General Info

File name

LockerGoga.exe

Full analysis
https://app.any.run/tasks/4706923e-ca4a-4826-9cb4-ae9be29f6bc1
Verdict
Malicious activity
Analysis date
4/14/2019, 22:21:00
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

e11502659f6b5c5bd9f78f534bc38fea

SHA1

b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b

SHA256

c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15

SSDEEP

24576:645Rt4El7fc/TFJzjJUgrrCq5sNIwQsUGy1q7a9DlIACTp+kqGslRG:Rjt4El7fc/TFJWstwQsPdSDuACTpqhG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Starts NET.EXE to view/add/change user profiles
  • tgytutrc5079.exe (PID: 2188)
 Creates files like Ransomware instruction
  • LockerGoga.exe (PID: 2736)
Application launched itself
  • tgytutrc5079.exe (PID: 2188)
Starts itself from another location
  • LockerGoga.exe (PID: 2736)
Executable content was dropped or overwritten
  • cmd.exe (PID: 2684)
Starts CMD.EXE for commands execution
  • LockerGoga.exe (PID: 2736)
 Dropped object may contain Bitcoin addresses
  • tgytutrc5079.exe (PID: 2264)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable (generic) (52.9%)
.exe
|   Generic Win/DOS Executable (23.5%)
.exe
|   DOS Executable Generic (23.5%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:03:18 10:07:54+01:00
PEType:
PE32
LinkerVersion:
14.16
CodeSize:
950784
InitializedDataSize:
322048
UninitializedDataSize:
null
EntryPoint:
0x9d54b
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
FileVersionNumber:
1.5.1.0
ProductVersionNumber:
1.5.1.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
CompanyName:
ALISA LTD
FileDescription:
Background Tasks Host
FileVersion:
1.5.1.0
InternalName:
tgytutrc
LegalCopyright:
Copyright (C) ALISA LTD 2019
OriginalFileName:
tgytutrc
ProductName:
Service tgytutrc
ProductVersion:
1.5.1.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
18-Mar-2019 09:07:54
Detected languages
English - United States
CompanyName:
ALISA LTD
FileDescription:
Background Tasks Host
FileVersion:
1.5.1.0
InternalName:
tgytutrc
LegalCopyright:
Copyright (C) ALISA LTD 2019
OriginalFilename:
tgytutrc
ProductName:
Service tgytutrc
ProductVersion:
1.5.1.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000118
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
18-Mar-2019 09:07:54
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x000E8032 0x000E8200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.65764
.rdata 0x000EA000 0x000346CE 0x00034800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.00574
.data 0x0011F000 0x0000B6FC 0x00009000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.906
.rsrc 0x0012B000 0x00000508 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.71326
.reloc 0x0012C000 0x0000E228 0x0000E400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.55487
Resources
1

Imports
    SHLWAPI.dll

    NETAPI32.dll

    IPHLPAPI.DLL

    Secur32.dll

    KERNEL32.dll

    SHELL32.dll

    ole32.dll

    ADVAPI32.dll

    WS2_32.dll

Exports

    No exports.

Screenshots

Screenshot of c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15 taken from 16519 ms from task started

Processes

Total processes
95
Monitored processes
51
Malicious processes
2
Suspicious processes
0

Behavior graph

+
start lockergoga.exe no specs lockergoga.exe cmd.exe tgytutrc5079.exe no specs logoff.exe no specs logoff.exe no specs logoff.exe no specs logoff.exe no specs logoff.exe no specs logoff.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe tgytutrc5079.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3032
CMD
"C:\Users\admin\Desktop\LockerGoga.exe"
Path
C:\Users\admin\Desktop\LockerGoga.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\desktop\lockergoga.exe
c:\systemroot\system32\ntdll.dll

PID
2736
CMD
"C:\Users\admin\Desktop\LockerGoga.exe"
Path
C:\Users\admin\Desktop\LockerGoga.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\desktop\lockergoga.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cmd.exe
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\tgy

PID
2684
CMD
C:\Windows\system32\cmd.exe /c move /y C:\Users\admin\Desktop\LockerGoga.exe C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
LockerGoga.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2188
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -m
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
No indicators
Parent process
LockerGoga.exe
User
admin
Integrity Level
HIGH
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\logoff.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\samlib.dll
c:\windows\system32\net.exe
c:\users\admin\appdata\local\temp\tgy

PID
2892
CMD
C:\Windows\system32\logoff.exe 0
Path
C:\Windows\system32\logoff.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Session Logoff Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\logoff.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll

PID
1356
CMD
C:\Windows\system32\logoff.exe 0
Path
C:\Windows\system32\logoff.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Session Logoff Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\logoff.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll

PID
2196
CMD
C:\Windows\system32\logoff.exe 0
Path
C:\Windows\system32\logoff.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Session Logoff Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\logoff.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll

PID
1152
CMD
C:\Windows\system32\logoff.exe 0
Path
C:\Windows\system32\logoff.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Session Logoff Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\logoff.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll

PID
3384
CMD
C:\Windows\system32\logoff.exe 0
Path
C:\Windows\system32\logoff.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Session Logoff Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\logoff.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll

PID
1464
CMD
C:\Windows\system32\logoff.exe 0
Path
C:\Windows\system32\logoff.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Session Logoff Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\logoff.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll

PID
2996
CMD
C:\Windows\system32\net.exe user admin [email protected]
Path
C:\Windows\system32\net.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Net Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\net1.exe

PID
1244
CMD
C:\Windows\system32\net1 user admin [email protected]
Path
C:\Windows\system32\net1.exe
Indicators
No indicators
Parent process
net.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Net Command
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\samlib.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\netmsg.dll

PID
3260
CMD
C:\Windows\system32\net.exe user Administrator [email protected]
Path
C:\Windows\system32\net.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Net Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\logoff.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\conhost.exe
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll

PID
2976
CMD
C:\Windows\system32\net1 user Administrator [email protected]
Path
C:\Windows\system32\net1.exe
Indicators
No indicators
Parent process
net.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Net Command
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\samlib.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\netmsg.dll

PID
3792
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3852
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll

PID
1184
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2716
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2432
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
1672
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2388
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
312
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
1708
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3636
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3228
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3412
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2616
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3212
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2888
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
592
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3740
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2748
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
476
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
300
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3056
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2148
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3316
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll

PID
3072
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2532
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3452
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2584
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
904
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
2688
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3324
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3628
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
1100
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll

PID
2264
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3284
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll

PID
3096
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll

PID
2384
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
3644
CMD
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe -i SM-tgytutrc -s
Path
C:\Users\admin\AppData\Local\Temp\tgytutrc5079.exe
Indicators
No indicators
Parent process
tgytutrc5079.exe
User
admin
Integrity Level
HIGH
Version:
Company
ALISA LTD
Description
Background Tasks Host
Version
1.5.1.0
Modules
Image
c:\users\admin\appdata\local\temp\tgytutrc5079.exe

Registry activity

Total events
3549
Read events
1749
Write events
1800
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
SessionHash
1F6CAD40E8C9C1DD9575DA72296CF034BA734A847725B6B81C9FEDFBDF715DA7
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
RegFilesHash
D68F86F979FC0FC92B11358D7544EF32C13CDC91826736CE49C9CF097C295476
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
SessionHash
13B7BC55E911AF719274AA08FCECEDBA990ABE055FC2E550450EBD842E2BCDED
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01149_.WMF
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
RegFilesHash
10A98AB529E7BCD24CD8615A92C67F2B30AFB30CDC7FB495945427CA8FFBDDD7
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
SessionHash
3E5C61F4C1226A61B85EF2FC34EEDAF92090573466F783341C77EABFD909F7E3
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
RegFilesHash
6B11ED504AD4E3ADFE1949CAA98D6B258F9769079291336D78066390497FA749
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
SessionHash
044CB41130F3320539C0650BA5C9A21AA0E8F09A7B92DAAF11FE24604CA33173
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_01.MID
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
RegFilesHash
F03116834AC43DB3940AAF0CFA92ACFEACB7D4E1F689EE0E0B00A7E069BAAEA3
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
SessionHash
20D053668C7DCCAFCC7F58DD101E28AB77AF337A92686B212330DA165D2673FA
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE01160_.WMF
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFilesHash
54DECBED86FD1E51570C51526CC828E6163B5781D755FEA08C4C2D782D8CCF1D
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
SessionHash
61F634328B9930542CA9BE9EC9060077C261E0C1D635916302921A2199B337E6
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE03459_.WMF
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
RegFilesHash
5F87CF43F025B04C238DCF6CABF87691DB7D03B191F30A6353608703EAD6F6C1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
SessionHash
4F7E186499D51CF1889E7540A3D2A14EA8500409B694CA6D371F45B876B9837B
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
RegFilesHash
537703C9B8387611A889605AD520332FFFB4C213D695049EFB68BF8F038150F1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
SessionHash
03A0BB25DBB3B8C6E34C6E9D515A79B1094320E770B08D69CD3658EA872651C6
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
RegFilesHash
3B51B8D0CCA86D421BD2B4E094028E5873B59496BC27B763D7B303ADFD99E16E
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
SessionHash
1C6C8EFAD217CAE851A3B4AED7E863A081FC8EF0A9FA9BDC45525AD89A8AB6B3
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00345_.WMF
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
RegFilesHash
AF07EDCD664638B6ADFA9EE6B6F86A16B891689AB97358E605E53D2B92AAD277
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
SessionHash
E3653C8621A8804934235F36BDBB2C0F0CDC261F8A60757CE8C43F7EF98F6089
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00017_.WMF
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
RegFilesHash
59C3114CCDE6B14C1C75EC611ACB43B2B1FA1FC0777620C04124CC54709B258E
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Owner
380A00001ADE1BA5FFF2D401
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
SessionHash
A0792B407B9C14EC8A14F9E0219EEA7891DE4556494D961306B6190D629EAF6D
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Sequence
1
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00208_.WMF
2616
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFilesHash
F0A2AE55F10DD78A98A9F64727AF07B569752E9126AD7934A0633CA311936EE9
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
3F8BBD2846CB6314F6CABD69F0D381F66B28CD29D6131C380D788409BD51F8DD
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFilesHash
2C5AE4A7A2C821DA850E0BA9679AC2FFA3C0F584402F44DE0235768882E610EC
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
SessionHash
3B3B34E783A4E30884DEB6DA7EC5FCD64A2EE07AE431691EE77BABD1FE98CEEE
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFilesHash
81C1F73C945A5EE6E04CA44783F29E72B0F19AE958FFFBE93E8AFACFD9733318
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
SessionHash
C23F7C7897998C6D1FFA7CABC2360D0493432B76C46832C3307D391E16054660
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
RegFilesHash
67610FBF16555F18F470DC7751F2162CC432A95152808403D3952DE8F81D1DA9
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
SessionHash
AA06D955252D4A4C1A94B4DEC86C23B1BE6FB9BE693E21057C6084595415FF73
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0301052.WMF
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
RegFilesHash
8014ECB039C24FA90A315E638EF12A6D48D57A31DDDEE41CD545CC6CA80B1677
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
SessionHash
C3DC90201D8CD06C5CDA168A599E7F99540264199AFFBDDD8F7A6834D31002BD
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0301432.WMF
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
RegFilesHash
C6E59BBD2E299575FF762F9F221D111176C869E4CA07063EEFDFFAC3FEAAD80D
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
SessionHash
EA66F39041ABC54C9F263CED9FCFD573CD8D3E8664D7146B88832C01B410EE19
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
RegFilesHash
C3BCE6BFBF6C2295467167354ACC0C8BEACE949DB14FFAB37B7684AA05D83765
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
SessionHash
B2424B739B2E6D21298583FBD6EF1506E627F8A2A7B8A0924993B93D6DF5236B
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
RegFilesHash
D77FC7B9C225F254CF8AAA457650178007DD82A7C8DE912FE90E3F2DD9C87DF4
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
SessionHash
9CD78C0BFC40A0C9B03EB6456BF8DECE6EE05377572BAC90CDC5DA607FF8C7EE
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFilesHash
3BFFD3A55DBE821809D02E28C039F7E31130F88A89EBFCCFC5D097430FD544F3
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
SessionHash
9D086607E763E472EF27093D2CFD5D8FE5ADE5700A87967973605FD27EA736F2
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMF
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
RegFilesHash
FDFB24AB783ACE8E6033EE7DC6235D996201647C1AE914AD4CCA64F1F2634BE4
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
SessionHash
4BC24950E82E09D0FCF19E11E807CA181703FE69455A080FAD2173FB9F0B6050
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01470_.WMF
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
RegFilesHash
F49CC037A98F6EF2D5DE6FBC74ECA5ED265D6296164AB813AC3FEAC12DF42366
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
Owner
9C0C00006C91EEA4FFF2D401
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
SessionHash
929C90C0942A7E294C4F2DF76674C74B25716652EBAEF99078FBA98CB7EC4A48
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
Sequence
1
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02435_.WMF
3228
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
RegFilesHash
5DB26814AB6016AD4BDD1BDB09F670F803C209626922CB9F061524024091E6B4
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
3792C8F84BC1EF4F1234D43DC42B15CD22911F3289A31FC3F73029A3F787735F
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFiles0000
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFilesHash
4229DA800407D064ABF58C9232B0F047E9E1D085F60E0BE4CBC8D175AB22370E
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
SessionHash
E85C62AC76441EB1E1DDD3E664FA2EE4681028CA7D504FC949A4FA3DA77B6FF3
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
RegFilesHash
9415E3F905AF44D1D6EE98775BE3E1B665AB48A846D75670B73E7936F86DF2F2
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
SessionHash
1A63EB7AADD5D1C8499815FC6C3FF7B9269DDD8A1449D94E777DB6E415B6A6C3
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
RegFiles0000
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0009
RegFilesHash
DACDAE154F9451B9B802BA39FB8F105BDD6C185BD4DB04DF877832A8A4FC61CC
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
SessionHash
B69F50A3ACAC9941AE8DA7CFD09BE8CCA971AAA31AE85A49285995466C04CF42
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
RegFiles0000
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
RegFilesHash
7F8AB1A1A2310D250C0872842E767F5156EBBB8B3681EE8C0F3A8CF89ADC1D29
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
SessionHash
7678228441CBE8FBC0AC891096E598C4884214B0313D18FEB7BFB09A635BA324
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
RegFiles0000
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
RegFilesHash
C3FF3384EADC6CC03ECA5CA690340BB0C54FE1645888592750922C959B0E1C32
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
SessionHash
1562E7E5484A77304DEA569F39B936418DB3989D0DC48FFF8E08679E0B9C814E
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
RegFiles0000
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
RegFilesHash
D1B74809D0EB008047EECB9E7F39062CEC1B341E715858A85FE9C9678F8AF0A3
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
SessionHash
5B8142D20188563382FFE3573F2C06420E5649085F4464C4D2D7676EFD77500E
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SIWW.cab
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
RegFilesHash
B1DF6FB66F4F0BD3EB57D6A6519586DF8A8CFAE44E0B497CB347C9EF480AE618
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0040
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0040
SessionHash
C66EB973B3877D572A160EB8BCC567172BE2CBCB5F25D77B7F00F6E855CF82AB
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0040
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0040
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0040
RegFilesHash
5E2AE91DD0CC46996BB1846696078A172DFB91C27A761F0D9996BAEC7DA1B662
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0045
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0045
SessionHash
072A11D2463413958B032EFC84DB7BF54E68250146ED27B29ED67F6CF887B96A
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0045
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0045
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0045
RegFilesHash
C9D14C10E61E03BD8DB5008B13D8DB207EC91BEB0D7D6452021DD1C32E1AC984
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
SessionHash
1176BF0D6C6DB1AFDF57B7D90E6A60F9D29B0E007B56BCE7827FEAE33E55EB4F
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFiles0000
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFilesHash
85AD51CFD22F6D34ADCCAACEB86471ABDEDADA97E168A2900B59CD3F0B3FDED6
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
Owner
D00E00006093189EFFF2D401
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
SessionHash
3D1C66477AB41D8694A7F6C4F75A8EF50A48355A723DD4B12D2D768ADE61805A
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
Sequence
1
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\PidGenX.dll
3792
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
RegFilesHash
6E9CF5339F3918780D1605066EE4FA04291D4CB20E3B9FFD8454767CA249BF98
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
SessionHash
A9B513BE4907AB9CD9819D7F9FEB4E987335D22BDEC3491EB347084979E0A431
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
RegFiles0000
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0004
RegFilesHash
0742E12B64F22C74B48D314B5B85A3ECC411E3ECF23A7AA5E39DE4013F1B627E
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
SessionHash
19656A53B4F30DF8BA203B311B8AC55A1A0039E36B15EE6C4AE5DDE2FBBF71E3
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0013
RegFilesHash
093AD121129FB038D5EC95C3DDE6D5E29026E6D135E88252641B44B8EA91F1BA
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
SessionHash
C580F6030259D27CB25EA43304FFE46890D41290C23901E9D4F2628509B1F6BE
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
RegFiles0000
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0018
RegFilesHash
7CD458A5733BAEFFF697E8A3E6D6A5C692040E167C78F84FE934F02F5803B937
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
SessionHash
0D4AF1A54EC69833BB996C5B8941883256933E0AE3F074EF7927D5E906F5E069
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
RegFiles0000
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
RegFilesHash
EC88B6154F8F092882F8AA862C767FA1D3B829D91DC9C07A93CD2C752B267FCE
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
SessionHash
B88B1128BE4CC025C596C7BC674F6513FFBC8A8FB9FB9C0DE367CBC9A1ECBF9C
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
RegFiles0000
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0030
RegFilesHash
A764B7F54591C790C545545B2A5AD5D43DA66420323CDC734F8C0DD02E3619BC
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
SessionHash
2F6095BF7767DDD109BDFB535982CF30C6895513802D59407C1D88ED724B6962
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
RegFiles0000
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
RegFilesHash
87AD7BCE5B823E2AD3388852DE405E060D8D7AA5566E9D7513F43C19C31FD464
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
SessionHash
67543AAF56E656C4413E974F09192EF5FEEA5B83D02AEE8909D2FEA82ACF2FD4
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
RegFilesHash
16CA44C2483FA0AA46B8C02139C71162F9EF867C7E4D70A3F1685347917EE6B4
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0047
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0047
SessionHash
1D27DBD9776E40D148D17C32661F3F09F99DCB54B80FDEADC0D92526CB98E64F
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0047
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0047
RegFiles0000
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0047
RegFilesHash
69D36127366709BC1815A98171B1A4D5617A718F25F406644FC6EC2115308686
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
SessionHash
E330065CA1361FC039875FF1844A28EF6D4101186C60318B7FF0818F3899B6F8
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
RegFiles0000
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
RegFilesHash
CBD4A7E5BB0C4F6FFC7620A9263619DC357B912232F4447839CB13E6EF7C98C8
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
SessionHash
023AD3E28E3D3FD012E4DA9D685A855E0FB8F432C7ECC06420B5B06057AA5F33
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
RegFiles0000
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
RegFilesHash
E51B31535C10ADEB0899BE09D6E11F071480D9517A1C511047E0D1FEC7A0A584
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Owner
0C0F00006093189EFFF2D401
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
SessionHash
2F8E6E6EDD552AA294AF5853369ECB3BB42A374901F4C2DB4E0148A0723A305A
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Sequence
1
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exe
3852
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
RegFilesHash
E52100353468E91596191A7F4804B271D12C6E8C074C49620506F51BEE467A03
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
SessionHash
637A54033D334E0EF9E2892ECB85BB6605356749F7D9ACFF96D7CEF61FCAC250
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
RegFiles0000
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
RegFilesHash
02EA62E2C6D2623E7EE1380F47E485A19138D02011EC7268048DA61A868F6D46
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
SessionHash
862055B352B04C03CF783863A7E3498D7136F3050A1AF040933E087486543020
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
RegFilesHash
F6D64812B3203FCFB66C84A357A2DB84A8E1DFCF9653C25A01041F3271758F5E
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
SessionHash
FFA743C41BACDABA6484725108565104B7294BE28D98986EC5972703FF86809E
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
RegFiles0000
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
RegFilesHash
A6186BA067F49F44D3DE16F07E7027B491C6C6C8CA454E92F938F6887D24BBE0
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0016
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0016
SessionHash
B0A45F73AD8F022AF185F2B642E91536443533420CA93E7EF0C5F5B41B916FEB
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0016
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0016
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.xml
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0016
RegFilesHash
578AFFE769A1039E14784DF9F705C50AE52ECFDD6D38F9F8A68966286510A6A5
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
SessionHash
2405510ABC2CC96B9D69A6C363497808936D4428E166E76A0A0203B8169B1E18
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
RegFiles0000
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0021
RegFilesHash
FC89A1AA43B42745FF8A75C503A8E7C8041B36AEFB19DB363717071DF9103B87
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0026
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0026
SessionHash
FAB6119BE1C53809E0FA4A3D67A14497B310EC74CDD7B730AB6AE826710103B8
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0026
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0026
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0026
RegFilesHash
0F3B596168365447F64F07332A8EB6348E2BFD370210337BFD7C9B4CBC0BC55E
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
SessionHash
52DBDFD419D2E38D54D5C6B7DF430CC7E6A31A2F6441BCBAC2C05082D1965392
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
RegFiles0000
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
RegFilesHash
AD6D7C05A1B0A444E8F95CA97CD667DCA967A07FC1E8A7F274C09898AD5F072E
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
SessionHash
B10CD5401E4FD1745ADDC4C914528D2A730FD9188CE191EAF6C2E7C48C9644C1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
RegFilesHash
2B739F019EBE258D98D40D66591A4305C290B8E9A3BAB404923A68FF23C9F859
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
SessionHash
FED03208ECF7CD66AD4430F34A8564AD626E7B075CA86E6A38535506A57662E4
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
RegFiles0000
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0037
RegFilesHash
21E6E2D33150A9B3907CC19A4500899E9E374B1A6A612BC1C58748F1CD1BA309
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0042
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0042
SessionHash
20CF88821F9F65F12E57257D41B9B21FFF97033435E9605D7F0BA5190EFA9B30
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0042
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0042
RegFiles0000
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0042
RegFilesHash
49108677F43055A06DDBB17395E3F33D3449E43F6F309D7F51F729F4F78F7314
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Owner
A0040000BAF51A9EFFF2D401
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
SessionHash
15CA0AF77815681BA5B82E9901034AD1005608663E00418D37D25B4BC949A2C2
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Sequence
1
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
RegFiles0000
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi
1184
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
RegFilesHash
D6CACB9B3CCFAB0B6EE20914E23A26CF7EF17F7D7D4322B912E3C89DB819DC8E
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
SessionHash
74A6D384577FBD49D92C9801E5C4CFBC59ACD4982FB211C8142084BBD79B5C8B
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
RegFilesHash
F12B21418071EB722D5B24C81FECBCFBA25F90398777D56720EEA8B3AD4FFD61
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0008
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0008
SessionHash
F1FFFC375D37DFF566A263EC45200ECBED11A24445705808413844B973DF414B
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0008
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0008
RegFiles0000
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0008
RegFilesHash
FF2FE65BFA469120B89108FC168C6E2A9AF3E44A86772CCF5F4A3E492D602B52
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
SessionHash
BA5BEE29EAF451C18E8503179AD9F0258A8BB06F1839FB8A78382A15851A4431
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
RegFiles0000
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
RegFilesHash
7B9FD59713B004907BE9B98E21C5A497EE291B2EA407A1C115AF5D8C3BFEA251
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
SessionHash
67679686B3FE63AF8E42518B2911E6E9913441E4CC8A9326AEA92888E8B5D8A1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
RegFiles0000
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
RegFilesHash
9B4B1C274F91B6A60C057BF5D76175EE2198BEA1062442BA160173BB3C48D72B
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
SessionHash
F8889C5298DEE25FF717979EA414A3E7E5065E75E3F04912A7B4EEAE2487AA46
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
RegFiles0000
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
RegFilesHash
1A2E0A9B7D7C442B231A24B647DB4576C2DAAA334BCEEB4D239FBDF6FDD8819F
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
SessionHash
68E020CC93D67E1E00F2E960FE78BCFA063FDCE5B5BC4A9505CC37C20A1F6012
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.xml
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
RegFilesHash
05FB9F011582CB1A9CF0FEFE9385A8056767EA2C35170F6F525749CAB0985CA0
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0028
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0028
SessionHash
8F6D8F84D34168D6F1D10E52950C67B30C58334EDA1B4F8AD9E5E3606E6DB969
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0028
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0028
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SIWW2.cab
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0028
RegFilesHash
AFE8310B0F3E53CBB57218C2D1FBF136CE65FF05C421F5E93B97DBAADE5BBBC3
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0038
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0038
SessionHash
6970251F505DC666901B9EA04CED62B78E6F6AE4E5C82CEE93F15E916B30D452
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0038
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0038
RegFiles0000
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0038
RegFilesHash
38A07B458574181165E76DA5DAA673ACF09E4C536A86B346BB5A3D4CD58C9960
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0043
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0043
SessionHash
1EFA6EF58CEF61E28C232EA3ED13073BABFBAE26C7DEDC63CD0D039E37DB7C7B
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0043
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0043
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\osetup.dll
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0043
RegFilesHash
B194A2D5F2A6B7146D4C6DBCAF80F775E252F0B52388BF630A80A570624C9A7E
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0046
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0046
SessionHash
B9943A1740F034BAFBE21714DE53E0EEDFAB4687F64C7B3D3A7239919FA662FD
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0046
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0046
RegFiles0000
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0046
RegFilesHash
7CD71B04A41CED0CE4871458783CE8BC9F990666C36C16BCA4663F8292E940C5
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Owner
9C0A000014581D9EFFF2D401
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
SessionHash
7035CA36EEEE72BEA684CF352FFE62C9B64D93EDE93ACED23BB990F406740E8E
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Sequence
1
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFiles0000
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
2716
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFilesHash
15BDF03CF669FBDED53FD2D9E155E75DB37A11D7B4DED9E681FCFE0DAC81B73D
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
SessionHash
FDD6292A9972902FEAB138C6687BB105728F8413E8C917E37F0DA3C65A816804
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFilesHash
470312B6D8B627B5C8DAB0D3C63232BAAF021D45B8D71C5C7C13095C3C534DDC
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
SessionHash
1F68FA7B43489D8CFC1E7ECFB39B1CE2039C6271D90163BEBA9C073EA378CC41
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
RegFilesHash
0CB3215B032786F6D4FCF1E3963FCDA51477C5166A2D270BBDA2A9298B36AA5D
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
SessionHash
43BF6D71F8D9BE334D86D23523EC31AA029EF17CD46ED18FA3B8A20E493DB77D
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFilesHash
7C6D28A44288D7CF1CF9230C2E73801F022EF29B6AEEF831398DBDD707290828
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
SessionHash
8C19A4288B39BC1188CC9D82CA94EAB069244F34045E3820C3D21F55CB61B887
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Setup.xml
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
RegFilesHash
15C767A6A75715A5E4F6B70283CA60201893AC907C8072AD364566FD1F8A0DD6
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
SessionHash
82B4D69A3F152E14DF0BAAB233D15780692331E032B1FB29742098979E46C616
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
RegFiles0000
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0022
RegFilesHash
7D61B81AF261D114F247D14F3F38A36602778C80112FD910A1D2632DEB21917D
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
SessionHash
E007C6D82ED5D2B36C883E8CFCA8CC5309735E15374E14383548766AB89CE2B4
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0027
RegFilesHash
B1878833F4505FD35A76EFDCBAFB67E94337418E99E7FC86FF8C361CE5939BF2
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0032
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0032
SessionHash
4AC1E88DAE99DF3645D0D24FD08233A01BB0F378DD98A776011426498CE0C85B
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0032
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0032
RegFiles0000
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0032
RegFilesHash
30132B0BF32DAE15481AD91F6CE783362E5FC0C153775A0917410D13AC14E63C
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0033
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0033
SessionHash
16861937C80D221210CDE91751C14DC48FC729963F0821658DFA93A8C59FC125
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0033
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0033
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.msi
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0033
RegFilesHash
360C725A223AD11619F610538C8D29B03E751BCBD710D2EB62431CAF48792D7B
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0035
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0035
SessionHash
C70878C51A602353B77A5EFCFF10ED8AB6ACE95B72E5F4F4D988C5631B5A642C
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0035
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0035
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0035
RegFilesHash
63F6C304D280CFA4B4FA4983CA4FD115F0B3CFCFFC226F0261A505E587F4B331
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
SessionHash
6E88C58D05538C9A000FE4B597B6B15AB16D5A352057BD77C6642D5B5EC28F8A
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
RegFilesHash
6C552025D7744E53A78AB95E993E15E6A45B948A1D93DF817B42B44C54763D37
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
Owner
80090000C81C229EFFF2D401
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
SessionHash
7EF57B63641E01F9D211C705FBD34B41FD45136A5339AFC77E6859CA75144A53
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
Sequence
1
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.msi
2432
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
RegFilesHash
CB6304DC7656CEE55324AEF8889EF925D4C82043BED398DA33AB857B30FD27B0
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
F48F5604C5CDC700979FDFFAC162F44141A938E59B7CA1AB02C05ACE3DD0E507
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFilesHash
71C8709AD9F7800F8D039C0F3B7481700568272DA136EE3F4D261672CFABB8A9
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
SessionHash
5442868D88C1A812180A4C73C6A346043F4CD40B34885EB889449F71E4B52CEE
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFiles0000
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
RegFilesHash
FB3C79A1EAAC970CCD67D34E08F5E38C1C743588BB3DAB30497DAD12E9C1A7E3
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
SessionHash
9ECA8FABF010DD74BEB7F782584E7B177015879C128D39A46D100318B1DFECA0
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0003
RegFilesHash
F38FA0CC88056A90CA934DE3EB815FD185AF7FE0E22C520A60E152E7E4856E19
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
SessionHash
926320C957360D16F46B13B28F57814ECFB3975659C439980D002D581B76FFF5
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0005
RegFilesHash
ED458A089E908C078A33E92BA07BA4BDB1CD3716079EC0CFEB41F2283A80EA16
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
SessionHash
551BEF67330C80C564C8B1796117FE15AAB5F0CFE7CA1818A10D9639437ABD92
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0011
RegFilesHash
17AE0D8199E3E249EDD9191CBCB1AD9B24F07B952C40263BAB4AFE57C308A0A2
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
SessionHash
6193D2C39E45601796CC2213449619C1CAF5F4AD3943BCB407143FBF5C7FA249
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0015
RegFilesHash
01DDAA92BB3F6AEB975105D072CE0EC47CFAC9C99763DAE574D60637EF29B3A1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
SessionHash
FC0CB2391042E75E33C6BCEEDB3FB41D38EF200F2A847AC5DF2FB6FEA72C1322
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
RegFiles0000
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\SVE\CPDF_Full.aapp
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0020
RegFilesHash
4E61BC734FDF7A2B1B1A68038C37872F8032F8F1CD5EFE71F44AD6F7B934BBA5
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
SessionHash
73FA482CE4100B46E4889B1A60AF06FA1949EDB8DC54CF2B43107A94B244169E
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152882.WMF
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0025
RegFilesHash
7114D998D7E99E171C1B5577D00ED30F49437C14DA416F84C9C02207490309E5
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
SessionHash
81C69972F935633B3DE1840B54B47E95FD08C30546CA4C3BFABACA1076925738
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0031
RegFilesHash
984B9BDCF2AA0DBE572B0A675289E5CA573BE5BAAA9C5D8BC4BBD4B2D0398B93
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
SessionHash
405C664ACB28D445EE87BE51D3E3441E09B2AA6E41ABAF3BA43F917B7E40EA49
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0198494.WMF
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0036
RegFilesHash
93433987E3DB8A96D6A4347E01F0301DF1B602F15E2F9E92B221B748A90AAFBC
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
Owner
88060000F47C54A3FFF2D401
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
SessionHash
732C0A14A00C9F2C7E3CE2AC9674A01F3321F6888FFD85F0C7AAF2D1CA5CA51B
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
Sequence
1
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0217302.WMF
1672
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0041
RegFilesHash
C6D82C8E35B38E702AFCCE84D84815D7BDEA3FEF494916B6AA1DD2CEFF2F73EC
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Owner
5409000078546CA3FFF2D401
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
SessionHash
2C4C4D8885996691689A46F3FFD59A9BB76E68309B3E9872EA4CC3C698EBC79F
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Sequence
1
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
RegFiles0000
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
RegFilesHash
91D784321F713BBDB3E050E5BA529B2118A43124BEE6B766B63AB9328F5AB1EF
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
Owner
5409000078546CA3FFF2D401
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
SessionHash
7668DED1AD777C1DA962757A03DDC787D9E362D32A5FC6E33E510837166B3638
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
Sequence
1
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0006
RegFilesHash
9227A85A4106822ECC044EF3D8C500D927456F210CF3C78700F870F7584C9087
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Owner
5409000078546CA3FFF2D401
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
SessionHash
0B730D4DF8740685C9395B6ABF868F1F1516248F75F9EB2559D161070F4BAA93
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Sequence
1
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
RegFilesHash
185DEF8F31734F8B265FD8D5A1345A9218083D157B49471AE89986BB2C10CB1A
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
Owner
5409000078546CA3FFF2D401
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
SessionHash
A24F2E97F444ADC245198D5218E631BABE91FF468BBD02C5689ADDD95F32C440
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
Sequence
1
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
RegFiles0000
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0014
RegFilesHash
9B8B8335B9F5D78ED806DB159163CC5571C968EC900E883396322FA678D67F85
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
Owner
5409000078546CA3FFF2D401
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
SessionHash
615F25D840093C87BE2D055BE2B45166361B01ED793FBC09B9E98B22CE8DE7EE
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
Sequence
1
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
RegFiles0000
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\FRA\EPDF_RHP.aapp
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0019
RegFilesHash
9308E6F53D2CB24BB23A459EA6711C1881026D936AE88B3C4DAABADB542DA7AE
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
Owner
5409000078546CA3FFF2D401
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
SessionHash
85D5FE8B2AE616BBD48E1A2782AA639C1DD4088FEED05FA9A30948FDDBAF29E4
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
Sequence
1
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
RegFiles0000
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152876.WMF
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0024
RegFilesHash
F1D1CC1CFB846125653094D9BA965EA2B35A20A8EA9A91187BCECA4EADB14E49
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Owner
5409000078546CA3FFF2D401
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
SessionHash
50F3F128A019B87451C361AB3159124ABF245E9CAD587F9760BC67C3FC9C82A7
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Sequence
1
2388
tgytutrc5079.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Restar