Analysis Overview
SHA256
d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24
Threat Level: Shows suspicious behavior
The file d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Uses Volume Shadow Copy WMI provider
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:11
Reported
2024-10-25 21:13
Platform
win7-20240708-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP98F5.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9DD5.tmp\Microsoft.Office.Tools.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC571.tmp\Microsoft.Office.Tools.Word.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index151.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE12B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA1BB.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE678.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5FF.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index154.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC34F.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9CDB.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe
"C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 250 -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1ec -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 26c -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 1d0 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 1d4 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 274 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d4 -NGENProcess 24c -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 290 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 298 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 274 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 28c -NGENProcess 2a8 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 290 -Pipe 1d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1f4 -NGENProcess 24c -Pipe 214 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 238 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 244 -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e4 -NGENProcess 24c -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 218 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 24c -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1c0 -NGENProcess 218 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 29c -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1c0 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 254 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 268 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f4 -NGENProcess 28c -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 218 -NGENProcess 28c -Pipe 1c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2ac -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a0 -NGENProcess 2b4 -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 268 -NGENProcess 28c -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 1f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b4 -NGENProcess 268 -Pipe 2b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 2a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b0 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2cc -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 268 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 268 -NGENProcess 2d0 -Pipe 218 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 2d8 -Pipe 2b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2d8 -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e4 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d0 -NGENProcess 264 -Pipe 2e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d0 -NGENProcess 2e8 -Pipe 2dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2ac -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2f0 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2fc -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e8 -Pipe 2c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e8 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 300 -NGENProcess 310 -Pipe 30c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 2fc -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2ac -Pipe 304 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2ac -Pipe 2e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 31c -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 300 -NGENProcess 2ac -Pipe 314 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 330 -NGENProcess 328 -Pipe 300 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 328 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 318 -NGENProcess 324 -Pipe 2ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 33c -NGENProcess 334 -Pipe 340 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 32c -NGENProcess 2fc -Pipe 31c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 344 -NGENProcess 324 -Pipe 310 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 334 -Pipe 2ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 32c -Pipe 33c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 328 -NGENProcess 334 -Pipe 318 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2fc -NGENProcess 344 -Pipe 358 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 330 -NGENProcess 354 -Pipe 350 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 35c -NGENProcess 334 -Pipe 324 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 334 -NGENProcess 328 -Pipe 364 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 348 -NGENProcess 360 -Pipe 34c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 368 -NGENProcess 330 -Pipe 32c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 328 -Pipe 344 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 360 -Pipe 2fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 330 -Pipe 35c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 328 -Pipe 334 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 328 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 370 -NGENProcess 330 -Pipe 384 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 380 -Pipe 36c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 328 -NGENProcess 38c -Pipe 370 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 354 -NGENProcess 380 -Pipe 360 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 388 -NGENProcess 394 -Pipe 328 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 348 -NGENProcess 380 -Pipe 374 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 398 -NGENProcess 354 -Pipe 330 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 394 -Pipe 378 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 394 -NGENProcess 348 -Pipe 380 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a4 -NGENProcess 354 -Pipe 390 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 354 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3ac -NGENProcess 348 -Pipe 398 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 348 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 394 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3ac -Pipe 368 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b4 -NGENProcess 3c0 -Pipe 3b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 354 -NGENProcess 3ac -Pipe 38c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3c4 -NGENProcess 388 -Pipe 3a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c8 -NGENProcess 3b4 -Pipe 3c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 39c -NGENProcess 388 -Pipe 3bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3d0 -NGENProcess 354 -Pipe 348 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3b4 -Pipe 3cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 39c -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3c0 -NGENProcess 3b4 -Pipe 3b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3e0 -NGENProcess 3d4 -Pipe 3ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3d4 -NGENProcess 3d8 -Pipe 3e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 39c -NGENProcess 3ec -Pipe 3e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 388 -NGENProcess 3d8 -Pipe 354 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3c8 -NGENProcess 3f4 -Pipe 39c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3f4 -NGENProcess 3e4 -Pipe 3f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3dc -NGENProcess 3b4 -Pipe 3c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3d4 -NGENProcess 3f0 -Pipe 404 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3ec -NGENProcess 3fc -Pipe 3d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 408 -NGENProcess 3b4 -Pipe 388 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3f0 -Pipe 3c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 408 -NGENProcess 3d4 -Pipe 3fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3f4 -NGENProcess 410 -Pipe 3dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 410 -NGENProcess 40c -Pipe 3f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 41c -NGENProcess 3d4 -Pipe 3ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 418 -Pipe 414 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 40c -Pipe 408 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3d4 -Pipe 3e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 418 -Pipe 3f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 418 -NGENProcess 424 -Pipe 40c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 434 -NGENProcess 3d4 -Pipe 41c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 3d4 -NGENProcess 42c -Pipe 430 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 43c -NGENProcess 424 -Pipe 428 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 438 -Pipe 410 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 42c -Pipe 418 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 43c -NGENProcess 42c -Pipe 424 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 44c -NGENProcess 438 -Pipe 434 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 438 -NGENProcess 444 -Pipe 448 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 454 -NGENProcess 42c -Pipe 440 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 450 -Pipe 420 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 450 -NGENProcess 438 -Pipe 444 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 438 -NGENProcess 450 -Pipe 460 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 450 -NGENProcess 42c -Pipe 45c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 468 -NGENProcess 3d4 -Pipe 454 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 464 -Pipe 43c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 42c -Pipe 458 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 474 -NGENProcess 3d4 -Pipe 44c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 3d4 -NGENProcess 46c -Pipe 464 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 3d4 -NGENProcess 474 -Pipe 42c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 450 -NGENProcess 46c -Pipe 468 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 484 -NGENProcess 438 -Pipe 3b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 474 -Pipe 480 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 450 -NGENProcess 490 -Pipe 484 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 470 -NGENProcess 474 -Pipe 47c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 494 -NGENProcess 48c -Pipe 470 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 48c -NGENProcess 488 -Pipe 474 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 49c -NGENProcess 3d4 -Pipe 478 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 438 -NGENProcess 488 -Pipe 498 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 450 -NGENProcess 494 -Pipe 4a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 490 -NGENProcess 4a4 -Pipe 4a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 4ac -NGENProcess 488 -Pipe 46c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4b0 -NGENProcess 494 -Pipe 48c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 4a4 -Pipe 49c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 488 -Pipe 438 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4b0 -NGENProcess 4c0 -Pipe 4b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 450 -NGENProcess 488 -Pipe 490 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 4c4 -NGENProcess 4b8 -Pipe 3d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 4c0 -Pipe 4ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 488 -Pipe 494 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4d0 -NGENProcess 4b8 -Pipe 4bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4d4 -NGENProcess 4c0 -Pipe 4b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4d8 -NGENProcess 488 -Pipe 450 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 4b8 -Pipe 4c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e0 -NGENProcess 4c0 -Pipe 4c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4e4 -NGENProcess 488 -Pipe 4cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 4b8 -Pipe 4d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 4c0 -Pipe 4d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 488 -Pipe 4d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4f4 -NGENProcess 4e8 -Pipe 4f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4dc -NGENProcess 488 -Pipe 4e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4fc -NGENProcess 4ec -Pipe 4a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 4e8 -Pipe 4f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 504 -NGENProcess 488 -Pipe 4b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 4ec -Pipe 4e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 500 -NGENProcess 510 -Pipe 504 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 4f4 -NGENProcess 4ec -Pipe 4dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 514 -NGENProcess 508 -Pipe 4c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 510 -Pipe 4fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 4ec -Pipe 4e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 508 -Pipe 50c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 510 -Pipe 500 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 4ec -Pipe 4f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 508 -Pipe 514 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 510 -Pipe 518 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 4ec -Pipe 51c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 538 -NGENProcess 508 -Pipe 520 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 53c -NGENProcess 510 -Pipe 524 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 540 -NGENProcess 4ec -Pipe 528 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 544 -NGENProcess 508 -Pipe 52c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 548 -NGENProcess 510 -Pipe 530 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 510 -NGENProcess 53c -Pipe 550 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 534 -NGENProcess 54c -Pipe 538 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 554 -NGENProcess 544 -Pipe 488 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 558 -NGENProcess 53c -Pipe 4ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 510 -NGENProcess 54c -Pipe 560 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 540 -NGENProcess 55c -Pipe 548 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 564 -NGENProcess 53c -Pipe 508 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 54c -Pipe 534 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 56c -NGENProcess 55c -Pipe 554 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 570 -NGENProcess 53c -Pipe 558 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 574 -NGENProcess 54c -Pipe 510 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 578 -NGENProcess 55c -Pipe 540 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 57c -NGENProcess 53c -Pipe 564 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 580 -NGENProcess 54c -Pipe 568 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 588 -NGENProcess 55c -Pipe 574 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 55c -NGENProcess 578 -Pipe 58c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 55c -InterruptEvent 570 -NGENProcess 56c -Pipe 544 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 590 -NGENProcess 580 -Pipe 53c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 590 -InterruptEvent 594 -NGENProcess 578 -Pipe 584 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 598 -NGENProcess 56c -Pipe 57c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 59c -NGENProcess 580 -Pipe 588 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 5a0 -NGENProcess 578 -Pipe 55c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a0 -InterruptEvent 578 -NGENProcess 594 -Pipe 5a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 570 -NGENProcess 5a4 -Pipe 590 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 5ac -NGENProcess 59c -Pipe 54c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5ac -InterruptEvent 5b0 -NGENProcess 594 -Pipe 5a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b0 -InterruptEvent 5b4 -NGENProcess 5a4 -Pipe 56c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 5b8 -NGENProcess 59c -Pipe 5a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b8 -InterruptEvent 5bc -NGENProcess 594 -Pipe 578 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 172.234.222.138:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 172.234.222.143:80 | fwiwk.biz | tcp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 172.234.222.143:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 18.208.156.248:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| US | 54.244.188.177:80 | tcp |
Files
memory/2096-0-0x0000000140000000-0x000000014018D000-memory.dmp
memory/2096-1-0x0000000000A50000-0x0000000000AB0000-memory.dmp
memory/2096-9-0x0000000000A50000-0x0000000000AB0000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | a82e95d7f5dafc6a769bb349cb125845 |
| SHA1 | 6e9fa67e884c5e9323dfe3c5861407792577db26 |
| SHA256 | bb8f4b036c48819b49353d19e7527af94f915e8d2c6ae4d1fcf263ab7d94b72c |
| SHA512 | 9b566b00ff77175f5138c9f0f3bb0af881b3af8e2a434eeb4712bd9f3f3edf7ed8725b539be64a08aea35b22c9822db2ec93c3ad109b3a1a1591df25c539b98a |
memory/2688-23-0x0000000000780000-0x00000000007E0000-memory.dmp
memory/2688-22-0x0000000100000000-0x0000000100184000-memory.dmp
memory/2688-14-0x0000000000780000-0x00000000007E0000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | f066f00818140ef0072c8f20b231e48b |
| SHA1 | a28f7f98d681dd7b6eef7ce3575843360dc5de26 |
| SHA256 | 397798663754acfbcea7845de865f44cddec6201038bc6ef3a1184f230fe9630 |
| SHA512 | 698b535bb97201f1177d956c623a9d7de754df5144c8e9195fc9e82fef396d98aa6e1b237e554aac26900e77479bbdb83ba5dcc8877675c5ef7a02c716dea80d |
memory/2672-28-0x0000000140000000-0x000000014017D000-memory.dmp
memory/2096-29-0x0000000007930000-0x0000000007940000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | 85fa11ea9c7cfb2cd667e24d90ccee7c |
| SHA1 | 8066e61567fd4eb2abc3f88b6ab07070238935dd |
| SHA256 | 95132bdff75f72c8f0177c56ceb2c15e6447aebc9dba50db88e473d8fafded64 |
| SHA512 | 058ba6a3d0a739abfd10f1b7a16f5825da68d1c032738888ba4cf57ba6ff99fe96d9455bb263eaadb834950d7313b685b9b0adcb08a66d840dabb85627fb2cfa |
memory/2616-32-0x0000000010000000-0x0000000010180000-memory.dmp
memory/2616-33-0x0000000000500000-0x0000000000567000-memory.dmp
memory/2616-38-0x0000000000500000-0x0000000000567000-memory.dmp
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | 014bbb6a2466b3cfdf50157cc1c69d3d |
| SHA1 | d91adcde17f3f452820ea2bd394d670137f2f604 |
| SHA256 | 66486403917a5590cb566a69caa811efaf5b888ca61e396fc9140b13c7acf997 |
| SHA512 | 0d409807add2c399fb99819c217a939a595b289d9e92476d1ddac5748d8b83fd85aa17cbeb464e9752ba4a841239c9dc65f3cd244675cceb7b740db04ce2d309 |
memory/1076-48-0x0000000010000000-0x0000000010188000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | 8a96f2afa91b06aad2a2a8d04f9f0567 |
| SHA1 | ba811c27b49a2b32bf9a9422dc0c1d183ed7447a |
| SHA256 | 99c7d98edcb6c6bac715a2620902324249f7368e00075c42d94b21acbfd40aa7 |
| SHA512 | e2f8ff648956324f15f81e1185f790eb5a43907cf264759973d756fd83cd5a1e22c00fb8cacdb13e01bcdeb10ad1c2de55df83cba7fce245d773d932fd74b0b6 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 60b13fff86eee5b9c9b9242844f79a8b |
| SHA1 | 540f74971f253506ef9e8bd3629b183aa1806f6d |
| SHA256 | 9dbb3fcd5391af61a3d86ec0172d1dae985b73dc503aa6d2385df8cec39c1a2f |
| SHA512 | 1489d12cf866456aa529f72f46c41d7cf66822855172429c8bd56f93a7dd5b396fbb6d3d83b757cc9a682d8522bcb7ce236d0703e18f8e82bbe32eedad82a2c6 |
memory/2136-55-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2136-57-0x0000000000670000-0x00000000006D7000-memory.dmp
memory/2136-61-0x0000000000670000-0x00000000006D7000-memory.dmp
memory/2616-68-0x0000000010000000-0x0000000010180000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | 3ff0926607633cb7f5180f38ee31d7f2 |
| SHA1 | 7019aef85d772687059083b8e07566619344868e |
| SHA256 | b189dd586aaa969b3eb4f14a3837bfed27b3d83de6108e032cb444156255273d |
| SHA512 | 282955c429ba2d6d53c8aab35f58e714aa60d32ed9c4e7473179247eee35251f1d2e057ccb6e09667ec27a602116d5d2a6422fb45f1784995f64114e9d5fe93d |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | c7a2fddab9c0e6f7cd59587d736a4386 |
| SHA1 | 9f75e8a3e4e273a6e8a8191b30c8e737300b1785 |
| SHA256 | d308e7cd52dec259bdd24c071ca4a34fe4e0279b00d770c6bd8d41314738bc9f |
| SHA512 | 2d94fec208cc02b881c84be45fad342536dcfdb387ee8e73289ceb9c204a1210b2915cd1183d3dec96a104bfcc15196754c575d5d3cae2bb94cd019478d082ff |
memory/2900-80-0x00000000005F0000-0x0000000000650000-memory.dmp
memory/2900-82-0x0000000140000000-0x000000014018E000-memory.dmp
memory/2900-74-0x00000000005F0000-0x0000000000650000-memory.dmp
memory/1076-88-0x0000000010000000-0x0000000010188000-memory.dmp
\Windows\ehome\ehrecvr.exe
| MD5 | 2beebe7080e2c722530ef79c4a821198 |
| SHA1 | 3bcac0237376130335319b01a409f43eae7f25f7 |
| SHA256 | 91a71f213841d406660990e98054ff63302b8f47d7791e220d212c80fc20588b |
| SHA512 | 2a2bcca5275203c2fd3c02ec3dfc7f39b403c09f7c69a5c0d68e16d2f907e0cb7c1d47ccc6124f8c5af4cac5a9cadd961775e3850973a9df633d1f47aa5c22dd |
memory/2192-91-0x0000000140000000-0x000000014013C000-memory.dmp
memory/2192-98-0x0000000000280000-0x00000000002E0000-memory.dmp
memory/2192-93-0x0000000000280000-0x00000000002E0000-memory.dmp
memory/2192-103-0x0000000001990000-0x00000000019A0000-memory.dmp
\Windows\ehome\ehsched.exe
| MD5 | 1525189a10bbd4ef702109be21b3001c |
| SHA1 | b0f2909d1dd3920fd2cf861ef7488e6b9582b670 |
| SHA256 | 7359efe71c4bdec14b8824d794d11196eda101adae46c2764c78d063368065de |
| SHA512 | 470173614087f4fd52674a007933a06dc4f6d0e98e3ce08e6cf388a3b7a45ce1863a5ade7c30258b3cb54a69ebc7ab5b3d5b7bb2f9af5949aa20843fe3405aad |
memory/2372-112-0x00000000002B0000-0x0000000000310000-memory.dmp
memory/2372-106-0x00000000002B0000-0x0000000000310000-memory.dmp
memory/2372-116-0x0000000140000000-0x0000000140192000-memory.dmp
memory/2096-114-0x0000000140000000-0x000000014018D000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 154e55468547ee1a686df2d74963c357 |
| SHA1 | 44839dc47df074211330c19577cac45c7aedc34c |
| SHA256 | 4acedea99a626f03ede3396ace594b97d2589083ab35949091ee477dfef775ca |
| SHA512 | ee1e04c99a4d2e1e30ab36f65a0651c1f42bd8448ad361fd2307f4302a9ccd5e322171e1336d6b2cb9f01d42eb204a5163e91ecd4e0b7d6a54ad8a4fc3590cd4 |
memory/2064-129-0x0000000140000000-0x0000000140237000-memory.dmp
memory/2688-127-0x0000000100000000-0x0000000100184000-memory.dmp
memory/2064-119-0x00000000008D0000-0x0000000000930000-memory.dmp
\Windows\System32\ieetwcollector.exe
| MD5 | 04dabdfaf5cccf036b2b1cdfdb6ed2c7 |
| SHA1 | ec8e4398a0dac7e703b6fbe4ac028b8612938f9e |
| SHA256 | 5bb138c9590f2560008c6aa51e1afb379b4b8e63b626bbd8be4fc61bf1c16f53 |
| SHA512 | 432708a8ceca283df1e9a10f16a58f568482c772c2606928545d3c804d68dcbc4bb21f2edf60c901ff64d5b586736c1b096bdba2c897421c2fd9c106bfe26055 |
memory/888-138-0x0000000140000000-0x000000014018F000-memory.dmp
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | ee407aad39318582c128924fcf3d278f |
| SHA1 | 916f67cd40798b1fb91a208b2e626db61607b6ea |
| SHA256 | f8ecde50b1a596e40d08ba44b25c9075141b0287234a4b7f15a824562d405afa |
| SHA512 | 10852de55d7d437d133a35b0868befbd5890623335c299f9163f73bf90677a43bc4c30e6800a2186979aa1791344f14cb4dc3a2459180210e456b7fedf32278f |
memory/2324-150-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | c6dc69245247f5c41aaa64bd4d62876b |
| SHA1 | e3ab1b014a92dfd137fb1a11db53a4b23657fce9 |
| SHA256 | 4cae78c08ab71f8ef256bdff3d29fc544b5f9c7c308f3fba8a9ba72d54057d9d |
| SHA512 | 3480612aef88b9167d694bdc80271314af5c2a45912801cd1559ece754543c0e9ba725b29221ab8d6f7882e6b028c9e8c10c01b796a3a6499a05d06411d247d0 |
memory/2672-161-0x0000000140000000-0x000000014017D000-memory.dmp
memory/2060-162-0x0000000140000000-0x00000001401AB000-memory.dmp
memory/2060-168-0x0000000140000000-0x00000001401AB000-memory.dmp
\Windows\System32\msdtc.exe
| MD5 | 3ae1c3c80184e2896e71fe6c2038188f |
| SHA1 | 972cbadbfb79f4e079701dfbc513ea876837a6c3 |
| SHA256 | a512546b8185a158f29dcb4ff06f69fb4d2a059696dc56ebcbafb112bb8c05bb |
| SHA512 | e4ecbea125c0d9672a4391bd79a1ae4725b814510bc7b8c689963079be194bc156d2936cf2d33af32c112146345d465a5cc73b4c502a168ec5a9a756659fc459 |
memory/1760-171-0x0000000140000000-0x0000000140196000-memory.dmp
\Windows\System32\msiexec.exe
| MD5 | 1038ad01a3cb217c4135b2d1c22cdaa9 |
| SHA1 | 48bfc34b0763cb70634adcc91c083d934644e9c2 |
| SHA256 | d18c5bf12a1c774fcaeb739b1016a240630340f68a9a9f026ebcaafb1ef393f5 |
| SHA512 | 6a9e0bd5c723eec50604456926d2e08e34ce066cacdcc46895a2fa34ffd735f5d31fc63bd7f7fb896963a2920f3eccca52fa218533257bf6d61fdf53f726c223 |
memory/2136-194-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2228-196-0x00000000004B0000-0x0000000000643000-memory.dmp
memory/2228-193-0x0000000100000000-0x0000000100193000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | aad5b6b89f8e1d0049b5f00ed2759084 |
| SHA1 | 5609f3cf459a5ed99445c893080fb98f9c8242ea |
| SHA256 | e9a32d69ada465cb065befc28071e1f580834db898b08b9c64b1cd0c6e3c9618 |
| SHA512 | a33fd8e28eaae724a9959e1f61b806a77ade0e4342913b1f019e0dc8169abfd5d5868f69fa49563a183b2cadafd2a951fb17532b98c496e99e2fca13bb141f9b |
memory/2900-209-0x0000000140000000-0x000000014018E000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 02e7cad5d7910d7db14568da149891b7 |
| SHA1 | 5945b022223a6646d727c8901f9833399ff2572d |
| SHA256 | 73645f95a8727ff4544049b07677e290996f8c483a6463aee8d003fe8a6df2de |
| SHA512 | 51f0a11cb3799e909f5bfaa21c3d4bb3dfd1355de53cfb1984562548176fd3752cd124619641985af4c17be321c05a5ca60ab3288ef881c44923edd01f1e644f |
\Windows\System32\Locator.exe
| MD5 | 705f1d092e94a21223831ab15a836a55 |
| SHA1 | 13f67cce1822a912fe47998e376a3256934fa829 |
| SHA256 | 12839553208f12c7cf71e28019756b6574f98911f0472dbdf38af697ee90a436 |
| SHA512 | 1dd3c68ef94bb075a3fd8fd96926abb34233d9edd2d85e2bf083700283fef2d7ac1c0b523f96b8569d08d6a6762cdc8a10523a8f149522f1e8b15290c84d389a |
memory/2192-221-0x0000000140000000-0x000000014013C000-memory.dmp
memory/2816-220-0x000000002E000000-0x000000002E196000-memory.dmp
memory/2660-246-0x0000000100000000-0x0000000100176000-memory.dmp
memory/2064-245-0x0000000140000000-0x0000000140237000-memory.dmp
memory/2280-244-0x0000000100000000-0x0000000100175000-memory.dmp
memory/2372-233-0x0000000140000000-0x0000000140192000-memory.dmp
memory/264-222-0x0000000001000000-0x0000000001176000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | 322ba4ea34a9e56fb37d687533c906e8 |
| SHA1 | 8b62a8738e5a8dc919d1444e27a3f756c3e151b7 |
| SHA256 | 32185bba471661d3dd1729e87efee6aa489baf5b2e8bc678015dfa0bc4efcce0 |
| SHA512 | 9ab41ae90b5d9bdf349a20c8b7de073d152b8510cb56d706f0e5ff768874e2d2d03162051b663ea3c63a4c3067a2e062bc2d2853be3469b66b33e51141550395 |
C:\Windows\System32\VSSVC.exe
| MD5 | 8a74de5256fce464858a0003d0c3c5ea |
| SHA1 | c43b3dbc17a213208eea65f65d71e652742f7f93 |
| SHA256 | 5373e52d981f85816fdded62590e2ca633783e0670d70038deccbbfd94653ebd |
| SHA512 | a6bbb44247285e013430a82431b025726d4d8140d9db4af6f1538b2a39487bc063acbf2affb1d3c43a6751c3ff242eb25ad320c69ce7b69275593c8f37ab4732 |
memory/2324-267-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 8a4657ff41c52ae3b56050872b978068 |
| SHA1 | 0dcebdc05fe5fc1b00c9dfa13c599eb184ff3caa |
| SHA256 | 37647f74db68cba9e6b0700c9687ddbdfb3e59f1c3a351cb78b15414cea08ad8 |
| SHA512 | 8139cb1751da7447cb4176e2eead22da8d50024832212021920e90ba4c73e57c5eb96206e953e8f2216d4376c13849187a92a078467251fceb6c0d29b2b2892d |
memory/888-270-0x0000000140000000-0x000000014018F000-memory.dmp
\Windows\System32\wbengine.exe
| MD5 | 82033db343959dcda5fc864fceee5173 |
| SHA1 | 55311df56e8e3e651d1c98ec0cb0b6042e55601e |
| SHA256 | 56efc1c9b1a94f70365b1f176c7ec7c2735ff5c1ad017d401bc78254446ef24a |
| SHA512 | cd2f6d557b3778bfd471d242b21d92eebd0176ca02c0afd1386251e5b7c7cf9b78a0647fcea49fd4d911dd838165dcde1e00ac52d606d10be177a0098da7848d |
memory/2392-293-0x0000000100000000-0x0000000100202000-memory.dmp
memory/2880-282-0x0000000100000000-0x00000001001F5000-memory.dmp
memory/1980-295-0x0000000100000000-0x00000001001A5000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | aa4b88eafbf00a7008d7606f0acdfb0e |
| SHA1 | 039d7f7d6cd38ffead64259b7babb75ecdfec2c6 |
| SHA256 | 637a59c0ff7f11a6c4da1a7a7e68ea09be1925982238ef4839fe2a26517a57d1 |
| SHA512 | 55f589be2be7b334662021e9b208b6da899dfeb145d173c5cf49aa178ab49e16e1d4655c9ab9a32cf31cccbd51ce082261dc750e7ca65955a4241128ed31d625 |
memory/1588-269-0x0000000100000000-0x0000000100219000-memory.dmp
\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | b1f6e14c36e94f0863f4999422ebd779 |
| SHA1 | 441b30d1ff2ff85282b3ce1987d980fca2ce3164 |
| SHA256 | e6bb1c0b2e656d8efc09656f7c5ea2c9c54129e95104eacf4a908eb0a3c966a3 |
| SHA512 | bc719674e189863b6e8e923b625a4d5a622ad2b0e1f380fec7e06419c92d329cedb6fc6db4d57874bfb26b01b6df4004d774ba515a057c980b5c8236a8d4b8b5 |
memory/2896-310-0x0000000100000000-0x000000010020A000-memory.dmp
memory/2228-309-0x0000000100000000-0x0000000100193000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 8a2425f3baeb3521a064fb35d0414eb7 |
| SHA1 | 1db213c5650dbf1128466cda3cdbf488a64c1993 |
| SHA256 | ff8e4eb43288382bd696da02e2aaab7c732330611be41401c5f0a309fa674b03 |
| SHA512 | 7081b1321335b529fc291811ee71c372a0c08f5a7a3ef1222338a9bfd1b672c075fe969788bc33352fcee0a51b009a261aed2abdc3a85dae139b6c5d61033dd8 |
memory/1576-321-0x0000000100000000-0x0000000100123000-memory.dmp
memory/1760-308-0x0000000140000000-0x0000000140196000-memory.dmp
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | 6878757d876e53788ed2eb199c5ef16e |
| SHA1 | 18b215c92d3dca6974beebf7eb964d79b1c693b0 |
| SHA256 | aab0ee48ebe0bc2d068ef5a82b5c0e1f04377657db05272f82823a0df75439db |
| SHA512 | 866460288564157e6bc76e990b5645862ec9648a7d4025b28c81b230d97daf6e3b81bc8badd6f38d30bdeee61bb8cc791d9a43cf5c53ee6a5bc42c7aa9755a21 |
memory/2228-434-0x00000000004B0000-0x0000000000643000-memory.dmp
memory/2956-497-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2816-496-0x000000002E000000-0x000000002E196000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
| MD5 | b9bd716de6739e51c620f2086f9c31e4 |
| SHA1 | 9733d94607a3cba277e567af584510edd9febf62 |
| SHA256 | 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312 |
| SHA512 | cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478 |
memory/1848-536-0x0000000000400000-0x0000000000589000-memory.dmp
memory/264-531-0x0000000001000000-0x0000000001176000-memory.dmp
memory/2956-539-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1848-550-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1572-552-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2880-573-0x0000000100000000-0x00000001001F5000-memory.dmp
memory/2348-575-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1588-571-0x0000000100000000-0x0000000100219000-memory.dmp
memory/1572-578-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2660-569-0x0000000100000000-0x0000000100176000-memory.dmp
memory/2348-592-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2240-595-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2392-593-0x0000000100000000-0x0000000100202000-memory.dmp
memory/268-617-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2240-620-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1652-639-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1980-638-0x0000000100000000-0x00000001001A5000-memory.dmp
memory/268-640-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2896-647-0x0000000100000000-0x000000010020A000-memory.dmp
memory/1652-653-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2904-649-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1848-665-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2904-666-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2556-676-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1848-678-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1576-664-0x0000000100000000-0x0000000100123000-memory.dmp
memory/1316-690-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2556-689-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1316-701-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2728-702-0x0000000000400000-0x0000000000589000-memory.dmp
memory/844-715-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2728-716-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2628-726-0x0000000000400000-0x0000000000589000-memory.dmp
memory/844-728-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2212-733-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2628-731-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2212-741-0x0000000003CC0000-0x0000000003D7A000-memory.dmp
memory/2956-750-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2212-753-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2332-765-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2956-766-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2332-769-0x0000000000400000-0x0000000000589000-memory.dmp
memory/268-791-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1460-789-0x0000000000400000-0x0000000000589000-memory.dmp
memory/1460-802-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2372-875-0x0000000140000000-0x0000000140192000-memory.dmp
memory/888-923-0x0000000140000000-0x000000014018F000-memory.dmp
memory/2192-929-0x0000000140000000-0x000000014013C000-memory.dmp
memory/2136-939-0x0000000002350000-0x000000000235A000-memory.dmp
memory/2136-940-0x0000000002350000-0x000000000236E000-memory.dmp
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
| MD5 | 8c69bbdfbc8cc3fa3fa5edcd79901e94 |
| SHA1 | b8028f0f557692221d5c0160ec6ce414b2bdf19b |
| SHA256 | a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d |
| SHA512 | 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
| MD5 | 4f40997b51420653706cb0958086cd2d |
| SHA1 | 0069b956d17ce7d782a0e054995317f2f621b502 |
| SHA256 | 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553 |
| SHA512 | e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
| MD5 | 9de171c5835ed25eec54106487b1d30e |
| SHA1 | 9249a162187ee353e34f988855b24ff9adb63807 |
| SHA256 | 1bcce5af47a26660d2b870809dc9a492fed007bae65049d87c610aa5d5de31ef |
| SHA512 | 5486a1847db4130d188b517490cc883b79760d514832880549073816111ac31b8fd69048eeb187548263f1258390804e946f808ab598be394fc307f1ded46112 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
| MD5 | 71d4273e5b77cf01239a5d4f29e064fc |
| SHA1 | e8876dea4e4c4c099e27234742016be3c80d8b62 |
| SHA256 | f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575 |
| SHA512 | 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
| MD5 | 3c269caf88ccaf71660d8dc6c56f4873 |
| SHA1 | f9481bf17e10fe1914644e1b590b82a0ecc2c5c4 |
| SHA256 | de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48 |
| SHA512 | bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
| MD5 | ac901cf97363425059a50d1398e3454b |
| SHA1 | 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7 |
| SHA256 | f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58 |
| SHA512 | 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
| MD5 | e3a7a2b65afd8ab8b154fdc7897595c3 |
| SHA1 | b21eefd6e23231470b5cf0bd0d7363879a2ed228 |
| SHA256 | e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845 |
| SHA512 | 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
| MD5 | 2735d2ab103beb0f7c1fbd6971838274 |
| SHA1 | 6063646bc072546798bf8bf347425834f2bfad71 |
| SHA256 | f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3 |
| SHA512 | fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
| MD5 | 9c60454398ce4bce7a52cbda4a45d364 |
| SHA1 | da1e5de264a6f6051b332f8f32fa876d297bf620 |
| SHA256 | edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1 |
| SHA512 | 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
| MD5 | c26b034a8d6ab845b41ed6e8a8d6001d |
| SHA1 | 3a55774cf22d3244d30f9eb5e26c0a6792a3e493 |
| SHA256 | 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3 |
| SHA512 | 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
| MD5 | aefc3f3c8e7499bad4d05284e8abd16c |
| SHA1 | 7ab718bde7fdb2d878d8725dc843cfeba44a71f7 |
| SHA256 | 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d |
| SHA512 | 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
| MD5 | 0fd0f978e977a4122b64ae8f8541de54 |
| SHA1 | 153d3390416fdeba1b150816cbbf968e355dc64f |
| SHA256 | 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60 |
| SHA512 | ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
| MD5 | 6eaaa1f987d6e1d81badf8665c55a341 |
| SHA1 | e52db4ad92903ca03a5a54fdb66e2e6fad59efd5 |
| SHA256 | 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e |
| SHA512 | dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e54ae44da56d4a7749926b64c9a73d14\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
| MD5 | b4f0fe2a05351621a11ebf89d0eadf00 |
| SHA1 | 12053caa6509003b2dfbbcde9eb044de95dc4090 |
| SHA256 | ef11d5230512c425f2f4ebb0051f882b9cfa64217d2aaf1f355a3690273e703f |
| SHA512 | 2ec618c639f75a1e508a46d7781f3e5d0b61ce8870d9973ff0e5964fe1447509145da6f20a7dfd7a1570d11efecb7dc5335fe3245f0c2ab2666295f3e84486c8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4cffbd6c354740026d7a3a29dd63e3bc\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
| MD5 | 1fa4c663eb7f4f3f5e7547c8d2849c90 |
| SHA1 | 7a2e4dc0eacfaab69d5ddfcbf9fcec8ff55b035f |
| SHA256 | 3febbc6242bafabbb51659ed696758cc75dadcb7ffc8217b8a032590d97d9166 |
| SHA512 | 3a40a81785cf707abfb6b5f88b98e6cf413391b4098d1199a1cb7f030fa2e45c3c8502ae6baa7ff56f1476ee700d5f126c14a99433802a1dd328cd66bd9dfdd9 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ff3d18e5d3805377d19db8b50f342a9b\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
| MD5 | d689985a6b4e0fdcf051a70d16c30f56 |
| SHA1 | cdd4e34b3dd207ab944eafa2faf9f01194859e4f |
| SHA256 | 1aef6ab2408f4edf1b5fd5198a2a69cbc45c4c45ca906cf71bfed955364dfcdf |
| SHA512 | 5a97a707d0583af9cc0ce6c83f3aa814b16b87e501ba7dd5db7f0b17767ab5cc262443dda3531f6b3efd02b08307b6ba360812b8cb05f0fee1d67eb4336321f6 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\050be9aead501de39c633f80beefe345\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
| MD5 | 5cea050b675cec9d913f5e631eb8dc12 |
| SHA1 | 2d8a061b05732d274e804dec48768c095b95ed3c |
| SHA256 | 3e2f98a26489aeadeb7805a7658740e903abf20f70a8140179fd23b3327c5480 |
| SHA512 | ea754b51333950a31668267cb3dad7538a26db9db498c54740bd788d94704ba8d1fd86dbfbc2fe470c016e95fda61d67904f8c490a159bfc1960972787a2396d |
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
| MD5 | 7812b0a90d92b4812d4063b89a970c58 |
| SHA1 | 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea |
| SHA256 | 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543 |
| SHA512 | 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed |
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
| MD5 | 3e72bdd0663c5b2bcd530f74139c83e3 |
| SHA1 | 66069bcac0207512b9e07320f4fa5934650677d2 |
| SHA256 | 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357 |
| SHA512 | b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
| MD5 | aeb0b6e6c5d32d1ada231285ff2ae881 |
| SHA1 | 1f04a1c059503896336406aed1dc93340e90b742 |
| SHA256 | 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263 |
| SHA512 | e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
| MD5 | 006498313e139299a5383f0892c954b9 |
| SHA1 | 7b3aa10930da9f29272154e2674b86876957ce3a |
| SHA256 | 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c |
| SHA512 | 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
| MD5 | e88828b5a35063aa16c68ffb8322215d |
| SHA1 | 8225660ba3a9f528cf6ac32038ae3e0ec98d2331 |
| SHA256 | 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142 |
| SHA512 | e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
| MD5 | c76656b09bb7df6bd2ac1a6177a0027c |
| SHA1 | 0c296994a249e8649b19be84dce27c9ddafef3e0 |
| SHA256 | a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0 |
| SHA512 | 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
| MD5 | 0637ad2bf6fc5ac1d29e547155bc818c |
| SHA1 | a502879466b6dd37eae5881bbb18353f97623852 |
| SHA256 | 868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f |
| SHA512 | 1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
| MD5 | da9f9a01a99bd98104b19a95eeef256c |
| SHA1 | 272071d5bbc0c234bc2f63dfcd5a90f83079bbab |
| SHA256 | b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d |
| SHA512 | dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll
| MD5 | 87111e9d98dc79165dfc98a1fb93100b |
| SHA1 | 4f5182e5ce810f6ba3bdb3418ad33c916b6013c8 |
| SHA256 | 971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42 |
| SHA512 | abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll
| MD5 | d74d434aa70ce827715b5e0ac7eda5be |
| SHA1 | b53f3374be4c96af51c78fd873de1360f17c200f |
| SHA256 | 54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496 |
| SHA512 | 631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll
| MD5 | 7ebbba07bc6d54efd912bcd78b560b7b |
| SHA1 | a6aee1a80ddcdf201301ac29293c62d58bcc941d |
| SHA256 | 637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a |
| SHA512 | 2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll
| MD5 | eb09a7062a66a50fe2cb16c4a80561a7 |
| SHA1 | 33b4c71ced7644be9802374a4f04c866394daaca |
| SHA256 | e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256 |
| SHA512 | c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll
| MD5 | 7687295a6e19cc656b077e6a61629d4e |
| SHA1 | fa1025de5cffb56a3d1f8cae9d09b7171b33326e |
| SHA256 | ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86 |
| SHA512 | 19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll
| MD5 | 58cacef7cbc000bb5ddeedc08a598f36 |
| SHA1 | f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7 |
| SHA256 | 124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270 |
| SHA512 | 9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll
| MD5 | a763a9348ab4ee3bd593bb17d854e51b |
| SHA1 | 4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9 |
| SHA256 | b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b |
| SHA512 | e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll
| MD5 | e9ca062e4958cc25400c804029a5bf62 |
| SHA1 | 1ed4374d0d0f568936fdebe17d9110481d6b3344 |
| SHA256 | a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0 |
| SHA512 | 43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll
| MD5 | 7bdf8e0c9aa04b71a52dd964005f4363 |
| SHA1 | a87e809146d3c70093a189c37f0a96b8bd0ce525 |
| SHA256 | 0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b |
| SHA512 | 4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:11
Reported
2024-10-25 21:13
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077c060752227db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c18dab742227db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000866f71752227db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9a09f742227db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eabbbd752227db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000220aad752227db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067e05c742227db01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2832 wrote to memory of 5696 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 2832 wrote to memory of 5696 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 2832 wrote to memory of 5732 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 2832 wrote to memory of 5732 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe
"C:\Users\Admin\AppData\Local\Temp\d0fe6b6172846dffae4b0fd75b92a76d751915b40c942579fa2e86c454cc8a24N.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 8.8.8.8:53 | 107.10.141.18.in-addr.arpa | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 172.234.222.143:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 8.8.8.8:53 | 212.31.129.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | 138.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.200.246.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 172.234.222.138:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/4312-1-0x00000000008E0000-0x0000000000940000-memory.dmp
memory/4312-9-0x00000000008E0000-0x0000000000940000-memory.dmp
memory/4312-0-0x0000000140000000-0x000000014018D000-memory.dmp
memory/4200-18-0x0000000140000000-0x000000014018A000-memory.dmp
memory/4200-13-0x00000000006E0000-0x0000000000740000-memory.dmp
memory/4200-20-0x00000000006E0000-0x0000000000740000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 77bf6cef73d63a2f50af1e5503c4d44b |
| SHA1 | 1dab2a8859a3fe1747cee7118f53f9bf0a30bb0f |
| SHA256 | f6eeb379157133dfbe33718a01d4ec97246af8ba12c27b75c013b064921675b6 |
| SHA512 | e47d080b1413839d13ae309b04c3f959f409ab9b1e4f2da30818efbebebd810b7b3b2d8290007b1b4245894972795e92fc13f5adcc2fd9391aa0dbcc29ae2ff1 |
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 76e00c9dcad183230c3f85197e0d9e02 |
| SHA1 | e5635a1f8f50b1d3a89f5c89d8a0d2b373789ac8 |
| SHA256 | 6b755a6485c6446a916773ffce5520f9dd7e38817de24c891c49683f7a20c34e |
| SHA512 | e589f3c379460cecefc7976e7509acb0e2433c15d833fc5c85d5f8d487a0a3f80c6d4b3925f7f1bba6e9a33d04023f01768b0b1e521f253d891dd45dd2c37803 |
memory/3576-35-0x0000000000680000-0x00000000006E0000-memory.dmp
memory/3576-28-0x0000000000680000-0x00000000006E0000-memory.dmp
memory/3576-26-0x0000000140000000-0x0000000140189000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | e1e552b4efa1596269ab68ab1c2bca5e |
| SHA1 | dfe4c3577991c38a54e29edddbf7b652f9ee11b6 |
| SHA256 | 033eb510824984d08a39cd58e760da8eb4ce9a73344f1b6da535411a6259ba3a |
| SHA512 | db2d28fd95c1e45f08ffdad01d455afac35c66bceebdd91277f3a71dd9779135b617e2e28a32d1ace80802e992eee628d6308c32e1e055c19053610757a3ef45 |
memory/2324-44-0x0000000000CB0000-0x0000000000D10000-memory.dmp
memory/2324-38-0x0000000000CB0000-0x0000000000D10000-memory.dmp
memory/2324-47-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
| MD5 | d1b896b0754d1388a98af90e0a0cf99a |
| SHA1 | c6dfa6e76b49af014b91e82de7ce5a786a666ce3 |
| SHA256 | 67b32509396db262c00d292fcea5af376f43353b6465c0ebd5a21f1d6cd0902c |
| SHA512 | f3143f85f4987d147d100381ac574ac14666bf8a82046feedfd1d1aa6928cf7cf41ba191a4e57df83a1a8c424a0f6e6f1c0a5b0c0901e5fe9cb389089cde2463 |
memory/4716-55-0x0000000000C80000-0x0000000000CE0000-memory.dmp
memory/4716-58-0x0000000140000000-0x0000000140234000-memory.dmp
memory/2000-66-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/2000-68-0x0000000140000000-0x000000014022B000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | d3c21a6ad18b20c4275b80d8c1d391f5 |
| SHA1 | 0ed76615a180429f6a4b0a6e2aaeea4f7253bc51 |
| SHA256 | fa87490831250f1f9e5384cd0da8a9e4eb434a4ef38ec48cf0b89913289a366e |
| SHA512 | 3c39662db41f2651a03222df386ad9db4bc1e5d193ae1e1dc88947d3bab84f287bccace87d17a49d850195eff165de23ec3fb60dffb7c627297b4d5469b7bcc1 |
memory/3984-80-0x0000000140000000-0x00000001401B0000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 382ff1eb2d647bbcd7a7685ccb442c49 |
| SHA1 | b3ff80e4fcec3e5107f864ebd8ce6b60db97c1af |
| SHA256 | 9d79d753390bf3f6096f1b28e865b79c35eb8f764a733e04d115367f3566c125 |
| SHA512 | b491a5ffaeef640272c35a381816af6aaa7ced848672674acbc7a2c331bc8fcdffebf5f7344f233fadc1c84832860e53198842901af8c2164da96ad552a5120b |
memory/2324-98-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | e0697c3a4366e166ac7104410e9d98f5 |
| SHA1 | 4e1bb2e27beee4bccd4095f4613f739eda9e9d73 |
| SHA256 | 9fe073614c2773e5aa10e80e8978758a2d3cdaf6460272abd99c8d621aabd963 |
| SHA512 | 4e958f9cd5fb4d98ebaf98caf0f09673a14e1ad5b28777fd4ee42d90fdb517e7a27b9735bc4630bb7d21d8159585537a6a841d9e2a739dc815ac1b800f7bd0dc |
memory/3168-126-0x0000000140000000-0x000000014018B000-memory.dmp
memory/1492-129-0x0000000000400000-0x0000000000577000-memory.dmp
memory/2476-141-0x0000000140000000-0x0000000140175000-memory.dmp
C:\Windows\System32\SensorDataService.exe
| MD5 | f985a1c60bba3c2b595f1c1c04816de5 |
| SHA1 | b531aede988a47a5b92113cc9bc5937f83c9e969 |
| SHA256 | 5b12d5c122e03e7726e1d2ff2de438ebc6e02eb992e81210fedd44e84a02890b |
| SHA512 | 2b275016babac7791469541690a6c9f47ccf7171bf2e5a1b4f5e677839eb2e85c9d3482aea6c8c69c22e6f5d59b06f2be5475472f5c016af1f470414de0b9fde |
memory/888-164-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3592-175-0x0000000140000000-0x0000000140169000-memory.dmp
memory/4376-189-0x0000000140000000-0x00000001401E3000-memory.dmp
memory/3264-214-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/1296-226-0x0000000140000000-0x0000000140147000-memory.dmp
memory/1356-229-0x0000000140000000-0x00000001401FC000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 05b2cdfbd07a13f561aecaf4d55be2de |
| SHA1 | 5805f27402c9128956db27d3e45d24602e8c68c6 |
| SHA256 | 8e1930dd9d0bb0bad96021f4bed5965a4a258209ccd8ed877f0a5e897bbf6c6b |
| SHA512 | 4145b505c3e39f81db0bcbd6fc4382268673153aba1221b57f5a2c5cef17b1192b503a7c6789eb98d5c7cb545c20f52a85f0b697203f9f076e6c8cbf3c96548d |
memory/2364-259-0x0000000140000000-0x00000001401A6000-memory.dmp
memory/2832-272-0x0000000140000000-0x0000000140179000-memory.dmp
memory/3648-271-0x0000000140000000-0x00000001401D7000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 89d0531ad5e1472199082b7580d736ee |
| SHA1 | b6df00515fc1aa07200a44c4430430e89102e3ab |
| SHA256 | 21b07a1c6e2e50b0cebca368751b8f8395f300a41878b3966854bc9a3f08f22b |
| SHA512 | 513436fb172213bf882050cf72c1fb08f07c19c328dc6e98a91bc5247bacd789c3143e3e0e9d803073e57bb026049166d4d46ac7301562ab3c920c9617c6b6b4 |
memory/2476-258-0x0000000140000000-0x0000000140175000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | ec1d1c544c99a1a7dcfdbde93142b79c |
| SHA1 | 347165d3e82e0679b8310d01c6d46ac7139ad265 |
| SHA256 | 4cefd04742ed4e403b0e09eebe0e2672dd70faee06ff9db050419a729ab0ebc4 |
| SHA512 | 2bcc3416298604ae749564607adc42b672daf6990ef0e9d39edc7030b628bdffd2bc03463019714af274327d5cc8dc65b8892ef74d900648b80f13031cdba20a |
memory/3256-250-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1492-249-0x0000000000400000-0x0000000000577000-memory.dmp
memory/3168-228-0x0000000140000000-0x000000014018B000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 77512c4a482ec98ef940b823a7d1c266 |
| SHA1 | 448a61816584b1b593d5fcb18171e0c0101c8bef |
| SHA256 | ea01ba1e1cfd89ea48c659e4b80090f3d253537e6f1c58503a0ac80ba79ced43 |
| SHA512 | bb7144961220796ea529b035958220bb8fe30b826c92db89bb4402b2b6a43f2f5e6bed4b1da2ab7206d9d22789124d3432519d587db364e8faf0b852226b33fd |
memory/2572-225-0x0000000140000000-0x00000001401B0000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | dfe2baaa231e0e49c7b256bf5c882b22 |
| SHA1 | 2ca577bbbf1b094e3b0674a0eb1b0cc733a2d79d |
| SHA256 | 05174da0c56a2ee7b3277163933a057ac9494a625528cdfe99c0de4226e7e105 |
| SHA512 | d47251ae3a325d200d579d939c8a4b5e80e1c68cf8487a362a54ce7af4795335fb90cb9b3337765751d4f28fcb8592dbdcdc8bbc7904f40fc3e938a9086d81bf |
memory/3264-210-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | b89dcbd0508c9c2b81aa6404852445b6 |
| SHA1 | 5227dfa2505d3301a02ddf3ba068e7725e44e8d6 |
| SHA256 | bab7aecda5dcfdc83e2cef50c505d324cc40af46b18de3622e1599679f41adde |
| SHA512 | d3a1e24cc0a623a8927976e34f5eda6db2872aa0ed71e26f822c315bfad84210e49f523824b980341ff5c14c2a0617550d2d1696a2fbfd73c0ec0ceeb7526eff |
memory/4212-200-0x0000000140000000-0x00000001401C2000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | 08435408e9504b851e9dedec758b8d49 |
| SHA1 | 17305a5d7ee4f6101a36c47f11ac7303dbfd3779 |
| SHA256 | c218398612e70c975411f1b54f9405b96f71f4a51c9a9cbbc17e323aaf23e7ad |
| SHA512 | 7d0a5085cd162ca38033b30f55e552f6993975839c5490620d871f78999dff02bed7549d7de0e6de82548c4a8bcf684f142633bba17220d3d2ac43ea2c786407 |
memory/2000-188-0x0000000140000000-0x000000014022B000-memory.dmp
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | dfc0748650bb2fd35490fe1304aa941d |
| SHA1 | 3e11e5381899d9d4ee7cb5c8bfbbcb5db82da749 |
| SHA256 | 4a286fb3dd50116029e41c52a91a0e3ff1e73152a7e6972432832cf6bae1353d |
| SHA512 | be15e215ff291d133145a36da7ed056b710d5e6f6bb3b2438334b70f2702bda3dcf3be203f13ac61a3dcb31ff5d14cfdd56fcc23bdb4464fb5fc73d1d2d70e3a |
memory/4716-174-0x0000000140000000-0x0000000140234000-memory.dmp
C:\Windows\System32\Spectrum.exe
| MD5 | c90c17b2cca3785a95326027202ad58a |
| SHA1 | 17ff782f32ae957e07006fe2249e1a7acb91010d |
| SHA256 | 12c27a2f7a2c3dfde3045e01827d1cf7adb25b8e3a90eeba1f5e6d3be9a8f2c4 |
| SHA512 | 0f8454113ec2587409318f22f87a5f9adf78a289b8cb1ee6e5b1c0ad5adc1175bc5ebd5748304a4dda23b16e646eb9c178ef5e770960873864d52b2519821b78 |
C:\Windows\System32\snmptrap.exe
| MD5 | 356e3bcc10c62ca15ba73e0c6a31f1f7 |
| SHA1 | 0917c6cc38af825a4353a686996f20cbc9180e62 |
| SHA256 | b63e9be06faf6258f7c3a91cdec87f566f200c25a4731eb12cf3b5fa919cd31e |
| SHA512 | 2c7d5a420beb46f0b18f2d61ba5ffa325e010b0c922b74d3b95cf84bc978d225d4801318dbfcc9e43110b003b19f196b54662048bc88c3f9600249ea6a4a4e41 |
memory/3648-151-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/3576-140-0x0000000140000000-0x0000000140189000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | 322f2e00a31e01d200bca1cef70823ac |
| SHA1 | 73f2a72ff93cea87711cf55f0dac974a917a45cd |
| SHA256 | 9dbd1637ba9f7695c1bd74339f160af5d4f8af9a2ade29389719e1ae40080e22 |
| SHA512 | f008f7198af9dfa355ebd332ad465e40fa7a6fd8477a954fca0122b9f4d9a4b70676166c860ac3df675ca035719b4ad06ee2b8606080e491c1332e30300c8001 |
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 47f6ce15ff0b156e934f03da71331351 |
| SHA1 | fe133876973ea4699cd0603cf2db186a72488b66 |
| SHA256 | a44e5d74230ec9c1746ebb69b1ef69db7550a68d65c2be012fa3eb4700293483 |
| SHA512 | 4c04099b611db49ff6135cf9d4a10a6f66dcfd4ba1d19e3b26c61d1df0544c247267b5b01a7be839977e12c1843f91dda6391f86ac1aba713cb8abb8bc210a7c |
memory/4200-125-0x0000000140000000-0x000000014018A000-memory.dmp
memory/2572-111-0x0000000140000000-0x00000001401B0000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 17f7c994006fb6be3dfcc4bedd9374ad |
| SHA1 | 0ecc872b97233c84d164d8581de60414d2e88657 |
| SHA256 | 422d424012626c6fa0753892aafea291b324b65cc67ca7f5589ce9b94fb2939b |
| SHA512 | 05c6a56158e1fd73592560fc524721c0e85b24d1964077ff76f6611f38f24b38fe61de654d6120285fd4c387550c05014a2af0bd0fa5dfd3f3ccb633153b48f8 |
memory/3416-95-0x0000000140000000-0x0000000140199000-memory.dmp
memory/3416-87-0x0000000000730000-0x0000000000790000-memory.dmp
memory/4312-86-0x0000000140000000-0x000000014018D000-memory.dmp
memory/3984-84-0x0000000140000000-0x00000001401B0000-memory.dmp
memory/3984-82-0x0000000001870000-0x00000000018D0000-memory.dmp
memory/3984-77-0x0000000001870000-0x00000000018D0000-memory.dmp
memory/3984-71-0x0000000001870000-0x00000000018D0000-memory.dmp
memory/2000-60-0x00000000001A0000-0x0000000000200000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | ca1723b583510b1f24158689da2f282c |
| SHA1 | b3783b82cba5c62d18d71333817bb94611fd881e |
| SHA256 | 7d1d3ef092eb76f85db24eae780af6689298a2195656b65b2c1c2f78b2c05bc2 |
| SHA512 | 7369dc5cc3468f65d2adf9d328fc1b3c67b876a769729459bf8f92838cf89230e95635812cf16d43838928e0841903208d07fcd2b93fd3c6bd4aec60a4cf56b9 |
memory/4716-49-0x0000000000C80000-0x0000000000CE0000-memory.dmp
memory/888-373-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3592-431-0x0000000140000000-0x0000000140169000-memory.dmp
memory/4376-448-0x0000000140000000-0x00000001401E3000-memory.dmp
memory/4212-467-0x0000000140000000-0x00000001401C2000-memory.dmp
memory/3648-474-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/1296-475-0x0000000140000000-0x0000000140147000-memory.dmp
memory/1356-476-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3256-525-0x0000000140000000-0x0000000140216000-memory.dmp
memory/2364-542-0x0000000140000000-0x00000001401A6000-memory.dmp
memory/2832-543-0x0000000140000000-0x0000000140179000-memory.dmp
C:\Windows\system32\AppVClient.exe
| MD5 | 3407d0e980767aa9da28fe6ef5e88959 |
| SHA1 | 1ac4e415af05a3af392f1c94a77df0fd759ca0a0 |
| SHA256 | 3a14c1f6d344c985f1e16f0fe2c753dcbf2f8de0513d2943cc9c34bb3d94c5c0 |
| SHA512 | f2fda52b7f8108d4a482112b78669e2c705839d7abd935c599bfb0c69f8e1c480ea165178e10446b7cb479d529a85b3a118c6dc3f123da9445ebeaa76aa81428 |
C:\Windows\system32\msiexec.exe
| MD5 | dc8b4509ef2ecb23edaf66133e591f53 |
| SHA1 | 6977333df1a37e449e300b134de5782d860f40e5 |
| SHA256 | 823995959e6f005137aeb5c01efa6193e15a64aaa532f1982b9e25f7742cda94 |
| SHA512 | 391cc1f0efe7e5afe6ce744687d9ee050bed54582744da935a4fcf1168ee82b0a20984cdfc9211b7d5b4748b15eb67edee798fac134d2dd194b5dc9c9599bdf1 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 215d9fb6524e258b9dddcf9762434d9f |
| SHA1 | f866707b6c9915dc5b8e58a22e746e52fac13ed5 |
| SHA256 | 54bd210793fc805f9c508f36beda524aa2ec7b86d10fd849f65d7ac890b4c95c |
| SHA512 | 82d4ed45c3c472b29cec64538dc56986d016eab73d22c3cc5b3aaf6a4fb0175f7c625b71be34a460d59641f8ad09ae5002e204a36a9c503c1ae7445d9b419306 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | c8b8da95dd811fa57f565bb4df4be321 |
| SHA1 | f81d6111fa1714ab733957db5ad9ab871a2d83a4 |
| SHA256 | 5d4868e483923f18d0b5ec5191aad22cb75a2978c31768e8264e4b6a8a09e25a |
| SHA512 | 6b0d221b7f3bf5312cad5f172d3e67dfd0385655c6750fb6811e9c48833e88a90f8bd7e2cceba0f0547890f2aedd30cfe836e5de5ce40fb74356060a717d6a4a |
C:\Program Files\7-Zip\7z.exe
| MD5 | 2792f2c52feec845a554adc960795c06 |
| SHA1 | e4d47ce6993e117bb9db4fb886ba2b92897148a6 |
| SHA256 | 3b3678c87d4cf6b6c4cc83319d11fe4e73c9a60fe0b47768e90e27177e7cc4ac |
| SHA512 | 996f5a7e5fb18a46851fdf309e7db84c965dc3718d97cb5520ff3092b849eb3cb7f1c9b1387fe7352e2e88f661f3ad6e22b91d0e4953f25eb0fb64c4f3121d00 |
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 4a79f14876bb8d211102805c8f2fd09e |
| SHA1 | 88da1321a04293d8a5db1c348ffde0bf3e1353be |
| SHA256 | a513f3dcfda0b6b108dc183888ac5d4a2c63efb4de500adfbc60a5fb6b42d8aa |
| SHA512 | 7a0e6d5e784c524b8422f4ac0dc180d38a8572cb7094b5b39722cab21caf9772a4e95b30a620345b9b8cee700624765c95fcf1f835a34baad980b7d402fefa0f |
C:\Windows\system32\SgrmBroker.exe
| MD5 | bb20292dd7f5aed8f92e6d9f24261ad2 |
| SHA1 | 82cd1791d100a57cf41ed0bc769900dc74493ab6 |
| SHA256 | 33b79fc00fd67e5f21a61170a59eafd9d2ffb459b2531ec89e17f8b34bc97830 |
| SHA512 | 633478130c19157c015ee57d992b0d3cafac2d10f2214ee55e91dfc2f26585eb8c64e4a2d99c88c72de1cbef5d1f339dac20cf13dac32f0e6f777dfa9ed3f65b |
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | dab6b4e344f3223ecb9a983fb2f5dfdb |
| SHA1 | 565678d1f99e3a24d3cfa42e45407d4467e59fcc |
| SHA256 | a7941b031bc417d5e251e2e18b2af052f7f176ef691e255276da854697ee305d |
| SHA512 | 886bf44a97fec091ac8451091d30f339800b94c9cc59238d786bc8a256b41a299128b7127f6ade65b2d0d065a43d19124f7a99c1fdd1392069f082077b169838 |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | ce6e310f05f51a560b646ff78750cb2c |
| SHA1 | b839b2f1d95600a9f6f6e6b58156c393475a0db8 |
| SHA256 | 5fc3337d0908079641f10f5278843a26e00488ebafd2283b6f1b65fa1dedcaf1 |
| SHA512 | 07c0fd4929008aa6a63ebd1f1866223d7c7cbf2ed7efd89fff680dac9bc82863a7b7f590d894b0e1ee43abdcf62c3d7e2e2cbdd6f5c5b22abddb9f274fa70be5 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | 4ba51f2086904cecd4682a50951008fe |
| SHA1 | 4639cbde9531dbbbd33dcfe24046990ba487e4cf |
| SHA256 | eb1e8d4f42d32df1a38059c1aaefddbfcc71c5bffdcfcd6f00b34159316aa06d |
| SHA512 | 8104ae74347f6bb4be469c76128ddcefd8119ccda7c64dd22837443a387f08b41ef7bce7e9b0c50fc3282b4b8fdee5344d3190b55aaa33fc921fee3a92255f3f |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | e5fdc77ff59e809698a491ae28e3063d |
| SHA1 | cb3b3da1d516e67474aa0b0bd6a1ef24309f0fd0 |
| SHA256 | 410e6eeb764721dd163526596896d5518e3cb1261c5ce50fd2af187bc86b75ef |
| SHA512 | 654fcedfdb2aa971c63e6a7b6f41c74764585ab02aff9356a8446b7c598b90af11f41b37b1077f95ca23dc6d3ce21853681b1968504b7fd317332d8b13b87d67 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | 17f1202db257d2f374aca43b65ec993c |
| SHA1 | 3d9e518e8de5437c63cb10c043763a8dc1e60e01 |
| SHA256 | 87ae16799eec1be183ffe7fc25db76708b824d464a7a5e16896257c8e687c511 |
| SHA512 | 9693c86cf004a8231e956e21b7e5c7c92fc10ab0ff1262ed327af7451ffdcffd9e5e82ab2055e3bc5eca66303975113a38d112207ba967807e83b0f598b2a994 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | 8424b2a620c5993484dd5101addb2a95 |
| SHA1 | 5d0d08ea79f32c76335d0920f5df714574c2cdfe |
| SHA256 | f1845d9014e85c5f848bc05e74ee1d60063b85e27fca471d1d30861f9d921c50 |
| SHA512 | 9a92d3703b70844e58203f8415d50f2a41a10e1148f03c7108f3912b57edd16ea2213b641a840a96425dad89a02c691a07e7d220ee922b3de9f20c322dbce0d2 |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | d1d574f8a34b97a0dc0ea2dbc99c1467 |
| SHA1 | a405478ce2c7d27e079a7f23dd97be5464646e22 |
| SHA256 | 9ad92958be067fbb1ba660ec6709d2be4428f79fd92cfa35f61dfe87b4d6462e |
| SHA512 | 76257ac0e7cac7dad499b861f2e50ab44566e0ac20d6eac85f2ed56a992e3239b8539efde6b80f27b90663bd579b0ac61486ca0d909288afb2ca96b790b591c1 |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | 38d19e0269808c3ce62c56e9ac4511c3 |
| SHA1 | dbb0464419ed5821042f329c1dcc121a0fc84543 |
| SHA256 | 52083c91ad10a8cfbed1658a11fe54f7dc3b63501b142b18b5d7a154415bb038 |
| SHA512 | 73c8e50a11b0bfd2ed40f08f2a257c2b1809be7e941c36b1069f74e3bd913db6ca052cc46c1d3aaf3e3ecfc00e936ffd61278cd1ae4d1e50db69a9446b2f6699 |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | d608efb98b91eee9417c850b37d090b1 |
| SHA1 | c99bb0c3098b4eb8906c159fc9f0da3c544ced4d |
| SHA256 | 5b91129e22a1bbd8e809e6e43d2cf1eb1756b8c8fe9428ddd9b8fe2a99d0edbd |
| SHA512 | b56c08bd83425f72b7ee30973a6c7833db4bb3d285ecf3f1847f38eb4c3e7af11bc105bc3c2137963fefc4119bd6743ac29a1186b8f8ddfefbfbc80389a4a3b6 |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 5f0d7aacb9dfdba96289b9425f214d30 |
| SHA1 | b51161643907227da5e192835a604b051911f4a8 |
| SHA256 | 056701e15832e67aa01e42e12f0c5c80fa0df96692d27750033b5e0d769f1442 |
| SHA512 | 479af8142b3de9145f02b9f33a66aa5e71c750fab26b35eca32d50c2eb0c299bd93a3375be142ff6a37efd0a320959c77fa6f659604039edb7183257a4f09a47 |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | ec3789cb13dc29774d4d0f76d7300ccd |
| SHA1 | bd204bbc7e3c8270accb889bf74dfc3a83b23e52 |
| SHA256 | eec6efcdd5c601d5af4d22a776ffce3c36774c1e3544eac88b6807e2e6335551 |
| SHA512 | 7d7be708d472e87a736a6a2fc3e6b88dbd34579b3e13129e52b369e67771c110d15242a72ec0f5afc0cf97b9029adbc16c5ee964af6b4d8cdd7009e964563b69 |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | 9421865ea599697267d50b4faf8d16ba |
| SHA1 | 7de944fbea8c73ee766c8a3f6ae303ab8519bd85 |
| SHA256 | b26b5a84b40f97465ca1cf01fb89b073c33f2650e34519437add61f51d7b25aa |
| SHA512 | 84b06cffd50adad042344a9efed94b93de5af502e18782e7f321a61c79e7c49607ff3dbd66d1def7864154d8f0d7415bc86fec35ffc5ae333ab95a1a77c243a9 |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | b2376eede5e93890998ca4f80675f295 |
| SHA1 | 1c98df28f0ccc2c2751eab22493553aed00db202 |
| SHA256 | 092486f61a0a57b11eb81837d295a3cf6ba0aa8363d881df512c0aa2823b012a |
| SHA512 | 2f1ff520785cde7434b58974cbf63717ed161ff0799ee9fd1222541b89ea94516fb8acc24d2e9b1ab2ab57fd68166029e26d5fcb135f14d2a4d55a3c2e139e3d |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | d9c64db6f042405f2e462005043e8df1 |
| SHA1 | 40a4338f32dc2ab511e3b53bae473b646f4ff17d |
| SHA256 | ee4adbf7837654d0991a9eb6601fda20c58cfd9934555549fee4acfff6c0856e |
| SHA512 | 1959fedeb999689c73b27486e0f5219be774dfedb067198d51f2b781a03af817d802aade221984fef0c510f708f22729f68beaee2f3981fbde786d86725a4368 |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | 55181111a80f5d6fd943075015311cdd |
| SHA1 | 429eba7b1022eb461682d849be6a56a2327d6a3e |
| SHA256 | bb0ebd256b583446d3c887848d0be23f665ac2e5a095108bc55e8b4d86ec2153 |
| SHA512 | cee88a850ee59bfc918986257df7559816c0cc74de45c6c4a064e7c4fa6acbeb08a572fa917643d468b1a7249245524ad2622123ce47888df9126fc4c7b81c2b |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | a7465107aaf3aadd88615fe7f291e4ab |
| SHA1 | 2af25c5aafed56cfc3e2f5b2ad245c2e34dd983f |
| SHA256 | bf2c99bd80348c4e43f28977d71a07af2b461f3594ea372097dbdd2fd39b5813 |
| SHA512 | c4e999482e507cc8207e065447c66e649d81e87e77087859601fe36632fcb9e679d5f9a1e08ecd49d19bb462f9f8f1842436f1df91ba1f1503c9d598f178cf76 |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | 008489d1473508448b83e09ae0df9cd5 |
| SHA1 | 315c1eb66db9eff2c86049ddc593a14ebc21918b |
| SHA256 | 75bf3a28b282a5241e2fe9b6006e04704792815ac4a934c257f3afdf1be84904 |
| SHA512 | d5fec81797a9cac13c3e8c4485379cb46756bf23244c98c2e0547b6a9e5f5d9613a72106908384da0131d3478b79a67dc190aef305a66637909738b88908737f |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | aa0602350664d95c64c0c9a378a89acd |
| SHA1 | e07d2eee7a329d3099e66a4df45dd184b14ba522 |
| SHA256 | 8a9ee1bf89582550669d1a6c3bf99e2bff7a3192c8479bdbe9baa033133624eb |
| SHA512 | 62e3008e891fe310e7448db02af54c3974b8ef8eaf8ba4f062b7106d5ca97b0826012f94f887f31907389c7c50da5e5ebc41798b2ce1cdee50f862c639371500 |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | 58591c2c0d5a95082a442acaa9ed7131 |
| SHA1 | 916e5052b41bf61a06be000e4f887bf4bec73566 |
| SHA256 | 7df74e30815e71922799acbd88ef7e6ced7a1d655a454619cc6bccb5151f13cc |
| SHA512 | 011a555704c42bd82874ad25d5df50a92aa741e18069f1b2d2b83f225574974ae9ab4feddefd6c7e50eea4ec7a541a122769c8bf8f520c5bd87a0ae480073e1c |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | 7aec05456f97749b12a638a6f678e051 |
| SHA1 | 6072c96ff39d60090370c6fa5c0b8371404977ce |
| SHA256 | a5f924832363b433ad0a7741d14d35ce09107fb3bba3f9b8f70863a37c687a28 |
| SHA512 | 8cb081ebe28b07875ed298538a3375c26c7eaaeeda30d345bbe24707b6add6cb8de43047263e8914a30d494fa8d751d2a109a2f77ed15808df2f90ad0b8a77d4 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | 06ee880ff95b1dca638cbefca09216f8 |
| SHA1 | 820bc86c490ca8329e80620b8cd1a39d1ef5921a |
| SHA256 | f9d0516746c51124eb170a4e5abdf29bd905b7d5dfef9ecdb249e06bf603f870 |
| SHA512 | dc6d257b6ff2836fa761d84d8c63e32f6a1bf172db7600f3073bd501401f0a97cb5e632e99c32a282aa206439686c5b7fe4b9167e22d3f4e591d6649b9befbb1 |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | 3221934fd1785af1e58ca068f72456ce |
| SHA1 | 385998017bb1fdc0ce07f88ef6c8b889d7113754 |
| SHA256 | f7bd321560fdd5bd49b01acfe02a9f63a66796412af9580d3a8a977285ae2757 |
| SHA512 | 33865d79ac6bef0bc8a51da7c391aaa0b02a86cd6246103c9fe7b68a740e48a448b3db24ef4856c92788f1236fc322c19dbd3a2b50a5d475500d583e06a846b3 |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | 936aaefbd0b1bc261f1d87cf6e63d731 |
| SHA1 | f5123a10cd53a6844b2740b7d1c30b9be384127a |
| SHA256 | 6db1416be02cec8bd671da438867f7e53ad7d68b9e6ede065fa05dc31b382d18 |
| SHA512 | e78e3d2eb329a36d1dabe5a80604024ba663e1429ee873d1e6c4b53ce08c1b9e6dd057891eae33e8a57478bfc395b897f204f3814dd72918776ea61373db5f01 |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | f58b430ee301223c311e9a8a9e6dc830 |
| SHA1 | f64cb34121cf0e03fb5f11fec816d1957dd8f5ea |
| SHA256 | 59317c99ac126c6e37dae097de077cdd5992a91515296f3d4ca3ec9d31b1b732 |
| SHA512 | ac133e1022d03b2e4797c7dc4d7e768b8352c79c45cd5d24e538e46973b58dea79dfc463e186f8432480cf6bf6771449bb58dd341e0a794455707b07c42f6bd0 |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | 756bb6585050830ce1d4716fa569453a |
| SHA1 | dc2e3ec4520c0a819f11a184f1467de2730a1379 |
| SHA256 | 14b5f169f3380bc699c4d9ced022d7e06d864c8b7c8af5a8435aad08c72f45b7 |
| SHA512 | 8e20bbb091929a4260b0e4e020ff685a228558c6dd09ed537426fb594c1d9e0bda9255fa94620b42bb5747edfeb5f0e036edb2f3515b547639d23795592e1d63 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
| MD5 | e62f04c5d7a81ea590f7d052af1d90f2 |
| SHA1 | 4e34a58cc72b5cecee60929f5fb72197bf11463c |
| SHA256 | f2a727df7d817a5ebd87448d5d61a351839d5ff3a0461f67d205f78296f24458 |
| SHA512 | cac00d2fc3759c395e5881f4ee539bb8c3a4fd9218c496d6331a413ce6ab221f0d11e9ac265e7237cd803b0c19bc61abfa36de608f4f0b8abffa155e222169fa |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
| MD5 | 8d23bb6011ee8564653109c7479f07dc |
| SHA1 | f5659c1feaabe21b36f033314db8e29645510526 |
| SHA256 | 5af4bc0e07d566d4a5b056d77d38cad98a8f39a409b47e17413b322e9b5a0bac |
| SHA512 | c7d7ad419ba1ce6fa61f073c1fa1042063080f9df15b2ff9450b7e133e0d7625f4ab67d0f1a5186df31816f6f46648092f483715ed31d156eef4c2fda0f01562 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
| MD5 | 8be8924c6e79003d132e4f4d1eff4370 |
| SHA1 | 9700414d79bc982038729e86e65e76af16837f5d |
| SHA256 | 4eaef1362b0972eac786e733ad50e70f47df4a5824e04c26470922784c8203b4 |
| SHA512 | f2cee15d32803577fecf7364bbb634e5cb31e9e74df63c7f2b2d65109c07d8a9f642ff24636db4a5b1c2d65ead99762da370d58cf5166e6c397424d92be68291 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
| MD5 | afcb07fc9fdcde462d7cdf824b1309ed |
| SHA1 | 07f2cf268b86f7246bc34b9bf5f334b4275b0e83 |
| SHA256 | 1bef6e3f3ecbdfe260f97a06956dc7c6e362d62efb377f96f67359e68eb80f4c |
| SHA512 | f9c5deec642dee032eeb4144f14987bf08797353ae4df838283e77173017e55107d71edaa0e1ea0a2b8cd1e11a2b90dc8935654ceab700a0f3a827af3c6b6fa3 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | 105f1836314e2b9af7d881420cb70599 |
| SHA1 | 5f1c6dbbd69e35143ffb5c322cc0a572573f3ec8 |
| SHA256 | d9dc1b27f6d3a0dd081f163fcb37da6ce8b657b4970ce1b59aa45ecd2ac61c36 |
| SHA512 | 667a9bc40709665d225c489807902e3aec07eca9a489d04aa38d84be12ce41de92034cbafe51b44eca13ffce16d5f111ecd19ad123f59c775efe12f544e15a38 |