Malware Analysis Report

2025-06-15 20:06

Sample ID 240515-mlpkkade29
Target 2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker
SHA256 cc36ad76f4c4156dc8ab9aa8fe88a27039deb778949ac6e8ca078555f2c88fb0
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cc36ad76f4c4156dc8ab9aa8fe88a27039deb778949ac6e8ca078555f2c88fb0

Threat Level: Shows suspicious behavior

The file 2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy WMI provider

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 10:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 10:33

Reported

2024-05-15 10:36

Platform

win7-20240221-en

Max time kernel

138s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\a2a820c7ae4ef42b.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F02EFD76-B175-4386-A9C5-C5AF299C03B8}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4FC5.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP88FE.tmp\stdole.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3BF7.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP53EA.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP516B.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP55CE.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\system32\SearchIndexer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{612BAF53-A521-49E7-987B-0D31C29DB256} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000050fc2b97b3a6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2432 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2432 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2432 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2432 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2432 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 248 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e0 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 278 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1e0 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 1e0 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 248 -NGENProcess 1e0 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 298 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 248 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 274 -NGENProcess 1e0 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 200 -NGENProcess 1b0 -Pipe 1f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 250 -NGENProcess 230 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 228 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1b0 -Pipe 224 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 230 -Pipe 1bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1b0 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 268 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 260 -Pipe 238 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 230 -Pipe 228 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 230 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 278 -NGENProcess 260 -Pipe 1b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 260 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 280 -Pipe 200 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 280 -NGENProcess 278 -Pipe 230 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a0 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 278 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d4 -NGENProcess 2c8 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2dc -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2c0 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2dc -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2c0 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c0 -NGENProcess 2e8 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e8 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2c0 -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 308 -NGENProcess 2e0 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 308 -NGENProcess 2c0 -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 284 -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 314 -NGENProcess 300 -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2c0 -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2c0 -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e0 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2c0 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 338 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 320 -NGENProcess 328 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 31c -NGENProcess 334 -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 330 -Pipe 1b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 328 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 334 -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 330 -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 328 -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 334 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 328 -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 334 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 334 -NGENProcess 354 -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 364 -NGENProcess 328 -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 374 -NGENProcess 354 -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 348 -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 360 -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 354 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 348 -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 378 -NGENProcess 360 -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 368 -NGENProcess 388 -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 390 -NGENProcess 348 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 360 -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 348 -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 360 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 388 -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 348 -Pipe 390 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 360 -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 388 -Pipe 398 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 348 -Pipe 39c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 360 -Pipe 3a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 388 -Pipe 3a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 348 -Pipe 3a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 360 -Pipe 3ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 388 -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 348 -Pipe 3b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 360 -Pipe 3b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 388 -Pipe 3bc -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 34.41.229.245:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
CN 112.20.151.0:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
IE 2.18.24.25:80 crl.microsoft.com tcp
CN 112.20.151.0:80 tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp

Files

memory/2804-0-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2804-1-0x0000000000230000-0x0000000000297000-memory.dmp

memory/2804-6-0x0000000000230000-0x0000000000297000-memory.dmp

memory/2804-7-0x0000000000230000-0x0000000000297000-memory.dmp

\Windows\System32\alg.exe

MD5 41c4089a83a3678d93c2f26936d9c42e
SHA1 1183e06179d52dd33768fdd4d4adbc329fc36e68
SHA256 ede1e3f1938fa52849af5ecd9f16a054bd2a54ce55995dff9464c56cb0111608
SHA512 c5f4f3cd5a5c07e24b1e3ddba08394cb2c361f6cf03980cfefe52953bcd25f33dbb29a14e5556a65d50514d227c2d43e964268dbc550edf3276b02a1a75b9eee

memory/2804-19-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2980-20-0x0000000100000000-0x0000000100184000-memory.dmp

memory/2980-21-0x0000000000910000-0x0000000000970000-memory.dmp

memory/2980-27-0x0000000000910000-0x0000000000970000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 2afc649bf8ea2eb062ca48592fa7282f
SHA1 5d713e1822ec0c5df21d4fe61800d1604b2e7700
SHA256 cfc87a74045f38cc45e5b1d90bdf97b8ec11e735108a1c60d2cabc468c63cf12
SHA512 c4dabe8324cf5d1efdc8f5b87a0d1e7bd07c448dc076107ee1f0710e20cbdae26f83b9f2031028a9160343a952da67c9c03eaccb0009f22aec274aff88123dd8

memory/2624-33-0x0000000140000000-0x000000014017D000-memory.dmp

memory/2624-35-0x0000000000A70000-0x0000000000AD0000-memory.dmp

memory/2624-41-0x0000000000A70000-0x0000000000AD0000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 2fd6eac895146f7d8af9d75fa25a2b15
SHA1 1255954c25f5dfef08ed6cc44cfd60aa43280de6
SHA256 3d8dde02b8f6046c4599b5cdf33992237e38b04ea6c96a03781c1ab65d43b0a6
SHA512 ea0ab2d264909052a635d96058029748a09f913615b6515a8b9f0d62a8e4adf4be35d7f71a4dbf4a1b9272f231b46b6991a84e3bdbf7f669d1d05eb946327bd6

memory/2672-45-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2672-46-0x0000000000230000-0x0000000000297000-memory.dmp

memory/2672-51-0x0000000000230000-0x0000000000297000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 febd2f4f4f9815e9ed0bcff8226b8109
SHA1 1675c3d7817c338ad2a4984acad332b319a3670a
SHA256 4b7f5c9695d3c84f1e912fca626f9f01e5ef2d150f05532e9106dd7598d2333f
SHA512 66dbd8ab17cc7d8faed42eee0685a5859379743293d67d8895ac5db2d43e87644fecd7320615b3e7fee4722687590cc0f50763fa7153364ab0c3f8804ee827c6

memory/2432-66-0x0000000140000000-0x000000014018E000-memory.dmp

memory/2432-64-0x00000000005E0000-0x0000000000640000-memory.dmp

memory/2432-58-0x00000000005E0000-0x0000000000640000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 608a93d67db00c5a559234fd7216645d
SHA1 24f7d4e87167f77f43e7fb20fb1adfe4db72d2ad
SHA256 f0622179358171c369f3618a349c198bfcbc3bc1a736cb2195d7824572b43e7e
SHA512 9abed71235e86205210005ac5a0d1cbba8f4b70f48ca7ec3904776f0ee3d5cd4668d633618b1644e33b3afd4013e446956b88107e861bb89218e882407d89242

memory/1884-82-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1884-74-0x00000000001F0000-0x0000000000250000-memory.dmp

memory/1884-80-0x00000000001F0000-0x0000000000250000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 c6103a17e36a4e009c607dc4650e8de7
SHA1 b252b686110a5110d869cfa659247f8234b471ac
SHA256 aeba7369387cb533f6f8e22f4ab096af54fd9c5dcc127e8cb7fa3f5cb1596e19
SHA512 7c5af802fb2a262baa8c218db5f7c9c977eb8ffd4f6ab4c456249e997d53e393850b7cfc99852f1cbc6add4f5ac4c9cd22e0dc11793221ef19b49ff2538b9a55

memory/2680-90-0x0000000000230000-0x0000000000297000-memory.dmp

memory/2680-93-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 71d1e2e681562bff4587fa2db39200dc
SHA1 096c5283b35f2b7b4a2b8d9deb8ad075e9363ae0
SHA256 520b9f7e2e8670e703c75dca5ddf1bf652fc64a759875bfe58ccd1fe73aa4a82
SHA512 4690f308b7931d7519765d1632ac336d8c782761283ffaf59b0b139544b50ca46088cb5d39b8d7235288432e7d7629ff0088b1eb20f3866225f7ad98f27492f2

memory/2236-95-0x00000000008E0000-0x0000000000940000-memory.dmp

memory/2236-101-0x00000000008E0000-0x0000000000940000-memory.dmp

memory/2236-103-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1796-108-0x00000000002B0000-0x0000000000317000-memory.dmp

memory/2980-107-0x0000000100000000-0x0000000100184000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 6829c3109cfa134b3e66799864296043
SHA1 71bc7a7ffde840a1950cb8bed4a12232a2d19d42
SHA256 89c79c01ebf71e3c186761f86b3700008c778066ea2111a094555463e11ea436
SHA512 22a91f0754afbcd9b78b3408f2114865df84f0476a485d0e3826e98811d30412763ae2cfe82eebea1dba53ecf34ddf82a1bfcdf57b04f752cf54d237ac4611ae

memory/2236-118-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1796-115-0x000000002E000000-0x000000002E195000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 5661d948e404be2ee9d78b5ea3ce6d6a
SHA1 20ae82190700edf8b6e02df1edddfe8a7f7bfca6
SHA256 88799517386079ffa0290fc109c9ada54cb673dfcdef0226fc7776955f26f0de
SHA512 b903cb4f1c990ee770c7226c44d7614881d8981a6b3f3005837b9526d283f294f345781633bb6669aaac91c766fcd9d9420145cab081cf7c4e8872d561761df5

memory/1624-129-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2624-178-0x0000000140000000-0x000000014017D000-memory.dmp

memory/836-225-0x0000000140000000-0x000000014018E000-memory.dmp

memory/2672-226-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2924-236-0x0000000140000000-0x000000014018E000-memory.dmp

memory/836-239-0x0000000140000000-0x000000014018E000-memory.dmp

memory/2924-246-0x0000000140000000-0x000000014018E000-memory.dmp

memory/2888-276-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2432-274-0x0000000140000000-0x000000014018E000-memory.dmp

memory/1884-292-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2492-296-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2888-298-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2492-309-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2408-311-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2680-310-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/1040-330-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1796-329-0x000000002E000000-0x000000002E195000-memory.dmp

memory/2408-332-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2088-344-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1624-343-0x0000000100000000-0x0000000100542000-memory.dmp

memory/1040-347-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1104-366-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2088-367-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1104-387-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1656-392-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2032-404-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1656-409-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2756-429-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2440-439-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2460-433-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2560-450-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2440-454-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2560-459-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2584-477-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2528-488-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1284-489-0x0000000003CC0000-0x0000000003D7A000-memory.dmp

memory/948-500-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1284-501-0x0000000000400000-0x0000000000588000-memory.dmp

memory/948-506-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2996-524-0x0000000000400000-0x0000000000588000-memory.dmp

memory/240-525-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1088-536-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2996-537-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1616-548-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1088-549-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1616-555-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2308-563-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2308-574-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2696-584-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1612-588-0x0000000000400000-0x0000000000588000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 10e13df03ca02ca705e1c0af7ac318d0
SHA1 73d0a5f63494f54e370a6a3daf0e3a7ad465c5ad
SHA256 215d7494df03b70668fcbbbf4590ad4d93f2bf50b1af8c96f2dd24d3a66bbb6c
SHA512 7af7b96d5b258ada389ae9287ca751b7627fc3762f48c4adaf1f810fbb1a151fb768f8d3f8971a1c01c3dcf69e2577c8b856c806ec14c76f4fdb642e01b39145

memory/1232-605-0x0000000010000000-0x000000001017F000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 a4594cac8c5f8dc8a8825b8eedc5ff0c
SHA1 032ef4ea63a0e5c174b9a2f2cd2c8026fd1a242d
SHA256 3076e35048a6261a58068d10ccb16cea19238a8fef9292cc8cee27efc4862d42
SHA512 492d11f9d88eb41566c200158a223473f34cc8ad398ce01ae90114ba10647fb4dc7f59f3a1754f10f0fcdb531b1561ef1eada56b7a52680bee6b22e910716719

memory/2408-620-0x0000000010000000-0x0000000010187000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 79e7cf1dd3e2576fda72bd36703ee60c
SHA1 496acaf37e27fa1066790f93ba4a4b7875585f6f
SHA256 14d3135829ee2fb4d757ae439a6eb69a3ab0928f5b0874ec3e1bf64b4d253db8
SHA512 4c32c869b22c36ea5b0c55e20da87121341bd069ee885d1bb33e9527bb4b7d2c480f0070cd21efb1fc7bdfc3614040ae3830a3b21d5783c767dc083ce095fba8

\Windows\System32\dllhost.exe

MD5 ed18a2f7188e77684a7be6954bfbf176
SHA1 0dcb67ff0bf89e3df0aedc6a01f539d214132cb8
SHA256 e89aff74277d0918ad6996e92438a7450544c1303fb9879c26b8b20e1a9a276f
SHA512 58f4abf8f2b2cca53d75b642db5012e650002ea070b92b8adee68480a394ac515a9e411f7c6a6fc295dd353799af185b46fcaa27ed768922e155dda3aedd3df7

memory/1372-640-0x0000000100000000-0x0000000100175000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 5a74eb9c6696713a0314f1c597a5f5b3
SHA1 f5bb05c98ffe1a6f2ef4de2ffa87d14555105b4b
SHA256 4446a7c41fec860787883af908014a8c0aa7bf3ec7cac1d2c6f0f922642bc9fd
SHA512 b0b906928624a4af7b14d0931b8f8ab13e2c08af825513eb8182ca97deffe04768daa9ae30746756b40c552f597f30c6d3ef42a7614fb0ee65e0bb0c67754458

memory/1232-644-0x0000000010000000-0x000000001017F000-memory.dmp

memory/2408-647-0x0000000010000000-0x0000000010187000-memory.dmp

C:\Windows\ehome\ehrecvr.exe

MD5 204750f5943e40be234ae61bffa9249c
SHA1 de02520044fb11c42c5a869dec1b4f8cf828a1a2
SHA256 25265de0d039c876bdb0aa5f7935cdaaabbcdff77436198d1f06cb1e91784393
SHA512 62e8ef6c534e34b8fc6b8e240c0b58f27fe6c26152614910365dc53fcfc931a9a5a94760e0dc53f2a8b6118b7c83e5d3a3bf3b1ee06cac82c6985591e45477b6

memory/400-656-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Windows\ehome\ehsched.exe

MD5 c1710b55743ad9f2eaae405264fda3f9
SHA1 67cc4c3c7143f41308fa4d339757dddaaa49cdd6
SHA256 99a2f9fe0f53ae2ca0072b296d4b4f0e29743a5f678917b01668cc6f09c90a82
SHA512 3112bc0c2bfa8a6e4fab8eaa14e50bfddca206dc7b04305204e99c09302062d53104d36433ae5a8b41556448b0c82da20a146775d5aa249e9071fb0ea64e753e

memory/2996-663-0x0000000140000000-0x0000000140192000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 ab962162961adf641f97e8835f2c8240
SHA1 dfd511d9d81ab0a6d5cfe5902ce7a45d157c477e
SHA256 72f91a11856c85dac8443ae25e992fc1356e9fc006492a720e7a7ff6fea124e2
SHA512 cadb1d6d74d082e0827140f83efa4f187cb91e382d972687a44f9fee59af7751c7acc3068107b069aa689f5b37a9bbfc9664c8c58c9fc00ccbd59f99c13d6d44

memory/1356-688-0x0000000140000000-0x000000014018E000-memory.dmp

\Windows\System32\msdtc.exe

MD5 3977bf842c5a15f8a734ec21e9caf0f5
SHA1 dfe7570d37d8c9d85c0228c2707cf002abed8868
SHA256 13c52f3e79ff455d59f8bc0d91d07b8abb447d1eb716a027a1abb5b79a52e091
SHA512 6b5fb99961c85d94be3753591f4c96ae3876a27720d6314a5874eacce5e3b0ff0a70deddea03d5547b42c528f96ed25dd5784feb531c853279b53c1d86438843

memory/2284-697-0x0000000140000000-0x0000000140196000-memory.dmp

C:\Windows\System32\msiexec.exe

MD5 fb89d380bb41f05ecbf4a96197df95e4
SHA1 8608385d638525bb4ee4a4898dc72c1d75c7595d
SHA256 cf6a6df4ca20bc646a77e90d0741324564461f0d139c0e33ddaf9538d8123d06
SHA512 2873734e33f480fdeaae927544a8664a34ee2723875100762e1f0c4fb4a0dd755cd1e1a0ae3421d7837ebbb34e406a8748d57f9b0af23cfab450f69fb9d566b6

memory/2924-704-0x0000000100000000-0x0000000100192000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 dda1a87c80f5d07cb179701691dde610
SHA1 a1524ce77e54b1f736038a914a2ac3eaca896e59
SHA256 b3dfa69849517b5f50b63a96235f59d3a426090178f54823016dac7dabb1da71
SHA512 fbc2294845b7c76f7fc1eabb55eded892fb8d11f1563a44982c1a3601f020c4f1cb46ebf8d31bae4b64c5151badcfc96dd75972da5f29cce1e61351778b3fa61

\Windows\System32\Locator.exe

MD5 c5574d5b80f5234d197be68240bd941e
SHA1 c00697811f06d884f410fc2cdcedd2132eb486c0
SHA256 277ea409c250006f6fb72cabf30a8b15975df48bec310bc55602ac84cd74c60d
SHA512 2f8d71d2c88f2f43123d79c03b26929aa3f99792b6a1795a9670e7570d86c4a32be8b5467b187209b9e0e39e34be4c2acf0a990ffbb0bcb2c57440e9000bb08e

\Windows\System32\snmptrap.exe

MD5 53566bae4c274bf0d6b26b0a8a4265b4
SHA1 89c040b7d6e92a4222d65560a3767e1f349c1470
SHA256 1c719056a569d5937f01efaca267a347f788178cefe5b2cddb14ce3573dd9250
SHA512 e63b4f25220185e80b12396ab88d2ed150928e7399cafd7d0f57070feaaa41593a06bcef0574ad62a2cc793525fdb4084f6a5a14db33ca5828c89e031f9a125c

C:\Windows\System32\vds.exe

MD5 dbcbc873a5c7d974fa444a3b13ad7810
SHA1 faae829ed6d18a42b68686f0b22e310bf26bd83f
SHA256 a2414e934aa356339a07f2c5afc0c96898c261e05e7a6fa9ab597bbfe1d2b811
SHA512 76136d2b721502c2332c0093c88f0a859d6877097f13bbaa1b925309ced078f344b98b291f6348adb62f17721ade9e68af93957b00b98160314373c04b447eb8

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 e4e8bd22f7cb41cb482ed6d096f5454a
SHA1 fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA256 4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512 a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

memory/2328-934-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

memory/2328-935-0x00000000018C0000-0x00000000018CC000-memory.dmp

memory/2328-936-0x0000000001970000-0x00000000019B8000-memory.dmp

memory/2328-937-0x00000000019C0000-0x00000000019D6000-memory.dmp

memory/2024-949-0x000000001A950000-0x000000001A95E000-memory.dmp

memory/2024-950-0x000000001ACB0000-0x000000001ACBC000-memory.dmp

memory/2024-952-0x000000001AD10000-0x000000001AD26000-memory.dmp

memory/2024-951-0x000000001ACC0000-0x000000001AD08000-memory.dmp

memory/2024-954-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

memory/2024-955-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

MD5 5180107f98e16bdca63e67e7e3169d22
SHA1 dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256 d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

memory/1708-973-0x0000000001980000-0x0000000001998000-memory.dmp

memory/1708-974-0x0000000001B60000-0x0000000001B6E000-memory.dmp

memory/1708-975-0x000000001AD60000-0x000000001AD7A000-memory.dmp

memory/1708-976-0x000000001AD80000-0x000000001AD9E000-memory.dmp

memory/2856-988-0x00000000019A0000-0x00000000019B8000-memory.dmp

memory/2856-993-0x000000001AD60000-0x000000001AD7A000-memory.dmp

memory/2856-992-0x000000001AD10000-0x000000001AD58000-memory.dmp

memory/2856-991-0x000000001ACF0000-0x000000001AD06000-memory.dmp

memory/2856-990-0x000000001ACE0000-0x000000001ACEE000-memory.dmp

memory/2856-989-0x0000000001A00000-0x0000000001A0C000-memory.dmp

memory/2856-994-0x000000001B250000-0x000000001B26E000-memory.dmp

memory/2856-999-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

MD5 5fd34a21f44ccbeda1bf502aa162a96a
SHA1 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

MD5 5b46f902ff5767959c40395a89ebab38
SHA1 2ee515c4b11f9ad786616d24f0ef207c33c000a4
SHA256 b83f0c6a4465c822d1011601cc9e96d5ebebe8ed1d2683c034b3eb615ea72ccf
SHA512 679d3bc3f6ec96e31cde02eb47bb22b1eebb088a98bb16f4acefcf957975aa1abb775c5d0a0f0e52b0a0a426414d605d31974eadd933e567557b5adadbde25da

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

MD5 3d6987fc36386537669f2450761cdd9d
SHA1 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

MD5 a8b651d9ae89d5e790ab8357edebbffe
SHA1 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512 b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

MD5 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1 f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256 c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512 c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

MD5 ed5c3f3402e320a8b4c6a33245a687d1
SHA1 4da11c966616583a817e98f7ee6fce6cde381dae
SHA256 b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512 d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

MD5 9d9305a1998234e5a8f7047e1d8c0efe
SHA1 ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 dd1dfa421035fdfb6fd96d301a8c3d96
SHA1 d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256 f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 57b601497b76f8cd4f0486d8c8bf918e
SHA1 da797c446d4ca5a328f6322219f14efe90a5be54
SHA256 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 68c51bcdc03e97a119431061273f045a
SHA1 6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512 d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

MD5 0a41e63195a60814fe770be368b4992f
SHA1 d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA256 4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA512 1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 2eeeff61d87428ae7a2e651822adfdc4
SHA1 66f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA256 37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512 cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6bbdc6d725b803074062afc8399682a5\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 d95816566ebb1d893cde289a63c822d6
SHA1 f5ab5e4c5a69f0d11c06ae3de4f224aafbec45fb
SHA256 d021c5ac81018dc9ed9ef49c8d55ca16a2e6979c6b3209cac874314c08c31503
SHA512 e3b658d516082b174828c471d762d914fea03e8340d6b0b25dd1bf1e387e2db0cc677e88861b4f635f909247106663f9d17e5bdf08b6c749ebfd90a6c905238e

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ac189ca1e341ec6ba475dc0f493db2b8\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 6585731df93b6de9916d84343f93e95b
SHA1 20d41e7edc56f35955389d5c1949e30aecf9a0e7
SHA256 f95a763ecc664b9ce40ef78a696d8c60b8d09310113109fb1e3e1ab11b19c7cb
SHA512 7a7486e541188f52920ad1e39bc836a4036275e8680bbeaa1acc0b77fea139cccf629b05c4a1e7907a93836ac07c5499584990257cdf04f1ea10949629bfc46a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\8d66a175baea8643cadeae11cad99b73\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 155ca9b984a25959301acdb67fb55f2e
SHA1 1c178d1da461fb06f020b9ef65f97f770d6e56d4
SHA256 6ae7c6a6b09fe3194f51ef5d7773b372a459970f916d1b4bd140541670034e0a
SHA512 755f4236db28cf5ddc3666ccee4d226c2d1d84e46d5c36402ac17f8fd86b43347ea5b21e2ec086a2d4f77c52a6e691af1931f894118b774bfcce4cd2ec509293

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5bb18fc3a9dea82b3e9710a0108508a8\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 df03b9ee15a8d69501dd89f3582b6672
SHA1 1c0a78d33899b478652ddcb8be3d41c539434a07
SHA256 09738ea535fe7623735822016df7ee7f319599d121f160cd1ac704ba3f74d0b6
SHA512 f8e7759b62330c4c1b43dd3069c8a5275a1896a96242f4dec84dbd8f5586b5ece54fc72945825e6de12cb8805a607ee402bda3ac7a5f657ac77a92432e6a378b

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

MD5 10b5a285eafccdd35390bb49861657e7
SHA1 62c05a4380e68418463529298058f3d2de19660d
SHA256 5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA512 19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

MD5 1f394b5ca6924de6d9dbfb0e90ea50ef
SHA1 4e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA256 9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512 e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

MD5 929653b5b019b4555b25d55e6bf9987b
SHA1 993844805819ee445ff8136ee38c1aee70de3180
SHA256 2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512 effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

MD5 d9c0055c0c93a681947027f5282d5dcd
SHA1 9bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256 dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA512 5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 10:33

Reported

2024-05-15 10:35

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\c6f9698892be0f3e.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c75c884b3a6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0b1a484b3a6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af61b584b3a6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ead5e984b3a6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c75c884b3a6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005e9fc84b3a6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2d22785b3a6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 34.41.229.245:80 pywolwnvd.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
KZ 176.108.93.0:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
KZ 176.108.93.0:80 tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 23.154.80.54.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.168.225.46:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 udp
US 34.67.9.172:80 tcp
US 8.8.8.8:53 udp
ID 34.128.82.12:80 tcp

Files

memory/4776-0-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4776-1-0x00000000022D0000-0x0000000002337000-memory.dmp

memory/4776-6-0x00000000022D0000-0x0000000002337000-memory.dmp

C:\Windows\System32\alg.exe

MD5 8fd34c521b8435729495f842ec2557e3
SHA1 7b3bfbfb0e19347c42f0fe98e24ff6d5f6a10a83
SHA256 03dc85c6cfed9ef29bd1dddc05baf0c2249ff9a9faebe034db65e62fb062b58f
SHA512 9e710d199bea858db89243a2dd0e2fb8c0506472fc97848e97636d33e272e5f25ade43ec9e2cbc796e0dc6c29d0e384d109f766f3ba0110ac6c6aa25ff6add3d

memory/4776-17-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4076-18-0x0000000000500000-0x0000000000560000-memory.dmp

memory/4076-27-0x0000000000500000-0x0000000000560000-memory.dmp

memory/4076-26-0x0000000140000000-0x000000014018A000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 fcf45e1c882670dd2e78e5da77b93692
SHA1 1d38b61231f79e2fe1731a3f0ad9ca71690eacb2
SHA256 737887d659b44eb8edb0960a277aad287668ad5e5d3ac89d0cd686d96261fa77
SHA512 621c7fe893c028644f84f27bc55bd9e4c5f8a75febf9ad2b4d4a546b2fa4a773905b0ede6816bdb2f6dd927e343b79c70f9145d0e840b4f27b9ec0e85ade5bf0

memory/5968-31-0x0000000000540000-0x00000000005A0000-memory.dmp

memory/5968-40-0x0000000000540000-0x00000000005A0000-memory.dmp

memory/5968-39-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 24805374e5452e9106d158dc1e51dc55
SHA1 a778740d5c495b5cfe16e05457df6e4ea0ee7d91
SHA256 92589680d89e3f6c61f63324e887a5d730591fef985eb19ac90355dc9eb9c1a5
SHA512 3b5058eef541a64909d7e447349f974d1ebab7d89da4293846c117c79018f52e1b3d72a11633d38799281bbb31c96b542b960bc18cbc20f439ba1fac9fc11335

memory/3732-43-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3732-52-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3732-51-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 81e4aeb28a48338b16d36341938cdeb2
SHA1 0bd3e831bdf20329ff3244f72cdaf74e8a393f66
SHA256 95e64afa22f810e4f55c80974b673e9165799ae9230edac9aa4d760258e02dc7
SHA512 c02413734217b38810eb58987a64bb9c644bea6a3febd355c3fc1d9d2c09eb10022229fbc9fe7da4d8ec4231cb2183b37b1d688f1f377c9c0461172098552ba9

memory/960-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/960-63-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/960-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/960-66-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/960-67-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 5367fb86dabc9c644036b850f86dbede
SHA1 a43d1ebc5ae3c2a3625c3efcb318bab8f845d886
SHA256 d313dedca79fd24cff2dde21e6ed3c3eeb55a51ef5f748b9abc7a11d21c92417
SHA512 7b1d0b3a7bb9342dbb2ad977ab623b10fb4a7ed2ccb97c1c1625dd69ce3cfdf95b2bc727d6b0bed219595c69df35baeb6381227d8c60c079bd18a4887ba155c3

memory/4688-70-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/4688-77-0x0000000000800000-0x0000000000860000-memory.dmp

memory/4688-71-0x0000000000800000-0x0000000000860000-memory.dmp

memory/4076-237-0x0000000140000000-0x000000014018A000-memory.dmp

memory/5968-238-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3732-241-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4688-242-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 cdd3655a1be1d6fb42b306d8d4e1e50c
SHA1 30ab03b9546193f23835eb68328db565a6fa4acd
SHA256 36e083d06d6d36168753d8baff2438d4da2a2da25c6d77b589503fc4a7d72f86
SHA512 afff697bf28301f56c37d0afb95d2b562f847c28054f43acc34b2473f28e3bab42250e794efb1aea032031f5eaf22109bb1788b15d669d9a047b275b1892218b

memory/3832-247-0x0000000140000000-0x0000000140189000-memory.dmp

memory/3832-248-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/3832-254-0x00000000006C0000-0x0000000000720000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 3ac5174d41ead2294a427a0e9e739c67
SHA1 4f440ca4c8ff3ec0cdcad24fb24646eab9e4a2d1
SHA256 36d870246e75e970861b672f97201a5cae7ebda592054285f2fd366d1be83ba7
SHA512 3398ef0bd0028978e6a31d271f43d3bf875c2d8fde49b6fe94ef209f6130b4ba7aaabe4e846cd306a521540e46b28d7dde98bf481faca611bd9ab2701d255932

memory/5240-258-0x0000000140000000-0x0000000140135000-memory.dmp

memory/5240-259-0x0000000000EB0000-0x0000000000F10000-memory.dmp

memory/5240-271-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 6acb4e3ed022f89b6bbe7967a0d0ee43
SHA1 b6c40619392cc473d82410e50b453aea944e15b1
SHA256 b0b1f267af2ef26c4a4e0d64550f78186e062615f47409123ab961679176f1fd
SHA512 ff173945f172d1ccc5626f70ed226a78771882c3e1fbaf2a9d8aaade7485952834536993ffc3b9fb388861a25829ba717da98be9402ca27715db40e3d3bdf4b1

memory/2520-273-0x0000000140000000-0x0000000140199000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 9c4173cc3b5ff45deaa40e502dfa6d77
SHA1 c917c0d317195dc00261943247bd3fe474185581
SHA256 502f03e7cb81e25ad631112f8428265511bd17949980c37f5030955a706d186f
SHA512 4f7aef98968cda8a81e6780437e5676746f03c6be46b590eee96d817e0432f3de8395a9d298ef07702507abd8256586639c44e6dc1a0f1aecd11228b115af94e

memory/2376-288-0x0000000140000000-0x000000014018B000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 697804019944f637af1a771636311218
SHA1 eb00aa95da9985196bcacb165a5ce18fa5aa27b3
SHA256 85f1d4b03991d3e01ce88410c602db283c2bb1cb24c92b6d4faeddc5a6e56488
SHA512 a78ce4f4e637992d08f12e075b4d5666b4607fd3e3433495e5a687006305b68f33d6b480749f7f0cae875b5417a5fe23e9d7fe470db9c77294f0f72e652c374b

memory/4780-299-0x0000000000400000-0x0000000000577000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 0196ffe0e3135587d46571b0e717ef79
SHA1 6b60e196e39e29798e976d41418a0e16d25a3475
SHA256 d0fd828b16f5ccb98255bbc9838d63e90265dc3811288104ef7f11e5a1ee6fb2
SHA512 def702c3c0f90286d81cb7ab53f5e7d2d7347018f4e210c9630c5949da492ee60f3e68ccf0a6192253843333abf2fc4a35c22cf44233f7daf24f930b7c15bb23

memory/4132-302-0x0000000140000000-0x0000000140175000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 625bdb126ab413da1ef84a8df8a9c36c
SHA1 58579dd71b7d017fc80f9fb660cdee7069e87315
SHA256 5edd7d28edbed218ec17d26c75b3b40f8afebdf778e2a0b70f9ebc270ad131ac
SHA512 5f3a90daf6b00b05e05be8cd092254eb160938a2485ab94543a845d39c7e3c748a32b30cddc372f5d9775bc99c855002abed289b343c5bee215ed2057631ddee

memory/2104-322-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 7d8d7728a376d216c1673f1c599204b2
SHA1 6171c8a292b7805255cd4df742e05d62189ef261
SHA256 2791ffd162b74aa21fc5f83b5df6d36b25ecb87f9eb1cd4f649a7ec61e1dd9c1
SHA512 44c79eabdb1b5eedeb566abe00741ae9cb38b731338c73e54875fc92d4a1b4dd88c9064be56ac5c1fbc2fc5bbca981b5383364d74c804886432fc0377fe8b311

memory/5800-333-0x0000000140000000-0x0000000140176000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 9470850ee29d69175fb0fa60ae3da9d6
SHA1 bd63b1124fcbd3a93ee0c3b21254db9834dd8326
SHA256 4c96c1cce8df5fcca335511c0199b704f2586b2b0f87f3965d54934650c891fe
SHA512 3f541c330cc138dbd515fa8f572ded409bddc39e749167fe9b0911fa5dc1bcb6ce38bf43659e122735d940edf2a43a75433617f4c8ea803c3a2d3e5dface41af

memory/2176-336-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 f60826683b9de81eb38b31fefda6c23d
SHA1 759b697aa35f1f3db448edaf0ca102a14e284f1d
SHA256 8d706fd6f439d828bcc645f4592d85eec59ff778d4fbcf2689271f74db93a593
SHA512 7be781d5600e680dbc6c7b5438cc060dffa09297ab483ccd8053663b0ae3d4398c626ab0e4545dbf6d94619fe7433c27ec2c6da33b004b131918b583fdab6957

memory/736-348-0x0000000140000000-0x00000001401E2000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 8b474563a7b3fec62b9cbaed854b5e71
SHA1 3a6166141b1349d3e108e6babdc85bd5a0ca8c34
SHA256 cc57e15600c136d9e1ed33e31142050f5a846bdc9a4569bb00433a4d0ab2f4f0
SHA512 6a18abc82bce7025d810ecf3c0f56966f6f2aad771bad209307b9e1bfe12e68c92db5ea439ec2e7544f6843a24c63d64ff4ebeb11dfa4f629e19dd70822d102c

memory/3832-367-0x0000000140000000-0x0000000140189000-memory.dmp

memory/3228-368-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 ac52f1b912c68c83c81b7b4aa8bab57e
SHA1 44f7e91cee8fdc85706c8c89a9e8d25059f57db6
SHA256 fbf837b73a82853c679458538319c289f0c9a1056dcd61f4d521879f4424ce89
SHA512 7cf645206a902783f99eca6cec81a02f01af6efb5d66110c2d7c7aba0029e15966e57be44f40a1744976df44c40be194e8453c71ffd61d45304e086bbd6c0c10

memory/5044-379-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/5044-383-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 8a76e1a1bf98a31bce32e346e9e89420
SHA1 2b3dc2f0d91201492324a01c9d38687da25863d5
SHA256 9680681180976987a73de0255a4dd3a451321369ba48af8d9deb62672c5e14cc
SHA512 d35d113f013190fcdede4bf4e2a2af6bc64172527e7e92ba5f114dd09257d0f9a29b54888863cece4bc6d1dfee3275034328960fbd16a7d066adb6e1199dd09b

memory/4552-386-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2520-385-0x0000000140000000-0x0000000140199000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 5a6a5b6d52e0c8fe2dbc4792056bd4f7
SHA1 2f6bf84aeab626752218f0f9935e3987d63cd5c1
SHA256 c803f355e3bebd41ccf46984426b280c222a0cfd72b7f6e4c862512c2a10c9fc
SHA512 b0a16ed2bdee6ca01b425b46a248739f0d6918a90e36e001903ee5cea974dda5e5b1915b0809dcf334bbc436a851e76c61ad895bb0f199e5ca974a8f7b7b43d3

memory/2928-398-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/2376-397-0x0000000140000000-0x000000014018B000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 2d55314e41e824d6fd9263516e0a2777
SHA1 6debf36b259324e9c572aa864471e2ffef6b23c5
SHA256 11331fd37a5886526352f92bea4fec9d89136b1650c426a3231920371ce088b5
SHA512 f4efd43fe9204bc9db7fd432edf643772602f011e306061ef8ef12dbad9dfa0a3db1b206b0520c7233aaca5017a5c48bf9777e7a0a0aefb4aa65775022616988

memory/4780-409-0x0000000000400000-0x0000000000577000-memory.dmp

memory/2368-418-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 cdafb0accd7d589f238a2a45671307bd
SHA1 42cfb4f33c8d95b257cd49621423d938ea3104b1
SHA256 3915c7863c81e93ff860b276659507b5f6e4af2e44ad7ade6e1a03b0ddd6f681
SHA512 3eb1c4a65e29329304099658fb4ba176d5b3ca3b793cdae39edeb62562a436db800882f4b6098aa7a7d3f32957a5e4e45ee4f006bb69ad25f8aaa60c728067d2

memory/2112-422-0x0000000140000000-0x00000001401A6000-memory.dmp

memory/4132-421-0x0000000140000000-0x0000000140175000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 9351f7ed53338d49190ce1e23d8222c6
SHA1 0c8aa8fc07b082de5f749eed2cb1a620081a7aea
SHA256 fdb45bc401983d4fff270d29e611cd1414ae0a43c68dab81cb409a4337236f30
SHA512 09d41a5313991ddf60d3db5009a6dec61b0ac295c585a80313b5ccca9a698c7c1057f4f32457a8727bdea6d3afe9dfd6c252d56bc846db93e4eff9114bc090d2

memory/1740-435-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2104-434-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 6c056ca79b5caaeb7be79bb772ef95c8
SHA1 9e48de58de1b875821043c22000cac37d0ff39b2
SHA256 fb12704bbb84cb9a754fe5361a4601b16c2d123ee667e480754a99bd65f7849a
SHA512 77156879a7efa4441aa469b313aedcce5819253226c50b3f2c317affad56d5148b55233538b02335fecf8b3cfa22ad63fad83d9aae9792bdceaae845a7961d86

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 cbcead92efada181894d9c5638ca4adb
SHA1 630140cd8c42ff67a036b47baaff217e16bef170
SHA256 5e49b0501422f8c11c5b581dc5d530ddf838353c77824adcafdb8ef8312c3c27
SHA512 228bf61506955cf9de7de470b370e056f33276ec58cba9421f31f1d8f0462356e57daeb543c3039e876d017d5bf1f89630da033e91f90e187a8c45664d9c5327

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 22ef18ee22f8f79c120c91918e637e95
SHA1 0aa4805991d80a6fae2fc7debe79b26c5e82f119
SHA256 f35fd651ba2b9755de48c31020972fb0ef9734fce67f345101a10682575530fc
SHA512 dd59e89524e0434c6c7fdcd08c480d3acb2ecee1a079a02193d67b0faa6b5700a9cb56c2e54ab9c570bc6a44a83aa22487ced6c3f44dae980b4c682820aeb41a

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

MD5 e0a3f6719bace1d19495df23b8233ea4
SHA1 2597e92c4f147f3ecc40f84466cf8059541d21ee
SHA256 e88fceae8c35eb1ac08d9c0c7509cab40ab182deed2a7686833e8d8f173feb00
SHA512 edae3ba16020cb505bd7e2df4a9429e6e0544921b71084d6d21d3b350f00c3325b8a7783586235e8344c22ed9cc97070df1f10136753e969771cc3a405f83529

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 5c6428dbc49a13efd60eadb987a2651b
SHA1 f27750a08faba88e02e84dcf1256f871f82f71c1
SHA256 6ce124f6e1a0c1307fde4a0787d1a5a77954e534586becf6f88806c91472a15e
SHA512 57528c779144a6e06ef7e1c3e9794a3b8276e624b4eb39a34a44228cea93200ad850402550fd73738cb9cdc26a54e7b8b6bc494a581489a6d0e572206b924f33

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 d9c0d5cdd5ba9bf3402a5c351da5e17c
SHA1 f9fba8d0987c83605cb63c73e5c369efa05d8a37
SHA256 80d4adbb5401eb5bd2620e896e118816f11e1e6b32bf75001baa056e5d1ac00a
SHA512 9d75dd09328354508875e05958d3d5af639693c514063ae32e31accba495155856041bb323c5579c4f2b45d4d1faf4c7fdbec396dcd621a7f701d17e4c3d2112

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 b5f063670a8369dff6b5fd6a50be7ec3
SHA1 4966e083ea04f2a116621db6030ab85c9fc8fc58
SHA256 8466e4eea30fd656052921d174ac41ad2dfdca14e6c8e68e7c79ff4b2487a92d
SHA512 9f161a94b8701b7eea9a1be1fdac1dd113f78cb3f2fbc25b7746b49fae7179b6ce274170587160809deddcfbb28e2e89d50914f4023b7b55705fe3023593f018

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 7e80e15902ef499ed112c22a03bb4c6b
SHA1 30364713fc190d8af8fc24ff8c4ec9ab5e5f3369
SHA256 70a3b30d6e0bcbde46154c16403e14b1c889b7e7103632d13ece1b3511c4a650
SHA512 059af7e19839094365ff55758beb9be132eddb7af345b8d911e8655ce1be2adf469d900366192292e08e8061c3a52602defe30dc954a3a3eabbf65848310e57a

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 11122717688ef00236fc3a83ff60860b
SHA1 eeb748343de71af90cb710761fa9d475aaf038a8
SHA256 aaf209ff7df246d97bc7f9274ef721bde9a62a366ac1a8deb2f7b005de1b5705
SHA512 95fd577bc915f34b85ddbadbf57727e504af6b41756ba5e67930b36eefa2bae55ac6b78348056d402a9b5692846b5f48c6f41f8159e82c9e9598d243d55d651f

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 c77069db9fa35061d670347b52a5c9b2
SHA1 e22c87787db349ce405adb63ca858c5cc89948f0
SHA256 e93d881262b8ffa836c28daf27cab9787503a7777b3e2493b133a4179d1039b9
SHA512 14904ab900c898b5e04f8d15d9a5fdcef261190e8f804ad2fdaa570c90bb401e49062cd8b721b4579cfee354485c07cb795f70ea1f3a75fe62df007a7415fa0b

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 761fd0530d7ead74565c9443fb367c47
SHA1 e4556caf301e76ae24d2c90472e25dbb7ee40a72
SHA256 a589165706955d506adb8100c5b1ec62637b90f2b189155f408cb3ee996bc20e
SHA512 405f2b1673e68d656f56abea39937e51baa1c01966a44709cdc765be53b2c7e3b3843f0e3d0964755f86f7444347d4cea07141cee58274665403ff9483a33362

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 d97b09ab403e521ea6b4b8ee265a205a
SHA1 bbe0918ff7c9f9cca50a02fc3f45cd81993c7b8c
SHA256 cbca8fe9d7c0745e075fef57512e02b77e94b8c56f4255aa3757e0c1e2d42f6f
SHA512 56dbfb33a6739a98fd180278d877fe984303e0e5bd28f0f98c2b3391c7ce14b0babecec1fb7bf92fb6b5d5766ec93385c8632b177eef806265ffdf3d78ec8cbf

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 3c2ad556d9cabd72055a36a58dae6ac8
SHA1 96cb48655a9f5c1efc701f2201cc218f6fe511c0
SHA256 2874051a199269b4cd42e41395ec03317fd57aaf988b9dba2bf57439b642ba7d
SHA512 035627a058c3239839ff3bec4f7127d810f6cf9324e1a3ee137a20f7d10c2c21496c0810faa2dc22ee32c0346c3adb2e4c877a38b45347cc5fa6786cc9031531

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 af105b0674a5e23a35b9b4a6745d3b61
SHA1 a9506a87f880d888b2380be195d23a940a2fb403
SHA256 e64d96520bb255ef9bd0be31bed4db94e9d1c52a2de8be7171547b9b5daee25e
SHA512 3fc37040be37c2aa3372b323f3ee298b14a71b2fa4303295609a6cb5d71306d614fb37455245d73eca526b5894a6464135dccba3d41d8938f0d73744ec721893

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 ee690fed4468804789e204c7c8c5d8d5
SHA1 1ecb5b92533e44c1126db951f5dd263bfbb3b59d
SHA256 32b77f44b32854bd2dfbe68e441c971f14647cfadcbd75f1f87854954d22c5fc
SHA512 c1defcf0fb5043f667d7e8d00c3bce8eff6d942ddab2b1063770eb48d1ccd0dfba46541d24883f27549763681cecae7cc997418ccd02696b3c459a4c52684f42

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 a18fa8282230164bf60cbbcee20e64e3
SHA1 0f9e84b62efc78f78340bb5e1e3dd031ede5ef3b
SHA256 f2af89a5aa5b85b55a3ee80363815d1105b9d3f715c24ee7eb3a3ec5c93e5dd2
SHA512 9039135d9721cb51dad00d8690aaa5f2f1f89b75cd325e3037cd33c1a857c23692ec42da68651ace7c8b3a5d1941c26a339f3a7a82ca83f1eeae376162a74575

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 7c92fe023d248c1a2037b2e98f3e9327
SHA1 aa748ab42f2e1d547a3b810f4021f4f87ac57868
SHA256 810d7fb47782f5b22b9b0ef4db9e78bcb483890f0a420f0a12eeedf87f3e2675
SHA512 682783c1689b46ee7f85b484e5bf15e5ebf1d8b962d2f6559dda6a26d096b1ee1bfb2e9d6d8f2c77d77144432ffc3a05027b9d86f1138945cd8685d38ce00ff3

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 72b4282c5dc5fa1d8730c221f6a6b2c1
SHA1 c3d0549c6b5a91b58792dbc035bb28d053f4a6d4
SHA256 cf240fbad12c818858e2c79bd11fb76ccc9ac87748bde9a0cb70c64aada4c081
SHA512 fb0c03157354269f59faf19daf49737a6e26c5086b1e450a7ce9885304982cfd22988476303de15fe4ae93e4a42ea5ba685e972e0d9c53ad0d8a4aa62fd12612

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 ecdbb6e4489b57f2632add366d793994
SHA1 e2aef2a19ba12df8e609c2b226b2b21b37ec57b3
SHA256 6e41c0e810c4f816e0503fdaa850f939cdf9be5bfc8037039a6c1f674b2faa9a
SHA512 737a3c61bad0dac552e4c6028ac68224a2634151ff0fee3dcb4891a4823e8897649f2bdb995cae97ed25561622d076dc5a1904bc511a2b92ea9cff77034ba695

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 460b23b54dd449cc647bac7f169178eb
SHA1 1a2e35c46aec2b99a2317ce75f5989b2d3d9001c
SHA256 41bff49b735adb960cf68a55f5cc0f144f7fbe9483602fb61f208cd668d07bac
SHA512 5c4c25ab25db95400b58f4f02a49ef2f93c2e889b19071e06937e9bcf5d923277c7787b7c11144f811cc01a5e49a28b0565d26d5b5839b75e982a30f350bf727

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 56849df40edee15d1bbb85fa9e09887a
SHA1 d6aa73ffa2d2b43b403accf44aeed12f8b4989f9
SHA256 8335702649536773c0071839b0c526fed5ce2f9c2bfd8df90a111a287225253e
SHA512 c6005f2d69f5986c30f9ad1bd1a146642ef7fc5d97ba412d75c49fd735dce0d1d2d547f8a9005dcf90423751e4decc89d229ce4ff3a5eaf311e5a36081f3384b

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 80a951fb67446d0d7e5d7c50c2febdc7
SHA1 48af8ec418f0c57a2f26cccf84ed903fb36de801
SHA256 4f3c9eb6570a0db68d7f9eb4acf8cdf48879f2751c00c4bae2ddad3871f6e770
SHA512 e4a7479b95800bb50c0cd5c0941c9d88c52e1ce437f203e09c022e2f4fdfb8a913dc042c5ecd1321f392460673811b7516d1ac815481c6c10f156674ca0cfe1e

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 be79cb5b0d28ee4a2296bf0f247c94c7
SHA1 08ac216f3aa2773e19fefa26f838be8614cf6e47
SHA256 5b1bb43401cb2ed466bf394075dc19ead4c3270116d47b5a550b28b9b89a35e7
SHA512 6bcabc0c4db38ddec58d75d8bf3b497541cfa57ab1456d7295d5edcdce4013921cd84fac40279550422409a997b5997842c487fbb0a4eba53376d68c6faf2983

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 2292fc4e3f64a9e8f340a5f88ee785c7
SHA1 4a5b22375feb5d4ce6d14bf9abe594504ac9ac5c
SHA256 fc5ca7e0c1c2ed57d5e4e6de3435eea7baef30ae13f166477dde43322f9c55c1
SHA512 e7dddf7897c2aa5e4f67a82e331088ec3c9ed0f5346d6da494e8eacc715669eaf1cd2ce74daa40acfe92d676a5d1b8933b1ce75c9f1549f55d1a1793e46f4396

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 f929e690631d78c29342b6342bd133ba
SHA1 6893ab193b4c20f77f07c15ed6b6ce8ff58cb217
SHA256 6b1f16baaf3b82039e6486cfcfd481493df3622ee5242c631934c8bedabef926
SHA512 fac80dfba1c780aa16308ac5740a9bff73fb666526e4292349b73e1f0189371251f62251fb0f0086e092f3fae2c4a2c690972009a468e16ac78ffdcb6e0933c4

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 9ef2ce7aec265cf6568a0ba9c0b48774
SHA1 a8e99117ce06588a938534443c581fc20ba6d777
SHA256 47f65e4a1a82ba4a31c3c0121b48c29c3f550ad8a7f54f048bb3bc51cd54c7fc
SHA512 9a55368a4196171642005b01829df82f8afc5be8d646de915a44b77977d8ed2fe5a342422721c73ab30fd4324d9c6dfb24f8efc145e4f7697e0dded1b16b9af9

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 e092d755a17524b8082d7523452cf45f
SHA1 1bc2a30c9f7eba2091b30d202f6af215a7c0511a
SHA256 18be9522419f20f99f1fbb10879efa0ac1230001df4e508b47ced1798b775faa
SHA512 1324698aba993829e65012d03f0f8f6bf47ffacec448e6b08b3cda69e01c00ed692d8a431601a7609a7b02501c1f7ed0931c15c0f22bbfe8ab6727f365181754

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 49905255c29d303ae71c64ff9c7c7ce2
SHA1 ec100d1bf9ceb71b9dba758a51b74edb45a0757f
SHA256 2695cc12b3f4904a046c9a5bc169963a5aa9cb328e78f56b4a66316d8f58b671
SHA512 6c4cf028c9cd0f51abfe06ac20457c4487c7e85cdb8999f6a373c220d778e620a992c016692a3fb9429f31a9ca67ca18cc25f2b66041785f8d03176478ab65d5

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 8069234e5dfd5bb7f9000c0e458f918c
SHA1 66166e6e0809e03644bb395fafb1f1a65c1717a1
SHA256 2034df44d4cedc9311204324ee5120161294f71c202ff3522700c72f85741660
SHA512 041dde4f31fb456865475eb9336ef8d4f4052fe409013760d4236dd968bcc7f336d86c46c3ac26ad78f322df3740552533ff7a527294323bf1708c51bcff15b4

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 435c8a9e821e90514127dfcdca02fde2
SHA1 21dc429605d756ca74885ab972f7b13be528268e
SHA256 83394a80c57e748b97a0a1bfd6c67043b6d13bf10e889daaa8bd0eaee386e6d6
SHA512 76a49d74d37d7b64f6a6205f51469fe7f7c1cc3b3e95303393d08dc19bc0929bbe1736dd5de17bb5f8d0f62bd179fd9493c55ee6a99a9a16594803a9961996a2

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 c3a792882259a8f82a8f0177a778c408
SHA1 3074e2969bdc40714f8f940145d1e60848f95cec
SHA256 2abf4edb4a07ba09d67c3e73a6d97aab74efd6738f73abc047689f90e938424d
SHA512 f1285fd74ec07d7c532041ca656efa48d4c15909e72682fd3fe4813d7410712fbc6bf521f547218e8d8bd51d01c8197cce9e3be834a3e3f3d9b1c403106eace5

C:\Program Files\dotnet\dotnet.exe

MD5 5b438b098e54c7534dc1e03a277f8e20
SHA1 20c4bd1c4be714f604f55ae9882f39e5f8cae126
SHA256 b92207bef9ff484bf938b175e67ad56a6241e16bd9b7efb2ba93a08ca21735d1
SHA512 27d69ad8f905fdcfe4b0f947d750dc382fe3f4747f9877c310411fdf452878b8e34cb1a7e39d2a5d5cea8ce92d87f8f5513c1d036079f3d6ff82765426caf625

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 bfbe90c20284dcc1ef76c09330911ea1
SHA1 492ad4a65ed301eb47a3319dbab5d1662e8fe4dd
SHA256 c9bb28c91fbe286fe56ca8a78f23e6b091ad43edbe043e6e0f4af912571d8837
SHA512 2dd7c0546cd2f1bbf339ce459c7919048977638263f55dbf486cb55c23cc004be24b10617d01caac83ac01b4a29a1b57814a6a33d84ecd2921d4910f17a6cb92

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 f1a7fe336b1d8dfa329f3820cd9c38a3
SHA1 edff088cbf8f28b00eeb729db08477c3faa7eca3
SHA256 421a3651f42dd61d8a6fe6272e1fd607e6261f6ba792aabef037103aada7c8c4
SHA512 8f754554e2ee0bb0f4ad876ccf0bc82fb10dad9711e503230d39e98008301faa17919e63d65f6564617decfdde9d886baa608dbac534826583a1a21e7cb176fa

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 8bc2054a62f1f414bc7be7ef1a508547
SHA1 3031f067a6504ceb5b206196c299c14bb8e77a17
SHA256 791ab888f250de9ea4ab6b3967d5ada21d45c8cfb2610cafc1a8f7b886701ecd
SHA512 ad6df639781fea826bd9ab792f9b506dddf4ddcc65f8ba98e76718c2806c2fcb264a806d285fe9838181f2f8dca7970859906f45ba7600fa254c77941941825a

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 5e751d41ba3897480c5c801f7f88bfe4
SHA1 c71d215771f1f301a7f22d13c45a5bf17ce61f7e
SHA256 8d7ac56c8546ce43574ad7ab9ebfb24e88103393cb931f7e12ddf1b1993f8b20
SHA512 2cc66e497cb48005a7381c69abb912ec0c15adb91a47a01ff229718ac02010966f22531f2afe9cf65a2431f8d669d9995a2b1dcfdb15497edbd8229845dcafb9

C:\Program Files\7-Zip\Uninstall.exe

MD5 434cb7b24c5255942a9f9436d4747722
SHA1 cc4bb6b66271db78e5ddb4665a0bc05e9633e036
SHA256 01de26edc7ae3c5b36d50e56fc9bb98d8c68b08abedb1ecee7562f027b079e06
SHA512 b09fe3d3ee422970bba26be398375c9db0d1151398cc10623b3d57c58f9aa590132cc893270bfa65b8285b9029ad3e6e9955aac0d0dc1dac99dd0e96f8f979e2

C:\Program Files\7-Zip\7zG.exe

MD5 2a716ecb654e7277e78593a482986237
SHA1 99e87ee35dc12998d4fe27a864c08c3b41fb7bc4
SHA256 40b775702edbb34b4d1ed0625b277a2a25e5f233717c7b4d70a73115a16c3735
SHA512 b1c165c2a658dafebcddb6ae8418c87e8a1659545065046ef5a26f2a5a0c4e904dd59ef2b9d6162dab9727a27fd7d6dd8edd98bde360337a533e350640504b3d

C:\Program Files\7-Zip\7zFM.exe

MD5 ae5abd7367a122f147b039bb9c7666cc
SHA1 a7f95df1c6c1d5cb055ff7a0fbcdf9f2bd724d10
SHA256 858485fce75abac1df1e857742f222559137ae7788b0005660d1d894c213a5ef
SHA512 d0d3891591b5990272213a355d2de44161f8afa66c4068c19bb1f927487f8454327704eb2dc635c12286b8946539200192be68053a8fce36414f2b6cf51f3a21

C:\Program Files\7-Zip\7z.exe

MD5 0f073a810d6b3348c0b156d5cbdddf09
SHA1 655b182724a7cbfce1628060980a2d265f4b200b
SHA256 02e8e6f2051957be257759900a4259e7e5e965a7ae957416751844dab8b4e086
SHA512 f86a2112ce7514cd3bfa78f78e934f025f797f961a9528eac3e7349515bdcda95efd1184ef685b77f5c5b171db768130464709df4c18f437bf0088e21a76fbf1

memory/5800-554-0x0000000140000000-0x0000000140176000-memory.dmp

memory/2176-603-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2104-606-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/736-607-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/3228-608-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/4552-611-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2928-612-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/2368-613-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2112-614-0x0000000140000000-0x00000001401A6000-memory.dmp

memory/1740-616-0x0000000140000000-0x0000000140179000-memory.dmp