Malware Analysis Report

2025-01-02 03:11

Sample ID 240817-bplsasyeqd
Target 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe
SHA256 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9
Tags
remcos remotehost discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9

Threat Level: Known bad

The file 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery rat spyware stealer

Remcos

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 01:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 01:19

Reported

2024-08-17 01:21

Platform

win7-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2a0cee92d03a5d9e.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1648 set thread context of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4DC3.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB107.tmp\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3E48.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5EF2.tmp\stdole.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP43C4.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5AEC.tmp\ehiVidCtl.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15e.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index164.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index163.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAED5.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\perfhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1648 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1648 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1648 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1648 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1648 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1412 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1412 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1412 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1412 wrote to memory of 1972 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1412 wrote to memory of 1972 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1412 wrote to memory of 1972 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2864 wrote to memory of 872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe

"C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 258 -Pipe 1cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 244 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 23c -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 1d0 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 234 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 260 -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 1d0 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 250 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 234 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a0 -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 264 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 278 -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 234 -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 24c -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 254 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 214 -NGENProcess 208 -Pipe 20c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 254 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 208 -Pipe 228 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 244 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 208 -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 1ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 264 -Pipe 214 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 22c -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 22c -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 22c -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 294 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 22c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2cc -Pipe 208 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 308 -NGENProcess 2c4 -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e0 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2c4 -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2c4 -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e0 -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2c4 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2e0 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2c4 -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2e0 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2c4 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2e0 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2c4 -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 304 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2e0 -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2c4 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 304 -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 304 -NGENProcess 358 -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 368 -NGENProcess 2c4 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2c4 -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 358 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 2c4 -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 358 -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 2c4 -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 364 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 358 -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 2c4 -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 364 -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 358 -Pipe 388 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 2c4 -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 364 -Pipe 390 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 358 -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 2c4 -Pipe 398 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 364 -Pipe 39c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 358 -Pipe 3a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 2c4 -Pipe 3a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 364 -Pipe 3a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 358 -Pipe 3ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 2c4 -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 364 -Pipe 3b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 358 -Pipe 3b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 2c4 -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 364 -Pipe 3c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 358 -Pipe 3c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 358 -NGENProcess 3d4 -Pipe 2c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 358 -NGENProcess 3dc -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3dc -NGENProcess 3d8 -Pipe 3d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3ec -NGENProcess 3c8 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3c8 -NGENProcess 358 -Pipe 3cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3f4 -NGENProcess 3d8 -Pipe 3e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 3d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3f0 -NGENProcess 3c8 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 404 -NGENProcess 3d8 -Pipe 3e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3fc -Pipe 3ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3c8 -Pipe 3f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3d8 -Pipe 3dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3fc -Pipe 3f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3c8 -Pipe 3f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3d8 -Pipe 404 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3fc -Pipe 408 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3c8 -Pipe 40c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3d8 -Pipe 410 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3fc -Pipe 414 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 3c8 -Pipe 418 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3d8 -Pipe 41c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 3fc -Pipe 420 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 3c8 -Pipe 424 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 3d8 -Pipe 428 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3fc -Pipe 42c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 3c8 -Pipe 430 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 3d8 -Pipe 434 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 3d8 -NGENProcess 444 -Pipe 3fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 454 -NGENProcess 3c8 -Pipe 43c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 3c8 -NGENProcess 44c -Pipe 450 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 45c -NGENProcess 444 -Pipe 448 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 458 -Pipe 438 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 44c -Pipe 3d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 444 -Pipe 440 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 458 -Pipe 454 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 458 -NGENProcess 464 -Pipe 44c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 474 -NGENProcess 444 -Pipe 45c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 444 -NGENProcess 46c -Pipe 470 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 47c -NGENProcess 464 -Pipe 468 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 480 -NGENProcess 478 -Pipe 3c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 484 -NGENProcess 46c -Pipe 458 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 480 -NGENProcess 464 -Pipe 444 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 460 -NGENProcess 488 -Pipe 474 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 488 -NGENProcess 484 -Pipe 46c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 494 -NGENProcess 464 -Pipe 47c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 464 -NGENProcess 3e0 -Pipe 49c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 3e0 -NGENProcess 460 -Pipe 498 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 460 -NGENProcess 3e0 -Pipe 4a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 3e0 -NGENProcess 488 -Pipe 48c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 4a8 -NGENProcess 478 -Pipe 494 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4ac -NGENProcess 4a4 -Pipe 480 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4b0 -NGENProcess 488 -Pipe 464 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 478 -Pipe 490 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 478 -NGENProcess 4ac -Pipe 4a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 4bc -NGENProcess 488 -Pipe 3e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4c0 -NGENProcess 4b8 -Pipe 4a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c4 -NGENProcess 4ac -Pipe 4b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 488 -Pipe 460 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 488 -NGENProcess 4c0 -Pipe 4b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 4d0 -NGENProcess 4ac -Pipe 478 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4d4 -NGENProcess 4cc -Pipe 4bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4cc -NGENProcess 488 -Pipe 4c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4dc -NGENProcess 4ac -Pipe 4b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e0 -NGENProcess 4d8 -Pipe 4c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4e4 -NGENProcess 488 -Pipe 4d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 4ac -Pipe 4c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 4d8 -Pipe 4d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 488 -Pipe 4cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 4ac -Pipe 4dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 4d8 -Pipe 4e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 488 -Pipe 4e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 4ac -Pipe 4e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 504 -NGENProcess 4d8 -Pipe 4ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 488 -Pipe 4f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 4ac -Pipe 4f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 510 -NGENProcess 4d8 -Pipe 4f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 488 -Pipe 4fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 4ac -Pipe 500 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 4d8 -Pipe 504 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 488 -Pipe 508 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 4ac -Pipe 50c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 4d8 -Pipe 510 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 488 -Pipe 514 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 4ac -Pipe 518 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 4d8 -Pipe 51c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 538 -NGENProcess 488 -Pipe 520 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 534 -NGENProcess 108 -Pipe 488 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 484 -NGENProcess 53c -Pipe 52c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 528 -NGENProcess 530 -Pipe 524 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 540 -NGENProcess 108 -Pipe 10c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 544 -NGENProcess 53c -Pipe 4ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 544 -NGENProcess 528 -Pipe 538 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 54c -NGENProcess 108 -Pipe 534 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 550 -NGENProcess 53c -Pipe 484 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 528 -Pipe 540 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 558 -NGENProcess 108 -Pipe 530 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 55c -NGENProcess 53c -Pipe 548 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 55c -InterruptEvent 560 -NGENProcess 528 -Pipe 544 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 108 -Pipe 54c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 53c -Pipe 550 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 568 -NGENProcess 564 -Pipe 528 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 558 -NGENProcess 53c -Pipe 4d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 570 -NGENProcess 560 -Pipe 108 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 574 -NGENProcess 564 -Pipe 56c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 578 -NGENProcess 53c -Pipe 190 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 57c -NGENProcess 560 -Pipe 554 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 580 -NGENProcess 564 -Pipe 568 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 584 -NGENProcess 53c -Pipe 558 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 584 -InterruptEvent 588 -NGENProcess 560 -Pipe 570 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 560 -NGENProcess 57c -Pipe 590 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 574 -NGENProcess 58c -Pipe 578 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 594 -NGENProcess 584 -Pipe 55c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 598 -NGENProcess 57c -Pipe 564 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 59c -NGENProcess 58c -Pipe 580 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 5a0 -NGENProcess 584 -Pipe 588 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5a0 -InterruptEvent 5a4 -NGENProcess 57c -Pipe 560 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5a4 -InterruptEvent 5a8 -NGENProcess 58c -Pipe 574 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 5ac -NGENProcess 584 -Pipe 594 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5ac -InterruptEvent 5b0 -NGENProcess 57c -Pipe 598 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5b0 -InterruptEvent 5b4 -NGENProcess 58c -Pipe 59c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 5b8 -NGENProcess 584 -Pipe 5a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5b8 -InterruptEvent 5bc -NGENProcess 57c -Pipe 5a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5bc -InterruptEvent 5c0 -NGENProcess 58c -Pipe 5a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5c0 -InterruptEvent 5c4 -NGENProcess 584 -Pipe 5ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5c4 -InterruptEvent 5c8 -NGENProcess 57c -Pipe 5b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5c8 -InterruptEvent 5cc -NGENProcess 58c -Pipe 5b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5cc -InterruptEvent 5d0 -NGENProcess 584 -Pipe 5b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5d0 -InterruptEvent 5d4 -NGENProcess 57c -Pipe 5bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5d4 -InterruptEvent 5d8 -NGENProcess 58c -Pipe 5c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5d8 -InterruptEvent 5dc -NGENProcess 584 -Pipe 5c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5dc -InterruptEvent 5e0 -NGENProcess 57c -Pipe 5c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5e0 -InterruptEvent 5e4 -NGENProcess 58c -Pipe 5cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5e4 -InterruptEvent 5e8 -NGENProcess 584 -Pipe 5d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5e8 -InterruptEvent 5ec -NGENProcess 57c -Pipe 5d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5ec -InterruptEvent 5f0 -NGENProcess 58c -Pipe 5d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5f0 -InterruptEvent 5f4 -NGENProcess 584 -Pipe 5dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5f4 -InterruptEvent 5f8 -NGENProcess 57c -Pipe 5e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5f8 -InterruptEvent 5fc -NGENProcess 58c -Pipe 5e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5fc -InterruptEvent 600 -NGENProcess 584 -Pipe 5e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 600 -InterruptEvent 604 -NGENProcess 57c -Pipe 5ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 604 -InterruptEvent 608 -NGENProcess 58c -Pipe 5f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 608 -InterruptEvent 60c -NGENProcess 584 -Pipe 5f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 60c -InterruptEvent 610 -NGENProcess 57c -Pipe 5f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 610 -InterruptEvent 614 -NGENProcess 58c -Pipe 5fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 614 -InterruptEvent 618 -NGENProcess 584 -Pipe 600 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 618 -InterruptEvent 61c -NGENProcess 57c -Pipe 604 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 61c -InterruptEvent 620 -NGENProcess 58c -Pipe 608 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 620 -InterruptEvent 624 -NGENProcess 584 -Pipe 60c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 624 -InterruptEvent 628 -NGENProcess 57c -Pipe 610 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 628 -InterruptEvent 62c -NGENProcess 58c -Pipe 614 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 630 -NGENProcess 584 -Pipe 618 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 630 -InterruptEvent 634 -NGENProcess 57c -Pipe 61c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 634 -InterruptEvent 638 -NGENProcess 58c -Pipe 620 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 638 -InterruptEvent 63c -NGENProcess 584 -Pipe 624 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 63c -InterruptEvent 640 -NGENProcess 57c -Pipe 628 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 640 -InterruptEvent 644 -NGENProcess 58c -Pipe 62c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 644 -InterruptEvent 648 -NGENProcess 584 -Pipe 630 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 648 -InterruptEvent 64c -NGENProcess 57c -Pipe 634 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 64c -InterruptEvent 650 -NGENProcess 58c -Pipe 638 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 650 -InterruptEvent 654 -NGENProcess 584 -Pipe 63c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 654 -InterruptEvent 658 -NGENProcess 57c -Pipe 640 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 658 -InterruptEvent 65c -NGENProcess 58c -Pipe 644 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 65c -InterruptEvent 660 -NGENProcess 584 -Pipe 648 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 660 -InterruptEvent 664 -NGENProcess 57c -Pipe 64c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 664 -InterruptEvent 668 -NGENProcess 58c -Pipe 650 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 668 -InterruptEvent 66c -NGENProcess 584 -Pipe 654 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 66c -InterruptEvent 670 -NGENProcess 57c -Pipe 658 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 674 -NGENProcess 58c -Pipe 65c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 674 -InterruptEvent 678 -NGENProcess 584 -Pipe 660 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 678 -InterruptEvent 67c -NGENProcess 57c -Pipe 664 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 67c -InterruptEvent 680 -NGENProcess 58c -Pipe 668 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 680 -InterruptEvent 684 -NGENProcess 584 -Pipe 66c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 684 -InterruptEvent 688 -NGENProcess 57c -Pipe 670 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 688 -InterruptEvent 68c -NGENProcess 58c -Pipe 674 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 68c -InterruptEvent 690 -NGENProcess 584 -Pipe 678 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 690 -InterruptEvent 694 -NGENProcess 57c -Pipe 67c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 694 -InterruptEvent 698 -NGENProcess 58c -Pipe 680 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 698 -InterruptEvent 69c -NGENProcess 584 -Pipe 684 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 69c -InterruptEvent 6a0 -NGENProcess 57c -Pipe 688 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6a0 -InterruptEvent 6a4 -NGENProcess 58c -Pipe 68c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6a4 -InterruptEvent 6a8 -NGENProcess 584 -Pipe 690 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6a8 -InterruptEvent 6ac -NGENProcess 57c -Pipe 694 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6ac -InterruptEvent 6b0 -NGENProcess 58c -Pipe 698 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6b0 -InterruptEvent 6b4 -NGENProcess 584 -Pipe 69c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6b4 -InterruptEvent 6b8 -NGENProcess 57c -Pipe 6a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6b8 -InterruptEvent 6bc -NGENProcess 58c -Pipe 6a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6bc -InterruptEvent 6c0 -NGENProcess 584 -Pipe 6a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6c0 -InterruptEvent 6c4 -NGENProcess 57c -Pipe 6ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6c4 -InterruptEvent 6c8 -NGENProcess 58c -Pipe 6b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 6c4 -NGENProcess 6b4 -Pipe 58c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6c4 -InterruptEvent 6b4 -NGENProcess 6c8 -Pipe 53c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6b4 -InterruptEvent 6ec -NGENProcess 6d8 -Pipe 6e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6ec -InterruptEvent 6d8 -NGENProcess 6c4 -Pipe 6e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6d8 -InterruptEvent 6f4 -NGENProcess 6c8 -Pipe 57c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6f4 -InterruptEvent 6f8 -NGENProcess 6f0 -Pipe 6e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6f8 -InterruptEvent 6fc -NGENProcess 6c4 -Pipe 6b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6fc -InterruptEvent 700 -NGENProcess 6c8 -Pipe 6d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 700 -InterruptEvent 704 -NGENProcess 6f0 -Pipe 6ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 704 -InterruptEvent 708 -NGENProcess 6c4 -Pipe 6d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 708 -InterruptEvent 70c -NGENProcess 6c8 -Pipe 6f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 70c -InterruptEvent 710 -NGENProcess 6f0 -Pipe 6f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 710 -InterruptEvent 714 -NGENProcess 6c4 -Pipe 6fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 714 -InterruptEvent 718 -NGENProcess 6c8 -Pipe 700 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 718 -InterruptEvent 71c -NGENProcess 6f0 -Pipe 704 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 71c -InterruptEvent 720 -NGENProcess 6c4 -Pipe 708 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 720 -InterruptEvent 724 -NGENProcess 6c8 -Pipe 70c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 724 -InterruptEvent 718 -NGENProcess 6f0 -Pipe 72c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 718 -InterruptEvent 730 -NGENProcess 728 -Pipe 710 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 23.95.235.18:2557 tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 geoplugin.net udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
SG 18.141.10.107:80 ssbzmoy.biz tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.143:80 przvgke.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 92.123.143.234:80 crl.microsoft.com tcp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 172.234.222.143:80 fwiwk.biz tcp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp

Files

memory/2108-0-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2108-2-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2108-4-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2108-10-0x0000000000650000-0x00000000006B7000-memory.dmp

memory/2108-11-0x0000000000650000-0x00000000006B7000-memory.dmp

memory/2108-13-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2108-15-0x0000000000400000-0x000000000064F000-memory.dmp

\Windows\System32\alg.exe

MD5 0f1fbabd58704ceb4413c3a7fe30acfa
SHA1 2682d85b2296a47ffdb85beeb08a9e3e0ff4ccf2
SHA256 54a01618677a9d286d5cb3bf5928bad49b9ee503104006ba200e70f37adef633
SHA512 3d61a7031affcd329396d864f2b6110b9f4f7e9ccdb93e90b8c4507aed2f813487a1b30f0a18fba998e2239835a6bd94398e9531a182298bd9d47672afeb22ce

memory/2452-19-0x0000000100000000-0x00000001001E3000-memory.dmp

memory/2452-20-0x0000000000900000-0x0000000000960000-memory.dmp

memory/2452-28-0x0000000000900000-0x0000000000960000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 1df473704f92f6d555deca304663eb8f
SHA1 77879bb9c6cab55b8954b4ce7da624a9976ad910
SHA256 9bb434718a54e11cabd47c7201e0c9d3eab3d91884c022cb7569f77c0e0da019
SHA512 9c4d1f45180d0fbb98040e1e0aed6fdc33cd6be7588e091ddc493bee3bf4f74bf457c409bf2b15ee95cf22a8741111076eb0437f080da48ef20560d004fd85d5

memory/2904-33-0x0000000140000000-0x00000001401DC000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 2de420633c45b13f52f205deefe42a7b
SHA1 64cbdd04ff387fdb7b48200da18389c09a1d8faa
SHA256 352d24fa4c8e4eae8549000367979dad6b61e51db84fe42f879bacc7198eda91
SHA512 3ae5c8ad31c2348e07f80929369d13e911b1570d5929da105c8e5ca76e16838aaf875c01490466dba2caedd5bd9b76fa838eb59f9e760ee73f4de309fb79ea4c

memory/2644-36-0x0000000010000000-0x00000000101DE000-memory.dmp

memory/2644-37-0x0000000000320000-0x0000000000387000-memory.dmp

memory/2644-42-0x0000000000320000-0x0000000000387000-memory.dmp

memory/2108-48-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2108-49-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2108-52-0x0000000000400000-0x000000000064F000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 b2b61f66acac9f278ae2e33cf1be8444
SHA1 b6561940bc59c6fb73a57885af6593e97a819806
SHA256 8bf79b3580dc58cc4c1436247776e6be3a7f744dd9b7c7e0d6329cd43fdfe531
SHA512 cd52d6d0105568e7270cd40e5f57a986bfd6e54a20c161686dc6311f3a7b2125000a642cf9226c9998eac43ee0faf8553f600ad4c0040ea01bd7b6ab7490a1a7

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 1822775d505dd883f3c88da311bae66c
SHA1 8a6bf05e5a7e6915939c9837b3b3e8e6f331a0ba
SHA256 e51f9f04b375f85e78edd325a9430e870b022ae753f51f15fc5df671c1349593
SHA512 55411f97a7c70de811dc6ab774c0d488a5eec9165771f1b4210ad7ed50b1bccc07d55ff2c0ea2a47d26664843f272dc7bd4b2257401af79f48116bafea7bf779

memory/2868-56-0x0000000010000000-0x00000000101E6000-memory.dmp

memory/2644-61-0x0000000010000000-0x00000000101DE000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 89a7a921aef2b591902fd2bd101fc341
SHA1 38e67db6ec27c21233a096d4181e729b7b471cbe
SHA256 01fe4597b5cb4d96f33132eac472869c54ae9a616131160a1944fec15cc3dc9f
SHA512 c9bd1c04f83b1e8f05fe39d6a2fe7d8370af85e8cd9c7686df74be7e6a155f67379d52bf8e8d47c0e43e88015dd62408f13c716e5a2c2a0bf743195f5a2799cf

memory/2864-70-0x0000000000400000-0x00000000005E7000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 2e6204f3936dc5b2c362e2f24efe2106
SHA1 a379091fdaac85ec3fd5fa8f0b11abc89f7077f4
SHA256 8341201a3b670c29ea6d6fa4cb4eb6026e76e8a7a593a9724a69d03680784a5e
SHA512 558e127cec3aade162822fea1f53ebf7588ffc3d0a423145b8dc656c3aaea5ace69a74e9cea7c1ad803b85dea2c2767309d59bff58d166c1ea90fa1238f0d315

memory/2864-71-0x00000000006B0000-0x0000000000717000-memory.dmp

memory/2864-76-0x00000000006B0000-0x0000000000717000-memory.dmp

memory/2868-78-0x0000000010000000-0x00000000101E6000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 c195c6a6685bd48f81c9142abd14efc3
SHA1 ba2ab378baa156ef6a70b9695e022a8cc2ae336a
SHA256 0acda9c71bde05051d89e751bb6cb5125c334db049a24f06e6556a58bf8af487
SHA512 9c5a53f135e7ade75798ff83d77c765e0d4a821efbbc161e312b5692f967c60c98614671c0f3926998dc63c826bc3c4616c9d68d343d9b8e1541fcc557cd3795

memory/1412-92-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1412-90-0x00000000005D0000-0x0000000000630000-memory.dmp

memory/1412-84-0x00000000005D0000-0x0000000000630000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 525e1a463ec81eb1163237766a4c5b0a
SHA1 c150aae5656c7662670fb86d6c2a03d1d26a2135
SHA256 486513557af5eb8268fe41b852762a6c2882fd225db1bc7814ca6737c37786bb
SHA512 4716b5cf86ac843f350c40ee5dc1b918538eb911a962720e90a6634d6e9d07f1f8161de0bb73800e22f17c87a8336fe6d87052dc5687811ad49cf792168d44a0

memory/536-101-0x0000000140000000-0x000000014013C000-memory.dmp

memory/536-108-0x0000000000380000-0x00000000003E0000-memory.dmp

memory/536-102-0x0000000000380000-0x00000000003E0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 19fb390fba5817e2d452d891b13a9141
SHA1 8c32945aecabf7e6aaac5ec09d315dcf3153cd39
SHA256 14cf65f41b06abf1aaa4b179ab2751eb39453131b385f2c39e0663500347590c
SHA512 ea1b88f095037bae101f5b64bfc22698e1542d1829b2b61654ffd0b06be1e92a898f96187b41a0c3692a13e5e03ed40cecd76a745737da703e314b8b264c7c1f

memory/2656-113-0x0000000000BB0000-0x0000000000C10000-memory.dmp

memory/2656-119-0x0000000000BB0000-0x0000000000C10000-memory.dmp

memory/2656-122-0x0000000140000000-0x00000001401F1000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 b285fa624df56c5f4875efa963d7176f
SHA1 e6eb96810061b9b4a068bdd65c7b1417bd8a8bbe
SHA256 606637078c5764e19a04c5ece0757dd0b82d8500cae9f850e60720a6098605d8
SHA512 0984a47b89131a4e1dba072b5b85e0a934e23921773be4affb307f6e2c613733a3a2fd79f36c3136233b1c782eccb8aab64135014052bc2cb4a88c33926b6e34

memory/1936-135-0x0000000140000000-0x0000000140237000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 be8f7278729cd74bcb2e8d5b3066e788
SHA1 7a65e94bcbed93e16d1a1530b585054795736dd9
SHA256 e5534547f4cb37d562992af1bc88c63b2db73190fc6c77ccd210a0273365ee01
SHA512 9286f00cdcac9278345590025ab9ae99a4ff0a4bab1838adc4b5d2870b9d68e11d80abf7e139d8a708988c37f7e7ab9552c09c055278966ad2c9af907c115e07

memory/2452-147-0x0000000100000000-0x00000001001E3000-memory.dmp

memory/2000-148-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 cfee182c6a2d8228cec44325d0fbddda
SHA1 df7a693fdccab10264686585581e1ee7dbdc5acf
SHA256 cd1504a23427a4c2957e549c4c5edc6b2119d991aa510e97c43e99bfac207a18
SHA512 d42643ee46ff565d0dc0ce3d1f0fc6952561a078ce61aa1d37626e4f89f8248393ecb0c428d7f6b7892a00e63ec3248b0c54299d57e57345a7dbebae3db18f89

memory/1604-160-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 c3307a9d442494cb1634806f3c13f58b
SHA1 0b3a122de70fe7354097d121b3b1435f34a7d4e9
SHA256 56b2225610921002521baf28e9d9423af98372fd6ff8ea44a3ed6e4bf42c8447
SHA512 b205b9d66b1d8fa408ea5fdc25b6b9d65504876f710cacf84f9db9d32990b1e4dd731f09765a522a394bc123fcef2e594de1d5650a0c7049b2e242d80d72219e

memory/2204-172-0x0000000140000000-0x0000000140209000-memory.dmp

memory/2904-163-0x0000000140000000-0x00000001401DC000-memory.dmp

memory/2204-178-0x0000000140000000-0x0000000140209000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 a65631c0a83836c63f992d97c3219c51
SHA1 15e34453549fe80117f1e9d41966041ee82402c0
SHA256 7535917a6d051341c335dad7558e8f95cb805940ae05a27170ac5337aabc9ae1
SHA512 68438012bcb288f670f173a0ff8555e5e79668c1776216b98d95be240ba72aa7f124f48f5b5fa20fe5cb12ff0631a946dcc8f8cfcc9cf44278eae59afa732bb2

memory/1648-181-0x0000000140000000-0x00000001401F5000-memory.dmp

C:\Windows\System32\msiexec.exe

MD5 5bc3c392149242ca974a25763f0d0032
SHA1 3437e1c549d52f1b96fb252895cf0eb8a3bb7812
SHA256 1cce31bf2df99c26e1c81fb628ddb355ea71260ee80969befdee8b2a1ddc9571
SHA512 03c154d5608d6836f09d25daede987b0f120c7a1ec0b7f112efffac0e6ed5d6a7684ec999b635b26ebb6361e7a365defd13973104e98e30170e6d30b3a2b9ba7

memory/2816-194-0x0000000100000000-0x00000001001F1000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 84d043c7244b232ad2f86d7c9cdeae32
SHA1 759bc3b2906ce6a8850493ee3edc3070d213ffd1
SHA256 9f1cf2dba7ca3e5a530e10d32795230dcb17da1afc557fc8283ab630697c1320
SHA512 1c3ed911f128b3d4880f67bc55fb63b1492f4a0771a6832efd21398915ccb608171418f5b0b4cb4b0787e5269078c23ec168545e7969d2d471ebc0619305690c

memory/1412-216-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2984-219-0x000000002E000000-0x000000002E1F4000-memory.dmp

memory/2864-198-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2816-199-0x0000000000650000-0x0000000000841000-memory.dmp

memory/536-220-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 3ff741f3f6307d3b71c98dc4cfa5b46e
SHA1 28d6cf02052ea0efa0622b8d187c46007caeb9ff
SHA256 9ed895003c7a87dec24b2bfa2e4a2393e6fa73e1bfd46d39d9ef6b91c3ec9795
SHA512 73d83629c60150781584ceab62780b14ce1bb616cc4a2240b452e8a67940fe4a0ac9d8ede2233753cd5fc14334799458225c7bbc1b2ca6752364fdd7e9292852

memory/2968-235-0x0000000001000000-0x00000000011D5000-memory.dmp

memory/2656-234-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1840-247-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1936-246-0x0000000140000000-0x0000000140237000-memory.dmp

\Windows\System32\Locator.exe

MD5 e7465428217bdf3e8cbd8e584faea90c
SHA1 4b2064b404e4bc5e145d6cf4fbadc0a8f045ee2a
SHA256 fa7b3c2c3b67e8c75b961e4ab41fa23af97f76d8bce319a0b293babd59cf1f8b
SHA512 21726fd03e332df3fad5286812183c8afc15a6b9d4e2ff1c9aa622e8b5e696effe75f5b84211605c4e77100237683631e75472d9999d339919bba02745211d55

memory/2000-250-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2352-259-0x0000000100000000-0x00000001001D4000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 1e1d0ddb5fffb05ffc90c15a002b322c
SHA1 82cda12a918f5dfadfa613c508add45c50bd1626
SHA256 a17540743c119c60cc09eca6a6c353253e6e8eb9da6aa69551ddad68b7c5e8f6
SHA512 e8eb276975f3bd67f56498fc0319c8e5a4b7fb76d6838b4e7bd4cbab3498c9068e168cc7e6a0aca8f0f6186aa15f7f194b814ee9770a2c2a6eaf3c94ec3b34e8

memory/1824-283-0x0000000100000000-0x0000000100253000-memory.dmp

C:\Windows\System32\vds.exe

MD5 f82f1b710eda62c8c1d179838da16267
SHA1 2f22c97f8c0ffca1f378706e1346f53a7d403152
SHA256 f0c3e83580a33b704cf7a580b471232f46ecf77d3bc957589863887906522db5
SHA512 3ec508645e4a5b26ff45851e3e0ee411ffa0602062a3e75cc0c823c373fb20d045dc0b84da9d5676e5caa1674dd7db5424b83d48f7c0b44fb4f1103718a86238

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

memory/1148-274-0x0000000100000000-0x00000001001D5000-memory.dmp

memory/1604-272-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 0cf86cb7a22e3c3b1703992d8cc29f6b
SHA1 0aaa6c91e4a4b0f3cb27765ffc6037b79b18398b
SHA256 9d76dd592745177f1c32d521704a97d2384651161963a8565a95c27413a08af7
SHA512 5f8d0a439cdc59828080b3234f31b2c8386448c44437b98d5a21315193bd1935b247d2960bae36dba33b88aaa600c5c2aca6f76cabc5d517027f5d7262aa2b21

memory/1648-294-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/2444-303-0x0000000100000000-0x0000000100219000-memory.dmp

\Windows\System32\wbengine.exe

MD5 fba5b0473dbebb70d95a958d5b0c7fd6
SHA1 e39d80f58c550816d5c5ae8ad4cf82965c7b5436
SHA256 0d07cdcd01b3b414c7ac8dc110a93e03172e6f456c3df029eeb424009b375a7d
SHA512 e52ff2d833ddb9b6d6207423f4fe4297f65553c66af01db4855abdcab6bab04e114540da0fab881776c937bddd496fe89e967d70dfe541d6f6a7e1efed9d7e47

memory/2816-310-0x0000000000650000-0x0000000000841000-memory.dmp

memory/2344-308-0x0000000100000000-0x0000000100202000-memory.dmp

memory/2816-307-0x0000000100000000-0x00000001001F1000-memory.dmp

memory/1972-325-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1840-331-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2680-335-0x0000000100000000-0x0000000100203000-memory.dmp

memory/2984-334-0x000000002E000000-0x000000002E1F4000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 6951e2ebbda5bc61b9e340c64c3c9408
SHA1 91acf5927c6affd9dd5ddc60a46989fb3ee7a2bb
SHA256 793eed52029a488cd78e12e9bac37c5a52593d26dd365d6362324b6ef051d040
SHA512 5c205d859566b44a4621723e88bc2eb05e3aaefa352c25e6fa38ed8d42c25a98f9e8cd7384e422d2fdff8e426eb78842b8e8ec056da87fd821a8da05101019d0

memory/2524-347-0x0000000100000000-0x000000010020A000-memory.dmp

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 8887dab8d6a09160a0301e6d450b7cf3
SHA1 91edced845c43bf8d6a58dd6265ef18c6868fdd1
SHA256 507df89b4d43b3a9957c0bd4aa1acb8f1fe021fae74bb7246a2e258e4f1c5f1a
SHA512 d910280dc65a6bd131c8702c6f5ec265279e033ba01672ee285f1dc73479b5dcae41b90e226f56af26db57c91afdd997ba99079a891f400f99dd4c93e6d1ec4d

memory/2248-360-0x0000000100000000-0x0000000100123000-memory.dmp

memory/2968-359-0x0000000001000000-0x00000000011D5000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 1b0e23ddd9856ee193cc61d163119385
SHA1 4cebc3bdc9c21b3234f83bfcb2f6fc5221f175ba
SHA256 316f9d35d28f43120a6bb0489fe2a99440446fa71aac3cdd6963b6b1f8504ef5
SHA512 d8b49278dee393974fde68bee32da58a680cfc4a68b07c402f26e50c42e5afa637cb566f0549fa3f27aedc31a24b1a6e5595ff887d1ea3d33fced043a5996520

memory/1972-365-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 84ca72efbf79e289bcc90292b8a5580b
SHA1 e1246a230739351a44850d75a27bc8052a9462bd
SHA256 9c7bc0480510edd003dc9ee6c8b9cbd42301900b8dfcafc18698c896db1aea1e
SHA512 4d037f7fea337a3343456a7c5a7253f38e479faeeb260a189877c752941f81dc6ff55a1087a78f53251428c49979f4f5fd57580cecb4ce146323b4060df0f877

memory/2352-471-0x0000000100000000-0x00000001001D4000-memory.dmp

memory/1492-486-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/3044-500-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2384-503-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/1148-499-0x0000000100000000-0x00000001001D5000-memory.dmp

memory/1524-516-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/1824-514-0x0000000100000000-0x0000000100253000-memory.dmp

memory/3044-522-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2204-533-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2444-532-0x0000000100000000-0x0000000100219000-memory.dmp

memory/1524-537-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2380-551-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2344-549-0x0000000100000000-0x0000000100202000-memory.dmp

memory/2204-555-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/3060-568-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2380-573-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2680-575-0x0000000100000000-0x0000000100203000-memory.dmp

memory/3060-578-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2524-588-0x0000000100000000-0x000000010020A000-memory.dmp

memory/2068-597-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2248-600-0x0000000100000000-0x0000000100123000-memory.dmp

memory/1424-609-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/872-620-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/1972-661-0x0000000003D60000-0x0000000003E1A000-memory.dmp

memory/2656-847-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/2000-869-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/536-925-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2396-974-0x0000000001880000-0x000000000188E000-memory.dmp

memory/2396-975-0x0000000001A40000-0x0000000001A4C000-memory.dmp

memory/2396-976-0x0000000001A60000-0x0000000001AA8000-memory.dmp

memory/2396-977-0x0000000001AB0000-0x0000000001AC6000-memory.dmp

memory/2300-989-0x0000000001880000-0x000000000188E000-memory.dmp

memory/2300-990-0x00000000018E0000-0x00000000018EC000-memory.dmp

memory/2300-991-0x000000001ACE0000-0x000000001AD28000-memory.dmp

memory/2300-992-0x00000000018F0000-0x0000000001906000-memory.dmp

memory/2300-994-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

memory/2300-995-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

MD5 5180107f98e16bdca63e67e7e3169d22
SHA1 dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256 d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

memory/692-1013-0x0000000001B00000-0x0000000001B18000-memory.dmp

memory/692-1014-0x000000001ACC0000-0x000000001ACCE000-memory.dmp

memory/692-1015-0x000000001AD60000-0x000000001AD7A000-memory.dmp

memory/692-1016-0x000000001AD80000-0x000000001AD9E000-memory.dmp

memory/1516-1028-0x00000000019C0000-0x00000000019D8000-memory.dmp

memory/1516-1029-0x0000000001A10000-0x0000000001A1E000-memory.dmp

memory/1516-1030-0x0000000001A20000-0x0000000001A36000-memory.dmp

memory/1516-1031-0x0000000001A40000-0x0000000001A5A000-memory.dmp

memory/1516-1032-0x000000001B250000-0x000000001B26E000-memory.dmp

memory/1516-1038-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

memory/1516-1037-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

MD5 5fd34a21f44ccbeda1bf502aa162a96a
SHA1 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

MD5 80f2bee013dcc322de263a3aeb6451fb
SHA1 5a76799961def035db2b8e5b464f3e9b02f5903d
SHA256 8a5836f73022c0472b9fd88d592e30f28471084d96d3d0b328c1b4d1242fcf4e
SHA512 3b014fb66307523bf673c0963b876d687cc23cd6d7a09013be17bbf5d1576c634725292394bdc17afa4c476bc97201a7587fe5906d1d4bd5245b7a9f657957af

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

MD5 3d6987fc36386537669f2450761cdd9d
SHA1 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

MD5 a8b651d9ae89d5e790ab8357edebbffe
SHA1 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512 b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

MD5 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1 f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256 c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512 c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

MD5 ed5c3f3402e320a8b4c6a33245a687d1
SHA1 4da11c966616583a817e98f7ee6fce6cde381dae
SHA256 b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512 d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

MD5 9d9305a1998234e5a8f7047e1d8c0efe
SHA1 ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 dd1dfa421035fdfb6fd96d301a8c3d96
SHA1 d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256 f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 57b601497b76f8cd4f0486d8c8bf918e
SHA1 da797c446d4ca5a328f6322219f14efe90a5be54
SHA256 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 68c51bcdc03e97a119431061273f045a
SHA1 6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512 d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

MD5 0a41e63195a60814fe770be368b4992f
SHA1 d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA256 4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA512 1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 2eeeff61d87428ae7a2e651822adfdc4
SHA1 66f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA256 37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512 cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e7fb3c83b3a4c31ee12f532c73eb5f1e\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 c8d0cfd7ea5a3c89b127a1214af7da2f
SHA1 a9197cbf9a4f04be613fe16aeb21af32d6632dc4
SHA256 abcf9af541ac712e9d4286a35b994cb05b8bf4c378c36be9445d93bf513db04c
SHA512 ea56e262604b8f738e0d6939fc913a9794396c65ab1a35fd90465a47e01362cda07db114d784a5b43067740b1e6114b2bc22f697b8f3731b84f2d5de52a845e6

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\51e58dbf5e70549d04617590241cb006\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 b3a8f1065c57cc9def496466e7dfacf9
SHA1 253d075d2e521c2b8521fb7d9a33c99782e1ed52
SHA256 d553a81c59f88f15effacf15fbe1d4b8c9354f9f91398bbc40a7aca2114b9833
SHA512 4462f9671aea470d684a0d44d7cc2b785e507d1058c53489529a02d80fb6c2abc75fef61277470bd63c5dfae002114481877feac9b0ec4e5b7d923bc4ec9ae7b

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\68ba0d274b3a8bd4501efa5a30cb8618\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 7adbb9ae7659e6f21d455af44f13015f
SHA1 bd8fa944f1ff178c67ee8e5a6a17d8f5dc3b835d
SHA256 1a7ec88a129baa85bd981b3de44ab09ab61e72d34e3d23abd4d2c76a216947ea
SHA512 83bf828ddfeeb4bebe14fb8cee02b6e33d27c89129c936f29ffe9ec2e1c2993b70cbf0ddd58aad63b56ff43e82fd5433f14792f0721a6f23646d9849991bdda4

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\8d29f55a8d425a665b23b23e9a62a83b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 8e93a94d47939eb8c4c0f2ee1eb35eca
SHA1 ee9740bb44f7c67de67a4362e3108582b33d09c4
SHA256 3dd477b3fd9af489567b0e3985f9b26a562d6ddfac666819a8d8337e95901b6c
SHA512 fc7b4cc23bef4d8b2bd72e44eb81f61630735bf5c2f935eb4e18e2473c985682eb7c2d0c5b9e413fcf9b61aba559e1812a44688f8716772a205a81035f461047

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

MD5 10b5a285eafccdd35390bb49861657e7
SHA1 62c05a4380e68418463529298058f3d2de19660d
SHA256 5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA512 19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

MD5 1f394b5ca6924de6d9dbfb0e90ea50ef
SHA1 4e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA256 9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512 e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

MD5 929653b5b019b4555b25d55e6bf9987b
SHA1 993844805819ee445ff8136ee38c1aee70de3180
SHA256 2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512 effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

MD5 d9c0055c0c93a681947027f5282d5dcd
SHA1 9bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256 dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA512 5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

C:\Windows\Temp\Cab83EF.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Windows\Temp\Tar84DB.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

MD5 598a06ea8f1611a24f86bc0bef0f547e
SHA1 5a4401a54aa6cd5d8fd883702467879fb5823e37
SHA256 e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512
SHA512 774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

MD5 9958f23efa2a86f8195f11054f94189a
SHA1 78ec93b44569ea7ebce452765568da5c73511931
SHA256 3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6
SHA512 3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

MD5 0a4ed78b7995d94fa42379f84cd5f8e9
SHA1 90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b
SHA256 0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86
SHA512 86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

MD5 7835e60e560a49049ae728698da3d301
SHA1 87b357b1b3c9a2ad2f3b89b10a42af021ab76afe
SHA256 df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa
SHA512 b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

MD5 04a6857c04546270358d14398fde209e
SHA1 596a3e11ac6c303c679edfd6c30aa71e8eaf8a23
SHA256 8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285
SHA512 4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

MD5 adc5887e89bc56694a193d92898d3518
SHA1 267f14c45a86d50ad627c6cb00626049e9c1ee20
SHA256 edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b
SHA512 bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

MD5 aae5a97685a809d0a0f661f9319f8a12
SHA1 b5fdd4ec4cc057fccc868de4f4910be89e23e48a
SHA256 c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233
SHA512 d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6348aa5d2bd39c221a41286e95c18b97\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

MD5 0811b25e0449e04f782127bc6f8ac5e3
SHA1 dc1766e20ee338b12fa80e3ce0052ef97ddf9e20
SHA256 20d8234901a58ec8ec24f2ce7048ac9e1e7381e3eae10cfeb1e002001d2c8b6c
SHA512 a3a07aa4263175688019597b0829b090ad3b8ff43c554b8c89e16b48de86fddab4be6217bce24ccce9cad0c98df1240a7068c8b55778d836c34d5326cbd9c8a6

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74054b5793bfb8c8c0753b4d4aead8e3\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

MD5 b1aa17d171be82960213057ca35815a9
SHA1 6c68a8a2c524ddbe04395dfa613378bb311aa314
SHA256 c632156c276f9189d0f53addcc1043006d86188e3b74d9c4042ab2110b6cfd4e
SHA512 6f042aec9c74da86d15322d4300d93e4a9e69ad3555b302d42d7629dfa060209898b4569a380e9da1a785ddb53a6e0cc0f7543606f17ee467277990971c2fc1a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\daa561280ac1119d9c2694442212aaea\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

MD5 aefa28d036740086ae52d157f245200a
SHA1 d502f55fa76c3cdb69c8ab97321cd9b9a4b68e55
SHA256 75127c1e3a30e544413d7eb24fd726bacf8c3a3951ddba1fc990ad00a7f1cc49
SHA512 3943c099644525fc2b3a50f843cc1612a003d4f92a9187b2fcecaaf90b33071bced0db4608a91bb59c6bf5d1f6f4eb158881bf78cced0597b7bc3045d9b66ee3

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ad7d01564f0056d2476f6ae5d257356b\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

MD5 748bed51a810c033b91c660b5776ab95
SHA1 ec2616fb01949fb9fe4b0eea707f7095b69aa9e4
SHA256 45ee38adadeb1586532e8dd4baba14740ccb0801c2e21318c35268543e0ddef7
SHA512 dc0cce4c633b8e43d8f6d565fcfc73d79bfea375a79ae5057af6d3cc1b62f929e34c95bcfe2f7d378ec7f421fafdd9ab73cff454df0934e2d2f45a52580e9df0

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\36c5a9d83dfb1b6b1c0202fb505c9daf\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

MD5 78c5a493778f578ef5517fe161162819
SHA1 faf377bdc739623fb5f111d51af97e8c78f11525
SHA256 aa332098d4073a4c4a654d16ec5fd0b6e2b1f284890057e164204d756095dd93
SHA512 6a905ef75d2eb909cd30c3916110f6b41a849ff4ed9f4c19e4d5f85ccf05d9b9dd009b351003386778801909d2628ce4c6cd9b1a54e3a0cd1ab9c5496f35cf50

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\19c2b79f666960d7a242a04c5d76f114\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

MD5 4ec89a4e8fe1b5b9916ace8dbabc0418
SHA1 dafec0baada7f2fa425978a5816fe852053fb1fc
SHA256 6c4f0f9775fbaf81122cba659cdd5449974810c772d51e152fc20016211988e0
SHA512 648704c9808193a045035858b68f7e98981da8c1c98f07e04afacb1b181beeb0bf7df9f42a563636093aff05f01f0c7faacdde0561e9e8776e914611f9f43b34

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0817dd144bd1703a16af65cf81ef80e6\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

MD5 37c49cf471f7ad881127f9e38bed1a10
SHA1 473c3a7a28d138ccfff0d971a1ce9360ab990aba
SHA256 9ef88d67461f4d91de1e16fab938d5561db9d04898d8776f9e716fdd52f91369
SHA512 e88e5b3b41b5763ed7de4d3ef40ec77144252c30d8d67f5b387b905026bd856e9d70889ccf9f78b0c0a7b0298ca8afdbaed133675001dc60593c6fbc31e93c47

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b22777deb45f6aeebf6bc7753dd76eea\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

MD5 5c35887a0b76108f6fb6daac51256ef5
SHA1 3be6ece2f60d205bcb955a5da0aa182d83cc1899
SHA256 9f8de356dab305f2be5cf1f75934eb6b87072e1745ab5ee73ab4b319bb9a2b5a
SHA512 0d1d2e5dd3ec776fab85e8f3b8cde32718bbbb52463c2702a17336326570a2fd624b0e32fd98182bba8c25fdd57ba861edebc1f00cfa66c04ec1c8a6f10fcee3

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 01:19

Reported

2024-08-17 01:21

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe"

Signatures

Remcos

rat remcos

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\7b7b5dc726e8edb0.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1168 set thread context of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed7c3a8143f0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000416768143f0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000188e4d8143f0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1168 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3632 wrote to memory of 3868 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3632 wrote to memory of 3868 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3632 wrote to memory of 1564 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 3632 wrote to memory of 1564 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe

"C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 23.95.235.18:2557 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 22.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 18.235.95.23.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.143:80 przvgke.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 143.222.234.172.in-addr.arpa udp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 37.58.20.217.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
US 8.8.8.8:53 udp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 8.8.8.8:53 vcddkls.biz udp
US 172.234.222.138:80 fwiwk.biz tcp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 172.234.222.138:80 fwiwk.biz tcp
US 8.8.8.8:53 138.222.234.172.in-addr.arpa udp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 8.8.8.8:53 qaynky.biz udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
SG 13.251.16.150:80 qaynky.biz tcp

Files

memory/3948-0-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3948-1-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3948-2-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3948-4-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3948-5-0x0000000002FD0000-0x0000000003037000-memory.dmp

memory/3948-12-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3948-13-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3948-14-0x0000000002FD0000-0x0000000003037000-memory.dmp

C:\Windows\System32\alg.exe

MD5 a22d517bec4d461afd2a658d4be90d3c
SHA1 db46c3d3ea6c7c5b40ed8d4f83b0a864f4a02e51
SHA256 8d84bc80914b4f11e1a45125577c7631eb4f8782da753693fafa8dc44ebeaaea
SHA512 7258f0f63805316f430d259dbc3289d96a8c2a9e774cf67b003dda6f7fc201e521affc301ec2591f0d6a0568b5a1075d5bfbbfb6a7b6ff4ef7f47b7f22ad0431

memory/4960-27-0x0000000000500000-0x0000000000560000-memory.dmp

memory/1720-41-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/1720-40-0x0000000140000000-0x00000001401E8000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 953a564bfca7fd43f8e2a496bef75255
SHA1 7ca74f2c92887afcf23f9c6c75f41951444b8512
SHA256 50d406dfd3b62aee7b133ce9309915463947ba166b64cdf7aed9a53e3035189c
SHA512 bd39ab0f697f3c9ce214d6ca1b1131d630ed155f167fe0d131efd0bbff0c9feaea19fe9d7c8464cde90371999858d15e631c75e9c6db92cf3ac3ceadddd2e47d

memory/4560-51-0x0000000000460000-0x00000000004C0000-memory.dmp

memory/4560-65-0x0000000000460000-0x00000000004C0000-memory.dmp

memory/2992-75-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/4676-79-0x0000000001510000-0x0000000001570000-memory.dmp

memory/4676-91-0x0000000140000000-0x000000014020E000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 bf21054f09b8cd20425b6f3dee2cea64
SHA1 0c8cd037dadc4a72207ce16d2c542e983e09ed22
SHA256 01d9cbcb9abcf7b11f417a2596c54c4b649bcd25de04e6aba54b416cf0629c6e
SHA512 ea42b61011b93ac8a460091c4f555e6629d075e169c8ff54545ea487f572e644b16f63367c7601a8e0827d465e26e1dafc6ce103db0a6e42ed8914d9396bdb62

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 3c2c69a0d99cce9669fefd4bd8242e10
SHA1 1ee87018bdec7bc24b41cacb2b09d426d15236cd
SHA256 a66aa7790db0f17fbb1e146942767cdfb11b1651cdd9fd74569bb77e5c2db351
SHA512 c8fe3862a32e42ef2b5aaa71125212d4bab9d728456d397307ee3aedc0018f44a94237dd42e02747574bf5149d4816f921910e8e516d111d3dd424485b92754b

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 5a1af5b2f80922dbf7b096d71b00b34b
SHA1 209fad969da916b12795dc606f37d6175a8abafe
SHA256 097133ed6b26c16ed24858d0a50e8007f889b9591a9bf2bcf19bcb2c5cb855fa
SHA512 9322ee19e4b859e3ecd431a1e07aeb21fea8501e04161d1b2835889fa92d4e58c9feb23348f15cd570b3a84031dcdeb5e79379a9b2b78158fbe2ff006c73712b

C:\Windows\System32\Locator.exe

MD5 575536fadee95dc39d41de1c324fe695
SHA1 0cfa8e237512bf2b2707605cb83eb1681b40de68
SHA256 3f8a502457e0deda2e54e1f92455ab85dadf768bcf94157be417804edbe11de2
SHA512 f10acbdeaa9dd41465a183b492f282439853b80e18dd2060bec20970d2d730a6fa1ece962d0ce3f4e9a255309f94e9d1a3983b0350436330a72efa9378934a94

C:\Windows\System32\SensorDataService.exe

MD5 0ef24df6972f1178bda4d598c65fca8a
SHA1 5afaf46bf101740254658c7ae05d910d8be9d57e
SHA256 97d754e855466fc8552de219c701067692aab592c7c87ecd1778e11d54955f0e
SHA512 237fa65eb1c334b7d84aad4bfaa860dd882b05b0e3569ed647fcbdb4b22d4a8c841dbdebb3f29597117dd765072f27ce1d10b7d8abbef938394a2258091cf52c

C:\Windows\System32\Spectrum.exe

MD5 40001e92529f5c9b495f1e15c23ce62b
SHA1 bf9143bc0622ae7320161e2829aefee899da8bb9
SHA256 07e58e788724f994b294772a8a990f5d4d1f3c2f30bc7e7f1cc17c96683f1bfa
SHA512 2980ee398ec00e0a24b23d3e998f30ecd5dfdae4a17aa601ad7f0bd3e3fd753014a8d62ba1e959897e6fa51c37f185756b2f1fe746fa82b51e049e72de8aec07

C:\Windows\System32\snmptrap.exe

MD5 d5518e4f89e6125a4903fe4906347cd4
SHA1 eef67fbde04f0cc9943c1f480f8f1a6b0aafb3cb
SHA256 299f727012d5efbdabeb62dfe6b6e0e8bf982b206532dfe2cdac32ac814efd1e
SHA512 9f76c0af92e891aa246baa35be4916109726065b0c5739a4634ab4cc5361668a06c8500276dd09f9a7d26eb38342af41c3cf7b08a23c1b85be709e07404432b2

C:\Windows\System32\AgentService.exe

MD5 ba90f27ce144232d560bd02fcd4d21e1
SHA1 2c103f02ed7ecbc947f6fed6d9cea66b675e017b
SHA256 8309cb4c7438c8cf8cf9d6696902470bd8a03e7d073b2207c9f276bfa158832b
SHA512 04b04a829bd7f535c2dc75694f2a1784611452a7480ff98962fa4686fbc8d8b40df2c5e16cb994a562e16fc2e2c6ef8ad882ec79d6719031e97770e089d9716e

memory/4920-205-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 c86d576c5cdcf6e81b6afde7fd9885db
SHA1 f571e3640491a90bc0d854f2e227e852f0b17712
SHA256 55a80a4cea8d1a1a8d355b265a9d58af4663fc474d59f882815b75ab6f1c251b
SHA512 5c4cfc8fcb50dd389a46173f9433ca50270238ca0a11a5b15d9572ac359dc0e93bc34dcc5bf5f1c0550e2c9945bb632a84508ac601d403d6b45bf98c5966a8c3

C:\Windows\System32\wbengine.exe

MD5 8d5eb4a18c13482803bd47e21614f4e1
SHA1 7763684cf8938bcfbaea963279e0f65426340474
SHA256 f344a0cc5596c409bf44bf953732fae341f595d55f0f09a18d11c5bf5638fcbc
SHA512 632bc542832a232ab567d238a27b4c864dd5cfd54c42db961eac2c16723b839ddadac13c6c0fe6990d5e4b8487633e4f0ab37ea675eb8b2051ec9254fc52464c

C:\Windows\System32\SearchIndexer.exe

MD5 256b05848242ae993ca1a8e38a3bbd77
SHA1 552bd7c0fe3a34f95cfdb3d591f1bcd3d4f9e072
SHA256 130cc6362e4fd3733d7702a7e1de9daacb979b842645c2684f8e2c8d31462455
SHA512 8ceb9711f9ed88e0fd8f1ddb74346d60b397a5ee5815c57d6be0693b1d006ab6e21a44d28e810528b7b0b466327f3d0c41b9014e1c7f1dad008077598bf7f808

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 fe0ef5878d56d776fcb2a73bffe77ec5
SHA1 16b7dce3c0f8c0222c699c734bdadcc220bf9028
SHA256 f467a4d8da0415214d525adf63e340c05fc7631c0ce516e7f823de349b68a154
SHA512 533db0db4d94c8d5e9eee5be05bcd01b094c14ea099bf995a6f6b260b65328f3095b4ff113a8cbdaf18bd140d1a41c94c96536876f368a9a5d78feebc215a267

C:\Windows\System32\VSSVC.exe

MD5 b881c1fa137ab70e7b7bd9575d342f0d
SHA1 77d7ff2262cfb90411eab9ea84717c3870abb167
SHA256 bc17fd4bdbe26899b820593e83140a71e11b9fc191f16d6a31709ab6df1e57aa
SHA512 a44dfe8a66917096266b653fee1a509e905401bd17e6715e99a7ff0ae086418ccead90ac3016178a8b6ac893a580bba7629ae84d5835a6f58b79b8bab4eb785e

C:\Windows\System32\TieringEngineService.exe

MD5 8336f43fc71b7d3a64a807c454b18d09
SHA1 763dded0099eb0be8b4cd7d82100185527973e4d
SHA256 670ac233e2f9079ed591cb38dd47e0e31671c97c54a78cb00b0b22bbfd98ec69
SHA512 96d939cef391f46767e02880ab4934bf662428fecfe9f0288addfb69226b2cae076e20a9187361dd177d2d65d8903d56d68cbc70a068bb33234286380ab19a2a

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 51e9971b8c46524275a0406860ef901f
SHA1 36ec61e5bbfb646fbdbaa06794ebfc62eb6ae209
SHA256 1cc0772d60d99f65be8681b33c24596588c1463890695f0cf4048969e40fed9d
SHA512 8ce0a335d701648ec308a433b395f4bbbe3eb7dc44afbe10bceb5302bf2dec4b0ad01a9139f8630110b2351f01996cf323f6a61758a06306eb09c7613b7b5f6b

memory/1276-301-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/3532-304-0x0000000140000000-0x00000001401D5000-memory.dmp

memory/3356-306-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2512-303-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3800-310-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2680-312-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3632-315-0x0000000140000000-0x0000000140179000-memory.dmp

memory/4024-314-0x0000000140000000-0x0000000140205000-memory.dmp

memory/4348-317-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/5048-311-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3372-309-0x0000000140000000-0x0000000140221000-memory.dmp

memory/404-308-0x0000000140000000-0x0000000140241000-memory.dmp

memory/5104-302-0x0000000140000000-0x00000001401D4000-memory.dmp

memory/4468-300-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/3516-299-0x0000000140000000-0x000000014020E000-memory.dmp

memory/2992-298-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 0b7c79bec46a6bb2dcd40128ed19f52d
SHA1 dbc4bf2b309bdfd2d8e7dfde04a16cbb56ae15a3
SHA256 9dc224a53469cd4e9cfbf337c04340e0590375f0e2a2b74acaf533602cf7f23f
SHA512 2e79b9e20d87ee955c7cde535c947bcfd4f93087c07b58c182b65966082fb55c12e07cc78faa8b249212ec414c7a515bb9aa1958f2b41d88a5aa8949b9151c06

memory/4676-85-0x0000000001510000-0x0000000001570000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 16a9a2ba2b3201c16b5303e3f28d14ce
SHA1 6bbe8e9ffe43de9a0d605bb41e900832c3589dbc
SHA256 0c1b2de2bbe104bf61e58dcf7c94ff23b7ca7039dcba445ac21615892d608f2a
SHA512 4819bfdd7415043d29312fff4447916351aa08c2b9044375a2d451dcb16597e4bce174f389e002591447aee31ed93dfac834301b43e327de9e69bebe0c21a88a

memory/2992-69-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 6b8ac16ee2095a4795518eb30a3dca28
SHA1 c1201e1a8235f9eaef35e13a74b0ee8b642db4a6
SHA256 83d9648c7acab869c39d6de2f8a3455b318a9f9454eb0e47b88dc80568e5b24d
SHA512 55901089d401bc348f4b23799a38212dfd24726e2c6820ff9c79640b0cbe22ff18e930ba6f1283ab7cb6493bd829ef9c525b4c4de84ce483a6498e3cc9183301

memory/4560-67-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4680-63-0x0000000140000000-0x0000000140234000-memory.dmp

memory/4680-61-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/4680-55-0x0000000000440000-0x00000000004A0000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 9a272f549e1225ec192081f1245e3e07
SHA1 fc28060049b053c8fb46af1551c3f1406bafec5f
SHA256 8079edb1561618197193b048ff02eaf45214b3b3d74af8fe6ffb1b8e2a7bac70
SHA512 f8a1d185d767ed40ea1b03c5784379077f3d3bfae3dc088d67d3d53b139e7883e3774ba25a47ba909de0b9ccdc832e475edd0850f8fce7d9cf3143fca4534c4f

memory/4560-45-0x0000000000460000-0x00000000004C0000-memory.dmp

memory/4560-44-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1720-32-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 48f7165450e02efb70e613c0ed8e8251
SHA1 fa12772f4ad61366255861f4279b2542cb9bbc72
SHA256 5f6ae6005b6214e490924d4c63a4201b522a12c7249dbd36057f0664950e0b81
SHA512 82d93a7e50c8ba23ec80b599e34e90c6155ebaa73d33bbf3fb87ee1b2357ea0489e6f1b9cec72df1c6c52ade786c075a918a0db6cee8975bb42282c4f7e681e2

memory/4960-26-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/4960-18-0x0000000000500000-0x0000000000560000-memory.dmp

memory/4960-429-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/2512-471-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4680-504-0x0000000140000000-0x0000000140234000-memory.dmp

memory/2992-505-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4024-656-0x0000000140000000-0x0000000140205000-memory.dmp

memory/3632-667-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 55ad6089e46d860bf56850fe9f670080
SHA1 e62847110dd9ae41269e09fe3772cbd3be34e1e2
SHA256 bb439ad5a1488d8c3870c27bf2b376b0d3aa8924811e051bc51a407716b2ebbb
SHA512 ce613914de63075f451ce746a302099a2f8196ac6b8359f2505fe4b3b97cef114494bb5de7e7072c36a934342b0c471cdf6e46605d4a2817b6adc3ddd501b5b8

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 039cc46863d32a80bb353835c7de98df
SHA1 1503b62ed8a00b5a166777dfdf6f70f8b448cd15
SHA256 470328759b3053f6746543e05cdd5ddf1601cb5346f00451fc54498d2bc19214
SHA512 c38c83576577acffd491547215ed7cfbd5eeb43f8f3310930dd59a35ec9f5ef6da7b41c040c07f494308c5bd7d34f09adfd9c19758b36a5e5d52038fb52a1c13

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 bb2d6fdb0aae5b6eec18378f61d9adf7
SHA1 cceafb48a2d6fc7540ae3037b86d0a8177d7fefe
SHA256 bd48d61dc7ae95d77b58dd9c3f81d3f34b8191f4196e63bf967f02bec14da0f7
SHA512 c45186e8db66571d8cc8b75dbd1b7fa34250ed8a7ab4d9f58e12ffb447d1d8fc0a2839cfa0a92954f0e3878d650b241b314bd0d42fdf9fabb89e9f3230f1f8e5

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 b17ebdba41298809f3654102a338343a
SHA1 7daa9b8b8ef872d47ace3d49e3abb6b63d3b4dd1
SHA256 979e5fd27a97b0b081d1d007fb1a34d3e6111a6c694c74844f8164e0910c9d04
SHA512 8dba9c270a274a228cb2aa8c169ab4010e9663a152c9907fade40e009cf3a3f9c6028378f607ba53d359e91066284a971917e1c7fe04814832a8fec50cefa5f1

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 10bc4f215623d929952d520341b445bf
SHA1 5f5755d7012101850c3737e3a40a3b5b254ae114
SHA256 071db5149009bc5d33b3172726a442280f825d3d147931b614e94606ea23f1eb
SHA512 594a365749982879e6b0d5a56c96a5d261e4294b22b7c6483b85d0c30ba45257145f4ac8a065709ac7bb42d5b9d22f745fef463acb68e5fec82ce3f79079777c

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 00bf9bdeff7f45477ae7b022d9e4914a
SHA1 078f3191a7922ab1c28e64e2c01fe1a7aba66353
SHA256 9ccc9fe563508357f51cd55dd10842d0babbdaf130e08b5a750f4b9d651c38cd
SHA512 55fd6f5c6c144102441621ff491503ccf9d0af33d331b733aaa351cf9bb36c01c98739cf63b55284744516354ca255ae8c1e40a6b94e8ab26d04f7fdf96f1123

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 7eeb7e1e6c7e678e642c8ddcdc1bd010
SHA1 3e39a71abd62763d0b123602b9e31f1f69d1529f
SHA256 cc947a026ba3eaa736d20ce0b2a6466920ad141e4ce6a965fa1aa66ed2e32ac9
SHA512 d890c61be45ca4aac6312c3701dffec097668f26d27ef3fc6cf6605a243fdcb78924d4f0ca923c3d2dc962913c1ce77268baded6e48daed015ad113fcc054458

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 51ff7e2d6fe4b9d27c8c22c0a9a8df88
SHA1 2a0958093dd2001c8913c5aa265a6fc5c2c2fabe
SHA256 fb4de9851d9fc491bd8c8b37dea4ff4e38d9d7278f45d557a49d90e8c1522d69
SHA512 bfcd062df25960066e13520b400e4a10e64da4bb056aed92b7b0094e153d2b21e48135081ea21a939bd073fcec3fdef7ad9839b9047ad000ce888bb274446267

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 705975d5151d94faf7c24152145c3dfe
SHA1 a822f40a6c44d46ce2958cd68dcacf65c4517f10
SHA256 ede7647f544bac06be96719f6a40949f9e8ba9b3c32c10b2ec289b9661c2e3cf
SHA512 76f8043ad2bab350dffb44ed81b84d3c3c86d1cbcc1641abaa27dbdd09999a45ce4e62069cc52747646016b66a32fc3c14dfac4f3709d6dae5b1e178ad4734ba

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 411c401882e4dbcc31660c94d8adb21e
SHA1 cfc9ba23f3f5c4bd0b25c75355bc415bc0fd5b0b
SHA256 dae3167be53c1e0269917a3c9a7ff4a906f874d5a9f4349f8b2606734d60c12b
SHA512 a0d35325d5dd127403453e454dd5ac45a8bc0124d940e42fa34c065fefc3bb33a8d5378f1bdc8b07d8ad126ee782e983d48240762c76c900fda4eb7e6c47af01

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 1f4eea04cec18b2e4a2c3d03cd3fa454
SHA1 b66dc95296893caef66c7212f71094d434815cbf
SHA256 c2625fe853533b8f65b560e3d6f2f7c3b3b3577f41b765ebb4db0fe299f74210
SHA512 28e78b97a0ff6d2bc9f372292bfc7c77cc2f6d97f9f904e666f79c09c281c8c2ba6a2a65cdded136e4581006244099c3206f4f5820a791b85e16d76e57f10d1f

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 b77e69bc1bf9776d7543687a32dfa972
SHA1 442bf19e05c22d5f612b363c111138003b0b35a1
SHA256 95439a9726623a5f8ac9ede900a00f2ed4014038f8123eb8d6a9e6897403e89f
SHA512 d1c09435b3ee0e0a85acf57700778e87641a6ba04ee565d63053b388dffdd0dec9123bffa896bc21a63e43b1f708e328fd47aebd3e6b3623f7b2e13ea23189ba

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 b4230e29b044cbeb294aa6492aa3904e
SHA1 7fb8244395b023a1017944610dfcc393f6d7ebc7
SHA256 b594dfc94893d85372a744c0b9fc1bd3b6fdca563830414fbe3330cab2a2750d
SHA512 f21d0cf3c86eeaf8047ac14bef683495b2034d122ad6d5f50477c464321a8ff1285fe4062fecc3452973f58b0052308294f2d649b97b867e0ad09efb5eda7ce6

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 16c143c5c847e6cdff21c863406fb843
SHA1 bcd0fb5a9a2cdacf74e79d5f0bdfc199af14ad0f
SHA256 a69ad2ed814e18dcf6e8ac43eda030b11742ac7b305735017999061ce68e4320
SHA512 adece14d180b46cecb548cdefbaf3fe28119c3aa0a906dac5daff09fdfcb9fa0ba0e1591527930a9ecf7eb4a4c9486783661fcc786059b1e76b0778c4ef79588

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 e437c45e23319fbc9c3c7c898376b3ac
SHA1 25559ae5936d8e9b895485650d6c9a4218af41e3
SHA256 cd90179e768d869ac65b28e7db0c1acfd5ab3945bd8c546dee10dc679487acfe
SHA512 78cf0c96e17049473b0922636e590e678d744d70a7b8d2c22809e9d333df4a9c06b23ac83d0f79551b40a6a499f0929527bdb8141d05524706cddf8921c55c7f

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 cfa87a19726685456fd8c8c978dc7268
SHA1 a12b04c567984c2acf88e7b95a7796c43f9c7639
SHA256 c99d41f25f28a5d7971cd334034c1e773cdc137ace63f13b17a31bd5d9d9374c
SHA512 9ebebec254a865c234970710165c722857e026f41404745aff950ccaf94179d99d75f61201495cd6f6bd1515080d17148e1d19f9ac216df19acf300133aba6ab

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 fafff1b69867072107be4994d7abe6dd
SHA1 3962471b2a08bef8c0e2efbcf5a552703ed5236d
SHA256 2d39ad6c5cd432bbffde86cd2ad4217518e63725cad197b7f9e37b196f996010
SHA512 a519935724478c59ca5287e8440d4744813266d4f98c7375327e44a08caf7d02887a29e9caab73d4306432c43852dca4db52863d0eca63eb33de8bde3079574d

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 2ae970bf45e3d500142cdd3fd415c4c7
SHA1 442b4585e61bbf2ab1ccb576399f1e98ce432267
SHA256 6e62f6abf37347820034ccdceaf5a8e5313af9447b47b74e5db5f50cb9ee0afe
SHA512 82c4be2715c1235409d167e5c7041ada1e07046d370654f756fb151bda41c93f154dfa2737abc829adcec1257e16cce8d671169e886cf0b06a6d400a9f1a7170

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

MD5 6006e7ab38648d43a863622c158d3f15
SHA1 9cfad8ccb54e3a300fe9de7666405e5c822f61d4
SHA256 5bb0dceb8cc75ed51b024f1a36ffdccf83958ea8ef933c0cb332541094673dfe
SHA512 cf8544105883ee0276fecb4c1cddb54a2a8f6955cc3c357f502bd2c9bd36c0440e4aaa5c0874f04ad643f6f72444120f19756ba0ebc24a6d48e3f9dc8e4b8ceb

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

MD5 334fbcffec83b96f6b58e3c20140cc48
SHA1 52ad79133c9695d69b692b3d3f3e810c9f46fc72
SHA256 386ae99016ba24753298f5e2fcd3344b489fde8effb1a96b7721ff19839bb5db
SHA512 3a3778438e06fedf2b601c6826e894db0aa687b915e44e51747f060dbd93393231dd58c82f8c5f4d7999cb2f04b5019e7bd09f70e435804bc7002091f9c30c9d

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

MD5 ecdee961c3eca861f795bc5e1dd03c57
SHA1 8a3ad2833064c5114ab1f310ad9266e54c2a5773
SHA256 677ed199d1915f408e7dfc2053ca3db20ced2de81235f70732f8de2c970ea5e1
SHA512 cd2a99fe9c996557d83b8f1b94d47343687ceca45c1f31713eb05c2c1b9a3d0ecf5a3ce4c9cc58dc5ef932dec2a6be70e4affc97d05708df9b60de06bc017ea6

C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

MD5 ce0123db7268986cb15a93cd716432e3
SHA1 55cf2b67729052478f27e3aebd024028d879fa58
SHA256 5623ffbfaf7fb58bff7eff9087140767436aeda4fc2e044fd55539d795e1bb81
SHA512 bd1cf30fd4dec5bcfc5e263394c54306aff6459db0b3bc0dae4e65347a1158e525bda5c0c53cdf224eebe16b85403d82c4c01ee85c3126a04328f149c5772264

C:\Program Files\dotnet\dotnet.exe

MD5 806354c8f78a298f6b3ff92330ec85c8
SHA1 b9f519c9d82d416538854ef8edeefac9189356bf
SHA256 afdb6cfe1ae64c20bf1984c5b10e8d8207a9f56d416579f1fc03a6f8a134166c
SHA512 1278fa474c50a756bf8b3f41dd5bbdb048fb0721b91e01dc6a0b9c5209395d4eb6a8fe484746e8b3150e593574bbb626f1ecd96835505e9f687265b2ae671ee7

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 b0b7c48a4cc55bb4421841d916e9c2ce
SHA1 68b4920058242fee524d9947d0a2df85bacf8001
SHA256 06da2dd6499211b018ecd189114822bdcde4ce0f4b9c366669dd273cd7a51844
SHA512 ce438226875d289d5061a783db8d2301b045ad6210af13f67e9b975d494a019b40c137523e964f2f6986ad79515c3285ee33c5ecc418582e7fb028cb5d871941

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 845cfa6958c07006a3d0cb755147342b
SHA1 5b0f8db1156bfc03dafc42ea72d5a4cabc2c4a4e
SHA256 5290ca7f965acb5f786c3cd9b5e4d24d16379ff05a56add48d2422edc9f90a0b
SHA512 0637fe361650de81c6bae7e597db6991edbd974a0aaf8490c8d3724518865eda78564aa5196942d1f9ce72c9ac176e6695f4368c657d6606094395491d14ccd6

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 bab1f5c5e493b8fc79650f27441e1f75
SHA1 83108446677f0b7159515a34de18070b1ec36f77
SHA256 2bf0bd2c4c788969bc5eafda3f01cc1d0f8e66728c247e3b9527e455082066fd
SHA512 9c1b5ea8910efc089e8d515168379f075e13b7f83fe2b9b6bebd58dc7a3cd0d1224a56997399917a5f5d73b81080a82c759e265f3bd41f45f71c828ecac06715

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 91ade0b43f5a1c7026f9b1369796b174
SHA1 02d264a349d92c3ba8422660a6085ab8fff1ba5b
SHA256 a257b44827c0b691fab07ace8dac9aa7a65631e89582cc243d71e727c76b0a38
SHA512 ace89d55c5cd53b8d6c309e8a9d23fbc43e8dca5073ff3616f0fcb0a5948d0b917510d295491dda7c8073978b3be0a81fc587ae09d04f5fa381c9cc31a30ca93

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 9be03d6a0a05ede3568496a15d012770
SHA1 f27ffd5c9fcbe4ca2baf590318f489ffdee9352f
SHA256 35585547367d3d62378792b7cc62e58db038041970474226491a0f94b92914ae
SHA512 7a57c1f245a13b523abb41711d42b91734d8af0ad7587c0eb40666964b588beb80f23d811444ced16e9a3841febf2fca9c02ab28c9926058ee4af355347c836a

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 d63b6d2b7648e5bb323ae244436fd8f1
SHA1 a20f065b2d5e7acc4d4122f4b6f4df27e45a6fc7
SHA256 032bdf5c23e6517fdd6802d52aa6c3771daf8101db73ab0c9145a498106a3e19
SHA512 1a5e0f96d27c50a56b72dd24175a200acde10e24a98bf96fb935a08371d1c860367b0cc7a2ce680c59e2f09013a3713391d5a93d33ef36460e84f9fd31dd36d9

C:\Program Files\7-Zip\Uninstall.exe

MD5 6ca4d20f8358e0c271228ab86a95d448
SHA1 29345f6c984ddd3e90ec28622983dfef175260df
SHA256 2329b66a3d132f72b943c3e160531fbf878a5994ed2413a9dd6d01b986466c60
SHA512 51f2c6704dc8630f38cf42f96caebf39272b70d237c84e9e6d9ffe9cd916b8b009d82de3067e60b434923660a2b1ccb98cefcf3a839cdbcfc0ef86c6c88202b7

C:\Program Files\7-Zip\7zG.exe

MD5 7f3d0150e8b0ca93b621db083b0ccdaa
SHA1 9325f22353c93cd05d7217a90d7f96fc9191fd76
SHA256 ef6ae45a53d3977871be13c0a8c791cf89fd130e1b4e228b4babc23f4d7dff0a
SHA512 4486dfb3207f1bf0bd5560f5c5b3e871e94ef908bff75743489008e175f9d08262712f0aeff7234a2e7230738a578bbed38318790960f3623d676f7dbead53da

C:\Program Files\7-Zip\7zFM.exe

MD5 bf58a4f7cf046cc6446a89cafbb79b93
SHA1 7ede1896f2c8cb464b255ab81257406c267e94c0
SHA256 a682c87991cfdb9472a14e193dce79c34eeaa0dbadd5f6e0ce459b2e5e0dd567
SHA512 a778b27dff46494800155e4abb5b5f7b1aa82e72d76406a19ce4e0266aad1d1a8a1bf07af0836dc0930f8768f084de3afab473f0279234c1be3d55c4264d455b

C:\Program Files\7-Zip\7z.exe

MD5 b6b2366b2c3dcbc378db7c86bd0ad5e7
SHA1 28d33c1848989ef3653b6e2de36a4cd5a4875db9
SHA256 1562a8567af546ae141f40899a8fd0fd123746b6246cd67d1da864aa5340a443
SHA512 b86e880b0c7446b35cac0609566af6e7ec04aca188b361340580733a481d2724f3f2045d4bc31addf61335d1a462d7f73eaf5caca35c81bebb99c3a309b2aec5

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 f5a5b1c87097949e90e325643a21f758
SHA1 e6f60352f848af73b7c8206276d0b66998094702
SHA256 009cace8fd086033690dd8c83e5fbf41182c472f7b7bdb90f9ea9fd27cba57c9
SHA512 cc9cb832ecd86e4e64a4a85554b6dc1a901304eec36bec70b7142b730ec03958b38bee4d2efb05a082857cd7ca23a8993fb36984b7a346995d2f6a423d4b33dc

C:\Windows\system32\SgrmBroker.exe

MD5 31182e6900a11947d717540632a6078b
SHA1 bd2ef67dd8b20f460296c99b6abb69b4c47d644d
SHA256 bb367ea00a65b1486a9c204ff4a895fd23db1a5d2cc68cd40e24973989673494
SHA512 66608ada80dbecdc018761b84a963afda3a3ffee2725f6cd8639dbdeff4abd27f7eda968b92934b806a9ff6dc838237b5bb0f5f648230e2dfe9d37a9880795de

C:\Windows\system32\msiexec.exe

MD5 342010d4c9f855412f039ddbf52922c7
SHA1 ad134c78345ded5888d4fc108fc7cf5f81d02b36
SHA256 7b2593cff73cc0f3d5a52194a57cbd37e0ab9630655d00a19a3972bf666a778b
SHA512 dd97ed0510e984ccb3de441b2989fe03808fc943358b1cb55516667b13661844adecb2a415cd4cb5ff9b22342de3970e0c61b6ab01e2c8652aa5bea3724d5ca2

C:\Windows\system32\AppVClient.exe

MD5 9117c9776c49ead9d27ea7976f41be04
SHA1 b08e8a92205a7ba9ab609f96b8641df1550484c6
SHA256 371a34a456418eb2d14c501712758b33d4fde36e24b1c70fc7e3b64652135a67
SHA512 0059d32f075c1dbb25ba7da9ebc8e42ae9f352036b80de193aea87fe4d7cad7f6f914b341d61846f7ca438559f82650ddf0005dbadaae99c6bff1680701fc846