Technical Information (dynamic-analysis artifacts: registry change, spawned processes, memory-region dumps, dropped/temporary files, HTTP connections and DNS queries). Note: the listed Windows licensing/certificate-validation processes and the CRL/OCSP/CTL downloads from Microsoft and VeriSign hosts are common background activity in a sandboxed Windows system and should be corroborated before being treated as indicators; the remaining masked hosts and IP address, and the process-related memory dumps, warrant priority review.
- [<HKLM>\SYSTEM\ControlSet001\services\sppsvc] 'Start' = '00000002'
- '<SYSTEM32>\sppsvc.exe'
- '<SYSTEM32>\schtasks.exe' /pid=0x838 /commits
- '<SYSTEM32>\slui.exe' -Embedding
- '<SYSTEM32>\Wat\WatAdminSvc.exe' /run
- '<SYSTEM32>\Wat\WatAdminSvc.exe'
- <APATH_ALLOC_DIR>\0838_03E00000_51.ndmp
- <APATH_ALLOC_DIR>\0838_03F70000_52.ndmp
- <APATH_ALLOC_DIR>\0838_03D00000_50.ndmp
- <APATH_ALLOC_DIR>\0838_01BA0000_48.ndmp
- <APATH_ALLOC_DIR>\0838_03BD0000_49.ndmp
- <APATH_ALLOC_DIR>\0838_04220000_53.ndmp
- <APATH_ALLOC_DIR>\0838_046C0000_57.ndmp
- <APATH_ALLOC_DIR>\0838_04870000_58.ndmp
- <APATH_ALLOC_DIR>\0838_045C0000_56.ndmp
- <APATH_ALLOC_DIR>\0838_04320000_54.ndmp
- <APATH_ALLOC_DIR>\0838_044E0000_55.ndmp
- <APATH_ALLOC_DIR>\0838_00FA0000_47.ndmp
- <APATH_ALLOC_DIR>\0838_00760000_39.ndmp
- <APATH_ALLOC_DIR>\0838_00770000_40.ndmp
- <APATH_ALLOC_DIR>\0838_00750000_38.ndmp
- <APATH_ALLOC_DIR>\0838_006F0000_36.ndmp
- <APATH_ALLOC_DIR>\0838_00740000_37.ndmp
- <APATH_ALLOC_DIR>\0838_008C0000_41.ndmp
- <APATH_ALLOC_DIR>\0838_00E20000_45.ndmp
- <APATH_ALLOC_DIR>\0838_00E30000_46.ndmp
- <APATH_ALLOC_DIR>\0838_00CD0000_44.ndmp
- <APATH_ALLOC_DIR>\0838_00900000_42.ndmp
- <APATH_ALLOC_DIR>\0838_00A00000_43.ndmp
- <APATH_ALLOC_DIR>\0838_04A40000_59.ndmp
- <APATH_ALLOC_DIR>\0838_7FFD9000_75.ndmp
- <APATH_ALLOC_DIR>\0838_7FFDA000_76.ndmp
- <APATH_ALLOC_DIR>\0838_7FFD8000_74.ndmp
- <APATH_ALLOC_DIR>\0838_7FFD6000_72.ndmp
- <APATH_ALLOC_DIR>\0838_7FFD7000_73.ndmp
- <APATH_ALLOC_DIR>\0838_7FFDB000_77.ndmp
- <APATH_ALLOC_DIR>\0838_7FFDF000_81.ndmp
- <APATH_ALLOC_DIR>\0838_7FFE0000_82.ndmp
- <APATH_ALLOC_DIR>\0838_7FFDE000_80.ndmp
- <APATH_ALLOC_DIR>\0838_7FFDC000_78.ndmp
- <APATH_ALLOC_DIR>\0838_7FFDD000_79.ndmp
- <APATH_ALLOC_DIR>\0838_7FFD5000_71.ndmp
- <APATH_ALLOC_DIR>\0838_05010000_63.ndmp
- <APATH_ALLOC_DIR>\0838_77B50000_64.ndmp
- <APATH_ALLOC_DIR>\0838_04EF0000_62.ndmp
- <APATH_ALLOC_DIR>\0838_04BD0000_60.ndmp
- <APATH_ALLOC_DIR>\0838_04D30000_61.ndmp
- <APATH_ALLOC_DIR>\0838_7F6F0000_65.ndmp
- <APATH_ALLOC_DIR>\0838_7FFD3000_69.ndmp
- <APATH_ALLOC_DIR>\0838_7FFD4000_70.ndmp
- <APATH_ALLOC_DIR>\0838_7FFB0000_68.ndmp
- <APATH_ALLOC_DIR>\0838_7FFAE000_66.ndmp
- <APATH_ALLOC_DIR>\0838_7FFAF000_67.ndmp
- <APATH_ALLOC_DIR>\0838_00050000_4.ndmp
- <APATH_ALLOC_DIR>\0838_00060000_5.ndmp
- <APATH_ALLOC_DIR>\0838_00040000_3.ndmp
- <APATH_ALLOC_DIR>\0838_00020000_1.ndmp
- <APATH_ALLOC_DIR>\0838_00030000_2.ndmp
- <APATH_ALLOC_DIR>\0838_000D0000_6.ndmp
- <APATH_ALLOC_DIR>\0838_00220000_10.ndmp
- <APATH_ALLOC_DIR>\0838_00230000_11.ndmp
- <APATH_ALLOC_DIR>\0838_001F0000_9.ndmp
- <APATH_ALLOC_DIR>\0838_000E0000_7.ndmp
- <APATH_ALLOC_DIR>\0838_000F0000_8.ndmp
- <APATH_ALLOC_DIR>\0838_00010000_0.ndmp
- %WINDIR%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C24EC5BDAF13613245B4CECC3DE91DC6
- %WINDIR%\Temp\tmpD9AB.tmp
- %WINDIR%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C24EC5BDAF13613245B4CECC3DE91DC6
- <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
- <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
- <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab1567.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab15D7.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\CabE763.tmp
- <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\CabE658.tmp
- <APATH_ALLOC_DIR>\0838_00240000_12.ndmp
- <APATH_ALLOC_DIR>\0838_00640000_28.ndmp
- <APATH_ALLOC_DIR>\0838_00650000_29.ndmp
- <APATH_ALLOC_DIR>\0838_00630000_27.ndmp
- <APATH_ALLOC_DIR>\0838_00580000_25.ndmp
- <APATH_ALLOC_DIR>\0838_00620000_26.ndmp
- <APATH_ALLOC_DIR>\0838_00660000_30.ndmp
- <APATH_ALLOC_DIR>\0838_006D0000_34.ndmp
- <APATH_ALLOC_DIR>\0838_006E0000_35.ndmp
- <APATH_ALLOC_DIR>\0838_006C0000_33.ndmp
- <APATH_ALLOC_DIR>\0838_00670000_31.ndmp
- <APATH_ALLOC_DIR>\0838_00680000_32.ndmp
- <APATH_ALLOC_DIR>\0838_00500000_24.ndmp
- <APATH_ALLOC_DIR>\0838_00370000_16.ndmp
- <APATH_ALLOC_DIR>\0838_00390000_17.ndmp
- <APATH_ALLOC_DIR>\0838_00360000_15.ndmp
- <APATH_ALLOC_DIR>\0838_00250000_13.ndmp
- <APATH_ALLOC_DIR>\0838_00260000_14.ndmp
- <APATH_ALLOC_DIR>\0838_003A0000_18.ndmp
- <APATH_ALLOC_DIR>\0838_00420000_22.ndmp
- <APATH_ALLOC_DIR>\0838_004F0000_23.ndmp
- <APATH_ALLOC_DIR>\0838_00410000_21.ndmp
- <APATH_ALLOC_DIR>\0838_003C0000_19.ndmp
- <APATH_ALLOC_DIR>\0838_003D0000_20.ndmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab1567.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab15D7.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\CabE763.tmp
- %WINDIR%\Temp\tmpD9AB.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\CabE658.tmp
- 'crl.verisign.com':80
- 'cs######0-crl.verisign.com':80
- 'ap#.##tcrawl.info':80
- 'ct###.#indowsupdate.com':80
- 'oc##.#erisign.com':80
- '20#.#6.232.182':80
- cs######0-crl.verisign.com/CSC3-2010.crl
- 20#.#6.232.182/fwlink/?Li###########
- oc##.#erisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEFJfaCstix4Ltx8wQaOHPrI%3D
- 20#.#6.232.182/pki/crl/products/CodeSignPCA.crl
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?62##############
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?65##############
- oc##.#erisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9c##############
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?27##############
- 20#.#6.232.182/pki/crl/products/WinPCA.crl
- crl.verisign.com/pca3-g5.crl
- 20#.#6.232.182/pki/crl/products/microsoftrootcert.crl
- ap#.##tcrawl.info/rs
- DNS ASK go.###rosoft.com
- DNS ASK www.microsoft.com
- DNS ASK ap#.##tcrawl.info
- DNS ASK cs######0-crl.verisign.com
- DNS ASK oc##.#erisign.com
- DNS ASK ct###.#indowsupdate.com
- DNS ASK crl.verisign.com
- DNS ASK crl.microsoft.com