fbcda832395acf13 |
| SHA256 | a628a230b772afa5605ba91e483a31ac649fc8a510aacc804cbfcaf1db4d9b34 |
| SHA512 | 2374f02a73ad9a2bf3cae976bb3aeba73ab929260e9f3186114d1fa3c6eca7d6b87ad6fdd32a2afefb61c61c94a3b2a2ca5f932b8a7e87ad7f62c86914bd4c5a |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | 06351892d804b8af0f33ca54623c25bc |
| SHA1 | 3eea1b761ff5dac1797b31c3f6db3355b6111a2c |
| SHA256 | 61b2a8c3202ed7d9bb7e5e0abff81e033b48d9f1dbec2a49f8c36340a7e6802c |
| SHA512 | cf689b4a9fdc592cf04f7d33a012ef1c8d7c86910f42c299ea93d432e8c2b7dab1b499f2c9eb394bb468ae15400030cc9720e442dc4768d8ae36e14c3db7b202 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | 2d1dfddbaa58af965424b1ca2c5387a0 |
| SHA1 | 5a32e90033b12f8c490007b1165123953f56078f |
| SHA256 | 0e78b91d653a515679adf3cba6c4cb3f82848e0b678304edc325b5fc2760a66a |
| SHA512 | 4a3cbfc3947e1714b96b00dac5e890ba0442c91ca3dce794be381196d503ac4726fac8f82dbfcfb6f1fdb75e6eb98417b74bf454adf8264c788c2f7fc960e934 |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | bf88c25606781ff0d740e531a86900fc |
| SHA1 | e4716f030f4f4e604a9283191305262f8d4d25e6 |
| SHA256 | 76026c3dd49aae41d156e4e3437aa89a77f27372437df077bead65db1a7dac94 |
| SHA512 | f8e1ae3e3af6482177f7d2d47ba50f4f6fe0f0916c51c315bedd7363bfb731028415c8a2d3c165a495d9e3fafd088f4ac45e701cd5054547934cd47a38902723 |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | 102887745db2621bb71f07d645fcdda1 |
| SHA1 | 40d336085bcb37b815381067c39234bfec6f8ecb |
| SHA256 | 4dfab7ed5e639f58922c0a24b16ab1a716daaff9c47bc3e54e6c723f6e2e9309 |
| SHA512 | 054627b6eca260fa605d4be439cf64be7969e3b5f024d51d4e0d7f5c2e40ab53eef18c76b02a4dd9f208f00ddd78695f360e93acd1d0bf3b94d3b8eeb1c109a8 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
| MD5 | 29747c4de6d66e4e8a69b30a35141837 |
| SHA1 | e54846f2a93ed9a9dfe3f04cd9ee028ff280f249 |
| SHA256 | 16d76b80ccd779fd5f1872ab82608b228ed6840dbcf022b27f37382472972636 |
| SHA512 | de2fd3ab04f2a1ea4abb68f4aa30ae64650f375ab84ab058859dc422fd0c4f819c7b93017c5e25a611393a356d09bcf6f2d8027e45f86082e260f828372c8ee5 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
| MD5 | c175c1c637820727da041986d3e970cd |
| SHA1 | 15aa88b101f4fc9d255bf250988706d400cd523f |
| SHA256 | 07b819058568412fe0e97ada253ebc615653c3457c24d39312c2f1f5e8ab1378 |
| SHA512 | 0adfa43f855f03f7961f5132063e7bfdbdb5d5984393ad7e295a24642927f22f2833c1cfcb493ea8d4f5e2409883dcde391c07d768a8a8e6c9f8d34f988ac733 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
| MD5 | b8456bb9fddba3a191c3a52f9ba9d2b7 |
| SHA1 | 606ddc205577ce60ba3af844d3596d6f557c60c0 |
| SHA256 | bfcbe037df46f9958d5912038816653939dd542536c552946b5d7825afecbb67 |
| SHA512 | a2747598ac3ad402f866bf281114613f76a916875b04e5b6e0cfae934f3074b0a2a3b1ff7e1d0f9e718474e42190336c31dbae28b68fbba3fb833a114a7f304f |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
| MD5 | a21ae415aea74a3fc247e4d5f1670640 |
| SHA1 | 9710f2d9acb4696ede303c4d6abafac75ff0e80e |
| SHA256 | 8a06c4840c94f0e2f2cd2e5b40f039683f50f7a893b862a48ac6ca4d7faa2c97 |
| SHA512 | 60a661fa5639e814519f2fa7b9ece42a018401e6c08b553fe4df5c5b7050fc0c51fdd6fcabfd5f372d93b115413675900549e449ff54c8b6f9d9116913e5a77c |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | 09295b732ecb6d75d0f1bfb34fc20bf8 |
| SHA1 | 29d9ca7c2c58d5560d2fdfce1795861599d7af68 |
| SHA256 | 98d19a9c3c5ae2f11325619ef49046083f0f6452692ff3bd904be6096309e050 |
| SHA512 | 3c42ecbd712888f922d6eb4598c821a5be3640e885242f62c81c8259a7c307b1d727a8061c1810f96d869614d86d6c50c0707cbd41c6cc4d5683341007497ce4 |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | 647f089469e665799f34fd1a3656ed0f |
| SHA1 | 2c4c056c87d6e6d0af2e38c5b43304bb648a4eed |
| SHA256 | 1f760a90d1c073b56f1f3c8f1fd34ed44e39d2f4d3b64803ab54511ef474b2a6 |
| SHA512 | 375567123578ef15ca7fb006e64abb6ac5827aa7d62ce770431efa890a9c7c99a7be0f33b5a678aea5d58a346d0df5c7271988b01f05733d1cd4568f92722152 |