Malware Analysis Report

2025-06-15 23:42

Sample ID 241111-3p2bjazcmp
Target 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe
SHA256 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86

Threat Level: Shows suspicious behavior

The file 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy WMI provider

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 23:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 23:42

Reported

2024-11-11 23:44

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\6a0c86ce37fbef4a.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA87F.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPABAA.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C72.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4EEB.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\perfhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2552 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe

"C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 24c -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 258 -Pipe 238 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1dc -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1ec -NGENProcess 260 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 23c -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 1ec -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 1ec -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d4 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 284 -NGENProcess 24c -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 25c -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 28c -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 27c -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 294 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ac -NGENProcess 25c -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 254 -NGENProcess 2b0 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2c0 -NGENProcess 2a0 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a0 -NGENProcess 1c0 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1cc -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 28c -NGENProcess 1c0 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2cc -NGENProcess 1c0 -Pipe 2c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 28c -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e0 -NGENProcess 1c0 -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 1c0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 2f0 -NGENProcess 28c -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 28c -NGENProcess 2e0 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2f8 -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 300 -NGENProcess 2e0 -Pipe 1c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e0 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f0 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 310 -NGENProcess 2f8 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f8 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 318 -NGENProcess 300 -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 300 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 308 -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 310 -NGENProcess 320 -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 330 -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 328 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 320 -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 320 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 340 -NGENProcess 328 -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 328 -NGENProcess 338 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 348 -NGENProcess 330 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 330 -NGENProcess 340 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 350 -NGENProcess 338 -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 358 -NGENProcess 340 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 354 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 348 -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 340 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 340 -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 35c -NGENProcess 350 -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 370 -NGENProcess 368 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 350 -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 368 -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 350 -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 350 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 350 -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 368 -NGENProcess 350 -Pipe 3ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3a8 -NGENProcess 390 -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3b0 -NGENProcess 36c -Pipe 398 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 350 -Pipe 39c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 390 -Pipe 3a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 36c -Pipe 3a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 350 -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 390 -Pipe 3a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 36c -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 350 -Pipe 3b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 390 -Pipe 3b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 36c -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 36c -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3dc -NGENProcess 390 -Pipe 3c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c0 -Pipe 3c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3d4 -Pipe 3cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 390 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3c0 -Pipe 3d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d4 -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3dc -NGENProcess 3e0 -Pipe 3f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3f8 -NGENProcess 3c0 -Pipe 390 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3c0 -NGENProcess 3f0 -Pipe 3d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 404 -NGENProcess 3e0 -Pipe 3e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3c0 -NGENProcess 40c -Pipe 3f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3ec -NGENProcess 3e0 -Pipe 3dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 404 -NGENProcess 414 -Pipe 3c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 2cc -NGENProcess 3e0 -Pipe 3fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 418 -NGENProcess 3ec -Pipe 3f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3ec -NGENProcess 404 -Pipe 414 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 420 -NGENProcess 3e0 -Pipe 408 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 410 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 404 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 41c -Pipe 418 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 404 -Pipe 3ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 3e0 -Pipe 420 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 41c -Pipe 424 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 404 -Pipe 428 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3e0 -Pipe 42c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 41c -Pipe 430 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 404 -Pipe 434 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 3e0 -Pipe 438 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 41c -Pipe 43c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 404 -Pipe 440 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 3e0 -Pipe 444 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 41c -Pipe 448 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 404 -Pipe 44c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 3e0 -Pipe 450 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 3e0 -NGENProcess 460 -Pipe 41c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 470 -NGENProcess 404 -Pipe 458 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 404 -NGENProcess 468 -Pipe 46c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 478 -NGENProcess 460 -Pipe 464 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 47c -NGENProcess 474 -Pipe 454 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 480 -NGENProcess 468 -Pipe 3e0 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.138:80 przvgke.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.143:80 przvgke.biz tcp
US 172.234.222.138:80 przvgke.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 18.246.231.120:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
SG 47.129.31.212:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 18.246.231.120:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
SG 47.129.31.212:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
SG 47.129.31.212:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 18.246.231.120:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
SG 47.129.31.212:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 udp

Files

memory/2100-0-0x0000000010000000-0x0000000010170000-memory.dmp

memory/2100-1-0x00000000002D0000-0x0000000000337000-memory.dmp

memory/2100-8-0x00000000002D0000-0x0000000000337000-memory.dmp

\Windows\System32\alg.exe

MD5 56d6819137ed029d05ed4276e87fa6cf
SHA1 6166f7b82f044491c466c1b7f9c4baf45dbd6d2f
SHA256 e8afad68418a3111bcf570860ba62909c337f20303d86561d9ed0277e6d54cc6
SHA512 4c19b77c9630130bb00db79eb8bf5a6780df3a9e826a40685dffabb53901e3f5345670db66b463ab2c92353bc0a147d38c5b6f3844f176da9d103db6e5494df3

memory/1608-19-0x0000000100000000-0x0000000100175000-memory.dmp

memory/1608-20-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/1608-13-0x0000000000190000-0x00000000001F0000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 3ed4e1c382b6e3aea6d31538a567e5cb
SHA1 8af2a0e98abc37d63ff8a25373ebe22e2e28da65
SHA256 9a20b4e1881f1b0a3f636b3e8033228ac7bf94a138ae1465b41164c08ccd2c49
SHA512 7c2f98b6bebfb811b386a66b98d3086e455e68735c2f881d997c5557eb9542827291a18c76af52a73e77bbf495094cad146d3bf5182d5d35551934687fffad24

memory/2672-26-0x0000000140000000-0x000000014016E000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 ad6d36fabf0b56f1b3ef70bfe3857973
SHA1 3be3076ad4583c2522f70150e379db671c73061c
SHA256 a77fe5814ab3cf422248bbf092b9a8d12b8069fe2b0b87d8709881d7e8ff2b59
SHA512 78d8a50a3fd3a96264a7d116efe426c88b54e4a2cf38cc8ec5c35c518e078416f470c35b9ca47d98039a642d87268fabb27af2da439faa79bb97998398355d52

memory/2856-29-0x0000000010000000-0x0000000010170000-memory.dmp

memory/2856-30-0x0000000000270000-0x00000000002D7000-memory.dmp

memory/2856-35-0x0000000000270000-0x00000000002D7000-memory.dmp

memory/2856-36-0x0000000000270000-0x00000000002D7000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 6c489ef0e0c613b3aec9aa97bd598ce5
SHA1 3af16335dcf14b72531f847ac099e0228bb32f0f
SHA256 3cf7f97635f1e38004fe88851d803253dbc8134bc26af5557878a261c6b422d3
SHA512 0f86c4f949c333e30bfefac1fecb82d6eb877629afb8bc5e2689d9e14c52101967bfd3cfd6830834876745aa14298d3d5659759853d3192dbd740885d06d7040

memory/2860-44-0x0000000010000000-0x0000000010178000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 a1aefe049eed0b1e0ab2e43c90d13f91
SHA1 c0840d6ac74e8dba6b94ff428601cb0ff8e052fe
SHA256 5a78d13d96613d36ae3073e70ff5f55542f46f391fb55113b301c426a254ba3f
SHA512 2db5dd6f2a9a5770a382f517a6a66d26866e2476500f6936a6c62950527e59f4771917762f4a18b8533e87bd3b9286e6a2bf1a79cec58d093a5b5a31133c4556

memory/2552-54-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2552-60-0x0000000000260000-0x00000000002C7000-memory.dmp

memory/2552-55-0x0000000000260000-0x00000000002C7000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 87ded53ad86959ac6f33f03abed177ce
SHA1 5d1f9dd666cf5695fabce177be8d835a26ff6810
SHA256 4a206400c3814cdf097744163b281732a4677ccb690bb5043d34f5f4af9aa00b
SHA512 6015044093410907b169c040be0522cab625b34ea97e861515e9f2f62362a57ecdb5ab8d37e793a5160ba52bdda63101e5b3a5d23af20116b4b6f8a401bb5911

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 f008119eff79d9881cb61659075a61b8
SHA1 108a55f43c26fde172ef3cf717cca8c633b857f9
SHA256 7d8debe33637aa5c9427071493e54c5c9da9aec147fdcb2f62453d49690ed43d
SHA512 75e286dc522018afe20ae029c164c79cfc3e4e98434594e5497896dac86010958591f4e8fd5dd2f884a0ed9cf0a80b1a88c56b976ce9c84990a0c7e3ac20d84c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 04be5424fad71c5f705930472e1a7b38
SHA1 e936bd60c4f18a33a393674cc03b789542ac6a1b
SHA256 cd73a91de729b91ff048c478e2528346bcd309d9b9e9d71854b2228a3dcb0185
SHA512 3679003fb6d3736b065d3353d4b95317f29a3eec1d530cf489e7b962784f439994effbca61e1bf6e4fc71254346dd342ed4dfad65313969872600d5b41011ec4

memory/1384-69-0x0000000000420000-0x0000000000480000-memory.dmp

memory/1384-77-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1384-75-0x0000000000420000-0x0000000000480000-memory.dmp

memory/2860-83-0x0000000010000000-0x0000000010178000-memory.dmp

memory/2856-80-0x0000000010000000-0x0000000010170000-memory.dmp

C:\Windows\ehome\ehrecvr.exe

MD5 e39faf5a345ff022bad3b5ed822ce9c3
SHA1 344bf2d3226ce82c20510b8c29ef77fac13b1a30
SHA256 909b519cd1836eb32396c378ae0cc7451daa75e6ba9996eaab45b5d74c39c4c9
SHA512 9e7c14d582af3cdbb76f1357617bf61ce49534e85e7cd207aecb2f1f3854f72cee5b0ab97885ff3630dc1edd362886e073b0b358cfb246f1b3db50de19fd7d73

memory/2504-90-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2100-89-0x0000000010000000-0x0000000010170000-memory.dmp

memory/2504-91-0x0000000000A60000-0x0000000000AC0000-memory.dmp

memory/2504-97-0x0000000000A60000-0x0000000000AC0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 e9bf43b8a4f05f88de713e6c94e9a790
SHA1 052e73eecf1394bbf9fea052b1d2cbcf1b41a531
SHA256 9f0ab7a1d1ebee80ac623be380dabb7022610647bc50f23a88beed3ccd52cecc
SHA512 83ff385399ebc1718512be9a16495ceb52c25db563683ed32d281f8bddf356758dade557ba45a2346adf48f67d38e4c2e15cd7eb94a1671065de3b617ebd8b96

memory/1612-104-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1608-103-0x0000000100000000-0x0000000100175000-memory.dmp

memory/1612-105-0x0000000000B80000-0x0000000000BE0000-memory.dmp

memory/1612-111-0x0000000000B80000-0x0000000000BE0000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 decf053dfedb8971b5a3dfa1ecd5e1fe
SHA1 a1303a652e146f297eb9a008a1efdfd3f41e736a
SHA256 411ce10756fce71e971000d3f5f48773934a512e0930735a1ba0899a16e587e9
SHA512 029c34ee29762e45dbc28476cb83d959c53f2e065a27fd73c4d48aadf025ccd6816d54bed1642cf0128a98f8c502b9fae416f4d0df297aeb1a8420f9342fd09e

memory/2504-116-0x0000000001980000-0x0000000001990000-memory.dmp

memory/2888-118-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2888-125-0x0000000000240000-0x00000000002A0000-memory.dmp

memory/2888-119-0x0000000000240000-0x00000000002A0000-memory.dmp

memory/2504-117-0x0000000001990000-0x00000000019A0000-memory.dmp

C:\Windows\System32\ieetwcollector.exe

MD5 a80763baeb3dec7652482fe213560cef
SHA1 374dfa6fd9077e5df2c026d9c3223593a8ed9ea5
SHA256 f0a40fca1ecc11bac277f737083c7a117db19a37f47c7211d2c4d25bb61a0b4e
SHA512 6e18df2ff2714994f4ed8b1c39a3d09ac3258c86540416dbdd0e5a057f43872f812968b6a07364a48b4b0786ec426b79c003d11c8bab9254eedfd201bc904486

memory/552-138-0x0000000140000000-0x000000014017F000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 9fd8f694b0bfea9d0f4f0fad4e284768
SHA1 00dd238464b314582b58f171d65107bea1aa2875
SHA256 887b655fcce8f73d0e360e4a84ce76dc3574459e702ee0d3edc43a46de8634c0
SHA512 0b052bf420a62f48fe31698050488f851c30b298a53d00caf1392893656ffbcb297d902bbc5fb6c8d1b8542ff10fdb3716c14db914e7d6f4b3b278eeccb96f4f

memory/2672-148-0x0000000140000000-0x000000014016E000-memory.dmp

memory/1292-150-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 9b144d6e0288ea7332310d290c90750b
SHA1 abefc752d161b9b83c52a58af795ddcc35dd60cf
SHA256 f71a92a38af72ce8200288f0ed6e3dd8ba8b0a48f53e5961f6709439d098255d
SHA512 2b9c61475a8a4ac2bb52768f270b5dda91cea4ddcd45c682f464872258fdd4baa33eb5e47b310706fe1cd9c932be383181e180370e46cbbc447853727c25dd86

memory/2620-161-0x0000000140000000-0x000000014019B000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 c9cc777d046277004bbf52d5bd55c9d7
SHA1 39235acd33bbd054e2f65a543f8167cac8bb67ae
SHA256 310a09b24f744f3267c7ce08cf8b09a967d082a6eaee1618b3848e803194bc5a
SHA512 012f3b502e6d13888c90de1258d913383c311023de9a7df03498a742762ed33b34d0484e6510311a8d2abacbb021b76c2cdace487cd23314fdf36a2160e58480

memory/3048-165-0x0000000140000000-0x0000000140187000-memory.dmp

memory/2620-177-0x0000000140000000-0x000000014019B000-memory.dmp

C:\Windows\System32\msiexec.exe

MD5 8b59fd17272e9003c02121a30b0c606a
SHA1 e3426e6ed9fa2ac3509bc60448bbe41169991450
SHA256 00b4633a0d182c9ea413d2f564316fb480d217462c18c8214e0ce1926f45aa12
SHA512 2c48decc7325e928fee5f735a48edce49b5d79c4ed917cd73b50cb4636d1ce780b9d1cde6e865e2e96d6dc4d937ac2d81bdf4019f779192d93a34092917d6d3f

memory/1072-182-0x0000000100000000-0x0000000100183000-memory.dmp

memory/1072-185-0x0000000000620000-0x00000000007A3000-memory.dmp

memory/2552-184-0x0000000000400000-0x0000000000579000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 fd05e62ede12aa46007aa5278ce3e5c5
SHA1 fdd5e4bbaa47a85a19d27e0299c6074dd67e19d4
SHA256 43221186a4c9f63643a7ab5ccb0ab0ec2cbd3fb1348ab6017b2838d91bbf5ef2
SHA512 82a57c868c1b76d6b205943926748502c8912d68b26e59dbbb3674e8694b5087f4a6b9d3ca7d481ce5756e753dd9e7f0274be0e7c40a4f2ca13a051b2673fb9a

memory/1384-199-0x0000000140000000-0x000000014017F000-memory.dmp

memory/2500-206-0x000000002E000000-0x000000002E186000-memory.dmp

memory/2504-211-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2100-214-0x0000000010000000-0x0000000010170000-memory.dmp

C:\Windows\system32\fxssvc.exe

MD5 2a1546f3909b567185f9bca1e1076e46
SHA1 e26df3db5f517828bcb22d9e4420d70f42b30b55
SHA256 3d71dbf90f7d3b0b69ebfab3fe360e36efa0dfa376da4a13d90ebc29d44fe849
SHA512 1f747c17f605bba871ddffbfd57db02adcb40e2abe775b440eed77af6546dd3af9a6ffbb46543b90a31d5b11f714697d2e5cc73a133aa9eb64d2688cf6135019

C:\Windows\SysWOW64\perfhost.exe

MD5 1b57cf5a6f5b41e6ae283afda28b7164
SHA1 0d2bed9930afe2c3809e02bead53f158e90708f1
SHA256 c7647146608d4c238c4d385ea7ebddc2c2a56215055fa363b92f98eb9c94d233
SHA512 97fd9d063d42b15a5110e165084c268477cab3d777c41f802a27b43f31fb13c4372aa74ccb52aa71b069781526154dbebe4a92f2a32afbbdf17d11b69f758330

memory/1612-220-0x0000000140000000-0x0000000140183000-memory.dmp

memory/2580-219-0x0000000001000000-0x0000000001167000-memory.dmp

memory/2888-251-0x0000000140000000-0x0000000140237000-memory.dmp

memory/552-274-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1500-284-0x0000000000400000-0x0000000000579000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

memory/1984-321-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1292-319-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/1500-324-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1424-335-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1984-339-0x0000000000400000-0x0000000000579000-memory.dmp

memory/3048-356-0x0000000140000000-0x0000000140187000-memory.dmp

memory/1072-360-0x0000000100000000-0x0000000100183000-memory.dmp

memory/2796-368-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1424-371-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2508-379-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1072-373-0x0000000000620000-0x00000000007A3000-memory.dmp

memory/2796-384-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2500-402-0x000000002E000000-0x000000002E186000-memory.dmp

memory/2508-415-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1868-436-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2580-442-0x0000000001000000-0x0000000001167000-memory.dmp

memory/784-450-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2516-455-0x0000000000400000-0x0000000000579000-memory.dmp

memory/784-477-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1948-479-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1948-496-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2092-517-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1896-515-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1896-523-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1236-543-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1392-544-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1236-556-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1124-567-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1956-568-0x0000000003CB0000-0x0000000003D6A000-memory.dmp

memory/1956-572-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2944-591-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1904-600-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2724-603-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1904-607-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2092-619-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1628-629-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2168-648-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2656-651-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2208-662-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1376-666-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1376-686-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1204-689-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1612-694-0x0000000140000000-0x0000000140183000-memory.dmp

memory/552-697-0x0000000140000000-0x000000014017F000-memory.dmp

memory/2504-702-0x0000000140000000-0x000000014013C000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 0b0006cf35447f8fa4e0e0c8225b5f76
SHA1 f262d9cdfc91b99c672abcc0c75c92d2f7969850
SHA256 3c8654dd2dc957915be77cefd2a2ed3d3982df26366c9389c915ef08f529f5f4
SHA512 2020c88e7a46d38d37a1ca14310a010c687fd5bba6f106c4eaf7b915e16d8773e25ad2d5fee878df3579d4332678230b225b7d659f0ec9fd32c38a0c135d8ecb

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 49e5b34f95d6d28df4cf9fa2e6050b90
SHA1 4bfe70c18050b636586651a8b76af70826985348
SHA256 86eb4573df1f51cd4afe159dcac614220cfdd730a81ba4f34d8833851f4df570
SHA512 224e985e4f049ea99f48bf219cf2b571e2e7040d663f708e41efbbb576973ac0e0ace8e6c9a0c27ac361ae5c9d2d5cabf28f410eec4e46f3c3e75d71cb7f5aea

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 28721e4172b5ddc29beb7bdcb0a1e2b5
SHA1 0e8a3785344ca0d17e905d396ac11024b7dc76a7
SHA256 3aa6d11c67e63dcd852bed6e698b2bcd0b1ff5008d8091a9f7921743c387fc95
SHA512 f8c47ad107eeef3cc76f22c8bef4a2551afeaa53bff0bf2d0e3996a0a93757662d851aa78c99879b74b6176b8ccb48301cdb3ebba08035df7799337268b84235

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 6b0107f3415026708ab0addaf7fec986
SHA1 fa264a145609fc27022363038ddc8b77498f3f78
SHA256 480e05667123d4488cc34af658642bf9394eda8f9de263a485f9440d9682403a
SHA512 ec4abe66048dc1dadd86f3e0a51c97c4764b8daff8d7df3a94dbb974ed214470c4d2800ece3e8a931859817c0132fe8aa83779881930cbde3f7a230e30aba99d

memory/2552-714-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

memory/2552-715-0x0000000000CC0000-0x0000000000CDE000-memory.dmp

memory/2552-716-0x0000000000CC0000-0x0000000000CDA000-memory.dmp

memory/2552-717-0x0000000001370000-0x00000000013FC000-memory.dmp

memory/2552-718-0x0000000001370000-0x0000000001414000-memory.dmp

memory/2552-719-0x0000000002350000-0x00000000024EE000-memory.dmp

memory/2552-720-0x0000000001370000-0x000000000145C000-memory.dmp

memory/2552-721-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

memory/2552-722-0x0000000001370000-0x00000000013F8000-memory.dmp

memory/2552-723-0x0000000000CC0000-0x0000000000CE4000-memory.dmp

memory/2552-724-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

memory/2552-725-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

memory/2552-726-0x0000000001370000-0x00000000013D6000-memory.dmp

memory/564-741-0x0000000000400000-0x0000000000579000-memory.dmp

memory/2420-744-0x0000000000400000-0x0000000000579000-memory.dmp

memory/564-747-0x0000000000400000-0x0000000000579000-memory.dmp

memory/1956-755-0x0000000000400000-0x0000000000579000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

MD5 8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1 b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256 a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

MD5 4f40997b51420653706cb0958086cd2d
SHA1 0069b956d17ce7d782a0e054995317f2f621b502
SHA256 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512 e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

MD5 a26acc4c7bbfa64cc0c3368c1b1fb0c0
SHA1 55970e941d92e1ae7c262f57f6d3bd1701167eaa
SHA256 91b0397b7affa85c7af6288fd13ea5f267b3e4597868ed40b543f8aca5e4d958
SHA512 df469bf164330eb22cbca20f92d88004408e047ec265db11e939846e4c096b7100ba3bbfaa3cad3c51a5c00b07e6f1702a96d360ea8bb145f7fdcf598bcb827c

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

MD5 71d4273e5b77cf01239a5d4f29e064fc
SHA1 e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256 f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

MD5 3c269caf88ccaf71660d8dc6c56f4873
SHA1 f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256 de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512 bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

MD5 ac901cf97363425059a50d1398e3454b
SHA1 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256 f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

MD5 e3a7a2b65afd8ab8b154fdc7897595c3
SHA1 b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256 e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

MD5 2735d2ab103beb0f7c1fbd6971838274
SHA1 6063646bc072546798bf8bf347425834f2bfad71
SHA256 f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512 fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 9c60454398ce4bce7a52cbda4a45d364
SHA1 da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256 edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 c26b034a8d6ab845b41ed6e8a8d6001d
SHA1 3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 aefc3f3c8e7499bad4d05284e8abd16c
SHA1 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

MD5 0fd0f978e977a4122b64ae8f8541de54
SHA1 153d3390416fdeba1b150816cbbf968e355dc64f
SHA256 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512 ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 6eaaa1f987d6e1d81badf8665c55a341
SHA1 e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA256 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512 dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\73ab166f0ccfa8df85e53c8fd28a93f4\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 0e869b3bb5de5d9ab94b09fc85203217
SHA1 d016e9a76503085126453e11019ac458ab10dc6c
SHA256 33ee0ae60cc5d46b61027723ebd45e91e95ac85e3829a7a9466f6ea540812171
SHA512 00c209f6e9ba108e0ce9e07238aeb3e696b80d649d9fd7a6cc7902e43ce6e612f4bfce453b2f8c953b025d941f86f16020dc9ba5cf93c6d1403209ca546714ae

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 1eff63517430e183b5389ba579ed93e2
SHA1 5891927b05adc6db5464fb02469c113a975ebbf0
SHA256 b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856
SHA512 2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a94b3ae8190566ba39cfae5d347efaef\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 748850c1e3920d9fa5afa212be8a0866
SHA1 dbec64d0cee4a308e059e6e8c5f7617e1d8d6249
SHA256 4bac3aed54c598be64894df38406f1e3f200be3b3310e43787ad4a0ec9c8e624
SHA512 1dd17be98a47671f2fd8e4a68e7ea447242af8fc1180627908190e45dc3b3134aa82e01d16ad20f713db9aad9b9981976c069cf4119c72bef395e765144bbc05

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2250002a7e02c5278f8c6a84bad8937d\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 ddd98ba58d9d7a5ef303c94779601467
SHA1 d61d59cf21ae21c7e80699fc571ed1530b8ed750
SHA256 5f48a518da7c946615e2ef89be2b3d38539be8f554b629524ced4f7bab094ad7
SHA512 24088fa4a5b5be255e1455420a7bf155570731f57042bfb447f3b9e0247a17bb1e51d9c1ed8c85d86d2f0282e962fc5f4e1e4999f1e7147a8d23e471888b0aa6

C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

MD5 7812b0a90d92b4812d4063b89a970c58
SHA1 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

MD5 3e72bdd0663c5b2bcd530f74139c83e3
SHA1 66069bcac0207512b9e07320f4fa5934650677d2
SHA256 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512 b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

MD5 aeb0b6e6c5d32d1ada231285ff2ae881
SHA1 1f04a1c059503896336406aed1dc93340e90b742
SHA256 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512 e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

MD5 006498313e139299a5383f0892c954b9
SHA1 7b3aa10930da9f29272154e2674b86876957ce3a
SHA256 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA512 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

MD5 e88828b5a35063aa16c68ffb8322215d
SHA1 8225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA256 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512 e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

MD5 c76656b09bb7df6bd2ac1a6177a0027c
SHA1 0c296994a249e8649b19be84dce27c9ddafef3e0
SHA256 a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA512 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

MD5 0637ad2bf6fc5ac1d29e547155bc818c
SHA1 a502879466b6dd37eae5881bbb18353f97623852
SHA256 868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f
SHA512 1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

MD5 da9f9a01a99bd98104b19a95eeef256c
SHA1 272071d5bbc0c234bc2f63dfcd5a90f83079bbab
SHA256 b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d
SHA512 dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 23:42

Reported

2024-11-11 23:44

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2750b44ac1221773.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060f5ab5a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000969f385b9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7588f5a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3449b5a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005dfd65a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025467c5a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000201af15a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da04fd5a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d43ba5a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000978fe75a9334db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe

"C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 172.234.222.138:80 przvgke.biz tcp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 172.234.222.138:80 przvgke.biz tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 138.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 przvgke.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 172.234.222.138:80 przvgke.biz tcp
SG 18.141.10.107:80 knjghuig.biz tcp
US 172.234.222.138:80 przvgke.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.143:80 przvgke.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 143.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
US 8.8.8.8:53 vcddkls.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 8.8.8.8:53 fwiwk.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 vcddkls.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 8.8.8.8:53 gytujflc.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 208.100.26.245:80 gytujflc.biz tcp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 wllvnzb.biz udp
US 34.211.97.45:80 jpskm.biz tcp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 18.246.231.120:80 vyome.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 18.246.231.120:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 120.231.246.18.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
US 8.8.8.8:53 vrrazpdh.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
SG 47.129.31.212:80 ftxlah.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
SG 47.129.31.212:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 18.246.231.120:80 qpnczch.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 8.8.8.8:53 brsua.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
US 8.8.8.8:53 qpnczch.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 18.246.231.120:80 qpnczch.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
SG 47.129.31.212:80 oflybfv.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
SG 47.129.31.212:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
SG 47.129.31.212:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 8.8.8.8:53 mgmsclkyu.biz udp
SG 47.129.31.212:80 mnjmhp.biz tcp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 udp
US 18.208.156.248:80 tcp
US 8.8.8.8:53 udp
SG 18.141.10.107:80 tcp
US 8.8.8.8:53 udp
US 18.246.231.120:80 tcp

Files

memory/1620-0-0x0000000010000000-0x0000000010170000-memory.dmp

memory/1620-1-0x00000000009B0000-0x0000000000A17000-memory.dmp

memory/1620-8-0x00000000009B0000-0x0000000000A17000-memory.dmp

C:\Windows\System32\alg.exe

MD5 a9d4c7816853786dfc4af210ece75f17
SHA1 f8ac0ceb9eaaf41d97586dc5c09a177411b8edba
SHA256 8b401e3b3244a526c8ea2afaade13c19964e91dc100fb9bebb386f917c41ed76
SHA512 cda2b4c9d2c5b3cdc3b7e0e7dfb56121f1388c2f9cf0baa5785cab37bba5162932e69e0e8becc5714565486dc10a660df00773283ed4a5291963ab2f2ac03d08

memory/4152-12-0x0000000140000000-0x000000014017B000-memory.dmp

memory/4152-13-0x0000000000730000-0x0000000000790000-memory.dmp

memory/4152-21-0x0000000000730000-0x0000000000790000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 e8da1d66903b6e71be97ede72a6c440b
SHA1 32179701bc3862582089d6355e3fa369d74bcecc
SHA256 e00e3eca937d59ff151981d13c77d6f0b4bc7a98debcb844413ecd7149463b5b
SHA512 2f78f4f71a5a14cabc936f8944909689562af414e5d235c77088faea42fa6000898d69749be4be5b7eb23da15a032f552a74c78810b585d000aea6b1a90bd378

memory/4112-26-0x0000000140000000-0x000000014017A000-memory.dmp

memory/4112-27-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/4112-35-0x0000000000690000-0x00000000006F0000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 d18f5d36e22252ad9859936251b133ee
SHA1 0a6e3118e7d2b4035d790d27852c272c6a43dd92
SHA256 aec259631f6f44821e627083f1f3cdea1f416d6b65f0595eae28c44be818d2b2
SHA512 9da9c80b028b4e409782a6b4bbfea0ff563e3a52ca3c536fe2bdf559aed61a692a98742b371c247c0f8dd8c74be31b1676dcfdd9428fc74c480f25d789f12384

memory/1876-38-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1876-39-0x0000000000740000-0x00000000007A0000-memory.dmp

memory/1876-47-0x0000000000740000-0x00000000007A0000-memory.dmp

memory/1876-49-0x0000000000740000-0x00000000007A0000-memory.dmp

memory/1876-51-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 6dbc025ecf4d88980d35c4ca7e81bf28
SHA1 9524fe4b984dbc48ba0af602276a6919f7eb4903
SHA256 b839aa324a450e924c667483379745953c6ceeb929dba237294b9ea14b5b9fbc
SHA512 da961e394dc69fd026f276302e264fda036ded37d02ad8ed14a008634b45c1fd69844111e1492d1110fdf4c646b7027db25130bbbe8d6f90a91fe7967ece18b4

memory/1700-60-0x0000000000C40000-0x0000000000CA0000-memory.dmp

memory/1700-59-0x0000000140000000-0x0000000140234000-memory.dmp

memory/1700-53-0x0000000000C40000-0x0000000000CA0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 7ee3b94f8f857c1a8d0ab1e1e75982f3
SHA1 0f4dc25170b908367d40f38ece4548d5af65e0a3
SHA256 1fd9a389ea8ee2ecacb436ad14b94dc18d7cb9df63992c5e69433b73966f7d3c
SHA512 f7fbaa2279d9c363cd1b0bd96f208cd8906d815c1182191ed36ab41c861fab538c760182ea880b3bcf04bc3ffad049f594a35854f3320031da5cc4fd8430f22b

memory/2844-64-0x0000000140000000-0x000000014022B000-memory.dmp

memory/2844-71-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/2844-65-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 a661470634ee17f95d0d313c80de781f
SHA1 b3139874b8463fe6bd76b34dab2a45461a05d3ff
SHA256 a89937fce57bc8b266f0a87eb6f7c2d896ee297b8b51eed900467c8fb482ded3
SHA512 ae675c6af8b179fa701e3303e4818df66dd86a3399a45f6c6e27d445bec653f0f643014c4265f0d54b0ef37243912f55b617c52589c00a1f03707dc940bc7efe

memory/2024-85-0x0000000140000000-0x00000001401A0000-memory.dmp

memory/1620-83-0x0000000010000000-0x0000000010170000-memory.dmp

memory/2024-81-0x0000000000C10000-0x0000000000C70000-memory.dmp

memory/2024-75-0x0000000000C10000-0x0000000000C70000-memory.dmp

memory/2024-89-0x0000000000C10000-0x0000000000C70000-memory.dmp

memory/2024-91-0x0000000140000000-0x00000001401A0000-memory.dmp

memory/980-92-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/980-88-0x0000000140000000-0x000000014018A000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 34338bb398d6f622e414fd52626555ef
SHA1 a4d3ea57be8bbdbb94cf09d5aefeb2911fb4ee08
SHA256 cf28bb9a84d8b608a486610761243b80d12a8dabae81e2b5a9faad741f21ba91
SHA512 aa75df2c0040e47773edfc04a47c72543699f70a57fcd980e24a35af402ec7f940014e249cb88af40e85fa95374dad3d1cebab4d769deb086e37edd61239570b

memory/4088-113-0x0000000140000000-0x00000001401A0000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 21296acecd771ba089d07d8df60a634e
SHA1 3ac267774ca266db5111f8c4b49dbd7fb931340b
SHA256 6115b3bdf27f1eb0690138f250447c779c0607b19055a4e251d845b4b81d31ff
SHA512 5ccf119c90fd0116c69b6759ca506b61cc60583b7b03c65d8080521831c7460d430631ec7040e4916731cd28fd14f1bafca14cfce6025401efc5315b97a79cde

memory/5012-115-0x0000000140000000-0x000000014017C000-memory.dmp

memory/4152-111-0x0000000140000000-0x000000014017B000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 18df0ee65d8e013b367e7386b7288453
SHA1 b0066722d1c2e0b2b9f05e23a1f5473bab9533b2
SHA256 e71d8d22788e5e13369ba580008ca29bff3eb12c29bbe794b1f8bb18ce78c4c3
SHA512 36e67b5d57e97ae2b24072b580bdb10a60a4d3be83f06b53d423534a740fa8b9a568c0973ac5e1c57e1ad635997b936249c22439811ee48664ff63c8911c155e

C:\Windows\SysWOW64\perfhost.exe

MD5 c43ec19a37bc649e677be91e936ef537
SHA1 b8cc6a21c2016f5abbb2959586f7b68e051bb5b5
SHA256 9296c6fb6a0fb4d9c3230c877c73f2d0f1b7b5721a9c4ec1f236fdd23a3884a6
SHA512 a71b7a1ea41b767fb57d82998f9c0565198ecfb5ba53ef8d96c48f47e1b1d361a4330cd4a49988ca4cb097a40b666d69f2496a5ca738a876d0a90b0429bc53f6

memory/4112-129-0x0000000140000000-0x000000014017A000-memory.dmp

memory/5104-131-0x0000000000400000-0x0000000000568000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 ac232ad93cd4debbe661a0d64fc8f981
SHA1 cb7b609674b6d8c3db6997ec3d4dfd5b1a46a539
SHA256 95b05461b38eb8cae2f2c74d538d3e2b0891ae2d5d3ff246efbe2693f4fb7789
SHA512 4243625ca034b2ce6b6b6b16cf15968df6a5d646401ef260097a53da68ac2dfedee8448dab397c486437e5b833e8a19d90973ba4cccb039918ea9168bdf75810

memory/2444-133-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 5d793e2964b879523895ea79d79db5b0
SHA1 1d532eab58af6336fe4114f94cbe16182cb1bd57
SHA256 cb404a61689b31949bd68dac13b1e57a6203af1b460cfcff8865da08404a4d3b
SHA512 d1eb13fa0481872dcb34932dcbdde3dcb8c7a68941da63b1fb26badda2faea4ae5002c789a6a80c4fe5ef3540aa8c05fc42be41c0513331e235ce5ce028ca9a8

memory/820-152-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 25b9c5503be81453512017870a3dde7e
SHA1 043ae49fa60e1b4bef55d512310bf94ce19710c4
SHA256 533ddb8dfdb6f9f5c84a040d7198b0672aca616e98d7d0a6e469a03647c31dd8
SHA512 8c0238036bff862ca79030a3743a74e4126dbcbe65179021b321f2a48eefacc00653226829f955b729c4586f187cb2e9e906f462dee121068a240f8135e07e5d

memory/1172-156-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 08197cb6d836bfc1b391fdf4d020bdc1
SHA1 d013488e1958d9e1ca45053e0eb618f9cbe91cc7
SHA256 99b147db85628dfed15cf1ca34bd18d94b3754b1919c8f35f6f701c9b9a45cde
SHA512 83f376fbd54ca3d69c519e00bb1e6f059ae856213077e1a4b94fd3054e758f81354dbc29e8b13d75268444fde4d779df201b1ee686ea9bf1417b1b017da7ce59

memory/408-168-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1700-167-0x0000000140000000-0x0000000140234000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 d143540b35e705593d31c8ef01a1354d
SHA1 9007e0a426954fcf299e35e49d087e1360a9f085
SHA256 534032b3edffb1cdc2810af6fec21ecfb148ff6e98e9be78266c1359cefc2446
SHA512 1492a3e73ef1b9aad77fea527950f6a3b1032756710f6b880fbe933e274920aff3f26cd94420df97101804dcf2a74339fd2b7c570798ee39f0c51082b809631f

memory/2844-179-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4544-182-0x0000000140000000-0x00000001401D3000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 e52998a6baabc46a42e25f86a2344bdb
SHA1 52c3c9c9feacc0540d8be85cc7fced016de0c620
SHA256 6c67ad8a17f2a2d0dd00c242962556bdeeecafcad227584d775d5905dc666df5
SHA512 4068cdb7e9ce6bcaef228adf87180375ad6d0f3094c98d60783a0c83b74ad0197ddbe77b57ae8f9bd4e0605f6548fd89e76cedcfc181d92b516c45457f357fb4

memory/2084-185-0x0000000140000000-0x00000001401B3000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 1c516bfee7115feb19105b9816000328
SHA1 8008f87879fcf307405485a5169c2da64c1279b7
SHA256 048a6e6de1188bcbc7edd79ed81295e40f711a69e5a892156f0aa73adc888735
SHA512 2ebfb0f32029c67c5a5199e9def390855047650400318409c04fde1703b827ca5dd90b1e300dea311326c837894104538e96761ac5be419b0ea2d13ec70edf16

memory/2236-203-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/980-196-0x0000000140000000-0x000000014018A000-memory.dmp

memory/2236-209-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 629c69e87402ab2f0ba754780d36f880
SHA1 d7bc964dc27a27d84d6dcc7a5dc91d42d67b716c
SHA256 709de65747278c035ccbc246aca1226280506cfecb7c62d34855d889f936e0d1
SHA512 9ae39b073c7de4a781e41e0c1b43ef5052dd813cca88eb975b1662563177b2b8025aa6a36138288892f576991dbfa109e841fbd172e861771fd1a477b4877550

memory/3208-220-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4088-219-0x0000000140000000-0x00000001401A0000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 cc0d27040e35d825ef1f9801b26995f9
SHA1 7c96506ee114830cf131bed914ab75c6dbf62487
SHA256 19319049d833487e10766d88f78a9fe763394cbff24f8683ace901d9d5801901
SHA512 a98d06ee85442c0f5870ce200090153846a4ff0ea329e9e041b6338718045b91b4c4dd723cd0ec535a35fcc4b5bd5cfebd97a0f229e5e5d652f40cffa703d3ed

memory/3716-232-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/5012-223-0x0000000140000000-0x000000014017C000-memory.dmp

memory/5104-243-0x0000000000400000-0x0000000000568000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 e862543cfd5238ebd354666cf6e94af4
SHA1 d4e55d47e18d2fb99dda4fbaa0f8aeb53a5e3f61
SHA256 70c568ecfbc93c58c86297e7096fc3a7025322412deb2506feacd1b958505e47
SHA512 7d018d5c5605a3cd7ea47c3da39dab315ef0e86b55a9a93920dc699befd4b45b04a34c5c554abc57d7344d5242d23eb401449e866b33f6b69ca3465c20d48ff6

memory/4048-244-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 6de702e11bb0b2228c9368d37a230da2
SHA1 72b7e879411f2e6b45a18e77946fc42adfdbe423
SHA256 66cf448bafab8aa9f2cd3ff99f53a84f7583020f01a73bcbf40d97aa3472b0c8
SHA512 85b502bda4b4ccc114fc9e7c12c07f6ff0ad3830a1389535529385a2384de9d7557e700f514197d442cfbe6c46254c599cc71b5173d71c60c79c25299b0ce692

memory/2336-258-0x0000000140000000-0x0000000140197000-memory.dmp

memory/2444-257-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 5eb0b3db2d3a691cc662029be4f50aa2
SHA1 fb7d241cab6636fb82ac395fd0649c592b3bfd63
SHA256 b5f250306e26db0a1b47860115d47bb3031260382fbba80824300ffc6754636a
SHA512 02da1e9809635341ff58c57c823e1b29f5805b8da96046d09e3bb4d4912965e8198224051086515dbf0c9acf64af42309d5859098f72a93e01708636e0715b8e

memory/2064-261-0x0000000140000000-0x0000000140179000-memory.dmp

memory/820-260-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/1172-328-0x0000000140000000-0x0000000140167000-memory.dmp

memory/408-347-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1620-354-0x0000000010000000-0x0000000010170000-memory.dmp

C:\Windows\system32\msiexec.exe

MD5 e1c3fcd6f7030f1e1f3c0ab3d66b6e85
SHA1 3fcb1058015188da82fa0aa180a716a33c48fd87
SHA256 9fd13dce026c7b244bce534072202098a623d42031bdb663da716de34f22d2b3
SHA512 9e4a014019b9c1a8b72e93fdb7a587c59286478cf645b122fd810bc9c8c0ded9c2465410e0c26aeec9ee8a9dc5e09e11ad64c5ae93cd3f01e02b75b76bcddfcd

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 9f349229b258ac9e07e27158971dfa30
SHA1 ff8886022dd649ac0f88eed5f9b497d73f4a1e60
SHA256 2fe18c97a0c4a1dfad138518498df8d21ae373aa212c0577420b0e7e6f4d5a96
SHA512 8653322915853900f1f13608da130f9314a77691485c197379a22f85f21f1a7ddbf98c1a317f26c49145979285b7a563ddfa072c98fa130ec0f6947ed0df60a5

C:\Windows\system32\SgrmBroker.exe

MD5 3334f695d6d591bf336a3781649be07b
SHA1 7adffdba8c97702422ee6347f036814a2c16dba0
SHA256 01fe457dbd36c1b1d988e19ef355602d1e82528eb9d2cc6bd8ab8c8286d765e6
SHA512 c0ddda6f7424b41b84ea48285fd2b13dfd3edabb6645f7bec78102e816697523b9edf0b0c9ea4c8e17ad67c764e5021aae12b9b818967c8bba4195511463c5a7

C:\Windows\system32\AppVClient.exe

MD5 7857f68b5f0611462c4d01e415e63fa6
SHA1 5a1d9a0849c92c631dd953e1bdcd10ca70e916aa
SHA256 d6dc3675d50d87b055140969938f781657435204f122e063e7cd4ac5e389acba
SHA512 0c1b48869fe2cb9e8b0d2624e5bea8239d00c8529e28e715adfa4e94f75c9f87734a9fbdae2277a34a0ea9aef78fa4bd8682da89df17e0b4ef78de02131bb1b2

C:\Program Files\Mozilla Firefox\updater.exe

MD5 e67d6f4e3597a17b50eb5acb0bdedb4d
SHA1 a155ed5e8846dac0a390a8c14e7154db6eac32e6
SHA256 e337b149e7d82a5d257d48857a70960bebd4a653ca20c4c6a8be026888265999
SHA512 9737eb81ecc81e5d86f81a7e8e28bf584a0a17b6483d66622ad8b26a2fe70587641e33d5aee9af812d550c72859467fa88a03b1dfffc1bef9d3c5b6874e78086

C:\Program Files\Mozilla Firefox\private_browsing.exe

MD5 f49c5a7baad12fce142230d71e3d374d
SHA1 5e9120d9a2bb19370d76d5264dac7db1277df59c
SHA256 5fa74b5ff2c7629e60587341d3fd27c701f11d2dc72e5a707c9edcc09649c30e
SHA512 83984f613061cdf69e24d7be474ec9ad78b83983e79484874321bd6219997584a16117239d96497425e1bb3bad59eb1191bda16540011aa62e24a9e6713b1bf9

C:\Program Files\Mozilla Firefox\pingsender.exe

MD5 53139672a0cd62c96bf0b9e7843f6b96
SHA1 e5c70c894128b50881ae0fe9dfbac488c56ebf89
SHA256 e7c615b5bb74f9b2495627b422b98fa207d6ff689e7e8688d6e09606ae0f6789
SHA512 b14ac49aba553e4ff93daa6ac5a73f820d6f7ac94a6067cc21f8b00ad347adf6f61092b589a50d390185ab4a5424876439e9f4cc3d3119925b2aabdff6cea9f1

memory/4544-384-0x0000000140000000-0x00000001401D3000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

MD5 76b65a3ad1cff143f7026b4bcf7b2e07
SHA1 709cdc360bb7da2c2881a1de845e37e0936c6947
SHA256 a067fbf39cf75d19dd753b77dbb51da085ec5a85cdba986d97fb18aa68106b84
SHA512 6bbf82b51150b175a8bfec897f8442488889424f1587564b8e7696be82627581df2cb8fc08a80b7fe4194f66e162c89ba7fb54bde0b5654db22c8548a6b5f98b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

MD5 d48cf7141bce82c436f73450b7ee22de
SHA1 a51753be88ae17d836887e98c500fe445009e04f
SHA256 f0ddb94f8e48972f5d03342ce08f3079d7a7311930139c1441bb6c0bc103d18d
SHA512 f8126373412b4f572dc3dce3c20e00c7015d765bec9df9dbe4ee63f29e7af27b0cc37552e66ff5087f145231ec6ace034efcf386c970543fe903535cb6c3a8bf

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

MD5 400f8e9d874cc6c08d9fb24aba2c97ca
SHA1 7e37083344065a2cd9502cc19fe81ef2345239ed
SHA256 b7b9eeb2455dc413c988c8a2e49e90fc661a2906c1c53a6e80bf68a59366d584
SHA512 4530a9d826264b1113ed8ab49bc81a5b46c7fff9989ab3cb1dd20232120c7f96c5d97786e28ffd2e3e1f169ed8262d22e03dfa35093e42175183d6842676ba97

C:\Program Files\Java\jre-1.8\bin\unpack200.exe

MD5 55986cdae998d39005ca9b8177ebef9a
SHA1 d31a090a04e02149bbbbe57e22392dfbd3c74fef
SHA256 4f63200fafee133783e68bc06c2637af640e03c90bd016b7dcc08859e418f46d
SHA512 b1e50a99a801533a304c7b20b1a0f367b67b2eb94f2336e6ed8093604911a7190a3e579697426275d64a6a0f1be0719b989a9229fc17e52990ff7b489262a73d

C:\Program Files\Java\jre-1.8\bin\tnameserv.exe

MD5 aa0d4efdaea83584624bc6272a941eb4
SHA1 ebe950b48b1e977b01bbf902b6cff4b9054ac4a7
SHA256 309a7fd11f4cfa7dbc965c17cfe5efb959820cd430e71cea9d7937b85d612c56
SHA512 b9cf832fc1db4b8b7e0955af2daa6d787311d73c10948a8f6016dd389b65a52505e25353f032ab962395ca1be6fa76de5eb5fddf0caf4291b5668568a3f13d2c

C:\Program Files\Java\jre-1.8\bin\rmid.exe

MD5 633f118d14c1a7bd461038e511efa9c4
SHA1 573883fed41ac5e2ce4dd6eb18a7216663606b70
SHA256 bc090ca2575c14d8cb721f405422a940ae3ded1c473ea927e1052273332e1e06
SHA512 84de6af849379760095fd21cf3d2ad6860677a0dffcc20218c1a5294cfe714ed6c9adf75682ad0c2bf5694991b8c4381b0061fe1ca5af63dd551d2e613018b85

C:\Program Files\Java\jre-1.8\bin\ktab.exe

MD5 cbefde7f884cb2a14f3f05baf2306f7e
SHA1 a8c94971eedd0cef51695ac661e3cb0d7d583ba4
SHA256 00d177582a50e26bf7a5c2f72aca05eea097e1114f39ce32ce69d27988e1364e
SHA512 935facfa975eb35dc37a281b9caf3eba10b49711b1ab0712c5236d17374424fc8d68b3d4d26982dbeab03a494ee0d959212e527336e90d600b93214fc6334367

C:\Program Files\Java\jre-1.8\bin\javaws.exe

MD5 40148b38fc9cf3ae0dabf90f8aaa0dfd
SHA1 6d2b7cc247e88a08640f2cebc48081d382a6d8bb
SHA256 5b1771e0475542eb353e15cb1df0e6d26618bbfb8922e4b1398a499603ce2ab0
SHA512 ea3b8916d01cfe2a4d4fe4f7a455fa71891520f3abebe8b4458752b2cc1aae3b704e2d6f1ec71e30336b0c71dea9c4a29ee4a3995199ca37db654d0fed635e9d

C:\Program Files\Java\jre-1.8\bin\java-rmi.exe

MD5 9d8fbe6107958f573a5e764b17fba145
SHA1 4e1a271df6dbfac235351bffdcba691f11c1a708
SHA256 85222f0944e1786c3f9327b97c7412ff9dd739554bca52cf01137f66908979a5
SHA512 3ce45196f69d5a17452a1850f44f03b27a90a30fedfe3bfc10f142b41eb81914ded1a618a54ca0ca0df76f65069a2170334971276a139ffa4b45e95396afe0f6

C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe

MD5 702d828725097ecee0655a91a653b9f0
SHA1 5ef8777920986e1b14e3d2cbea9d6d98df1862db
SHA256 88de71a22e1ee012fa1a737f4cb1acbedeee0451831a4070d0f306a55ec5fb7f
SHA512 4ac8e0bd3bea892777d8324f37f18ab6360748393585670dcf42e00df51a0700df1512c5206f95dc803661f640a77a55e2d80761c5858a650032f51a9701d1a8

C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe

MD5 647b32dd9d33b8e073a85d3c48a3a0d6
SHA1 039b31f6bf4bbba944c24239abf1515ce1e72709
SHA256 47a319b28b9653bbbc5483d4c46973d9b28bc9c7a4232778376bc4c893bfb30a
SHA512 9cc1408ba28a3583a705d3a6d5fecf65f8a7174ef158fc61adca28988cd37b09dbb955e95edbb6eae588c42999b7f5937e7766e4ddcd259b2bfae138fbb328e5

C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe

MD5 c6d24e27e0e2ae8e185ca8e670c3ec37
SHA1 1975c6edd70840377ae3b1472f2ee6ce3797f320
SHA256 76c6b8e2d9acd2f73171312dc918b1f52431ea5f11e1d2914ad36c9852fcaac8
SHA512 fe941ec78d4fafee23bd129e403555ff2fa1b5a3d6c57eabbf11c3ba6e2970205dd1aa48c8c460c436d2232453a061d80b13e9f0caa2954dd33db912923bc606

C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe

MD5 bdb08421a5d1dba047c06f1aa73fdc95
SHA1 55103c4ae88828f23c96eca2a401907ca9994a64
SHA256 d654e617a13107b0a11714fa3b09edf4f574d009ccba851106781dd04aaac852
SHA512 09db2a578b0e10ad9ebc7cae232aa28ddd34bd8a8ecf192405beffe885cfecf53a81a91297608b19f23b41dd9ce9cbaf6ed2a7b0069dea1ccf7c87ae0a2b9e27

C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe

MD5 49292cad84702c87af09106ae86c71ef
SHA1 1597eb7ec7c87397fac6ca36561b4ff9de26d071
SHA256 09447bcb44e81d93320cacfb5590bc3b49f331a41ecc9df5067e19eaa559dab3
SHA512 60179eaf1f924341e37c41b1bf86948e8d0f0089eee0f6e57c6c7db6e08128946c54ef6895c356478eb112a78121969f2072c36a52190106b8b6db5ee17a5304

C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe

MD5 10ee17709b2f419ce461a7c27a673e0a
SHA1 469d00efd3a5e7147b57b447e751cfb9ee57e5b4
SHA256 b7885af3f244b54329cb1a9618b73fd67cd658dac907e68f41ed1b00d540a49b
SHA512 747db856aa5cf9283384fef02a737326faab91dc40badb99a4c41cc9532afc204b81f73657fb4fdb6e2612c0ab8880a8091558b19e56f61ccc5e451fd560d615

C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe

MD5 dd2ede1e8952ae4265ce7351432634cb
SHA1 a03bb9260876aea3c6b03958f9d414d0d66c1997
SHA256 ef2d232e0ea6da31615e9e85d465d253b203e9af4c34418bb1ce99443136a9eb
SHA512 ca6e28149fc4554423f0812c2469f510d79ee15f0aa3b14ae648929d4ef415b2db803efb958157d46f55d6b67ac0fe13912940dc4e8cbbb955f1af80f4ec7d9b

C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

MD5 481031660ce230e8f6a663dad9eecbb4
SHA1 9708c62d814c10b1def400de9491d5bbd6e41953
SHA256 4b6b3bbc0c47744b6921a5ae8d3efe8025b135cc0f613e3dd5baa87918de5a28
SHA512 f147189d87152e0dd035aab4bb8d8d31c207a15f55ec3536283f1154ede77c8fa4a96711c68c32f6d1df7ff716b1bc84d5b64882a9ca4ceb69a36b15459e97a4

C:\Program Files\Java\jdk-1.8\bin\serialver.exe

MD5 ff1aa0bc4a989123ab167eb3e7e22331
SHA1 abb84913408d34fedc06ce94554babe7c0480452
SHA256 965595fc861670aadc4cf64932e14da24e5a4ddb87ce38787ea0474d4cd77c01
SHA512 8fd4abfb409c039b288586f364705340afeff1655229a45a7486824a13691f4cafe0e222c97c1b2dca763927818ef8a9e701ea98c4db21d24ae626c20e233cda

C:\Program Files\Java\jdk-1.8\bin\rmid.exe

MD5 cd22b618ff392654dfb1d5f6bd379889
SHA1 af7095d8f5aabb12b4babe0029bbec24b12f63cf
SHA256 d3da93599c517d92fea549fb9bfbfcfef5b23010264e91e93f533d09766be6c8
SHA512 b3fb00da370ae833dad9ab5592840f7d7e4322dc83ce37e183a2e73e26c4230fd861fbd481010c792f32ac482cf413c237070603028397787814d6b459e73869

C:\Program Files\Java\jdk-1.8\bin\pack200.exe

MD5 b689f3cf7812f11f7bb1d1fc6c0016a7
SHA1 fbb0972bfdc4fe58585cefa9cef5b4cd31d30e7e
SHA256 c2b254b2fc44409cce5d1e4899cecb0bfb3e3fd25a9d634936a12ea3aec9929e
SHA512 8f2d658686793bc7de64838991e876193fca08b4eaa19d595b477860a9f563ae98b9390ce82eb78be2d6b94e148e3a48309dcaecc1cc8c2e9c70b017a4339a2e

C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

MD5 a18edfddd055914c01475de0922243d6
SHA1 70c958527c92f673f4a7eec1a6cc08905659d750
SHA256 6f01cfd7d13c0471314fbb37c75739f9f5b83ba5c11c6a9292af95d9283d3d7b
SHA512 c26677b4b89a0d99fc84ea89a020fec1e7def0b55ec71f805be34806dde8d65abd3837c55e28369599d27bbb4d3dd1c031310cd1bb7ca681487d87c1ef2d97c8

C:\Program Files\Java\jdk-1.8\bin\klist.exe

MD5 66298e194a094ee66d57811ad0f77522
SHA1 156716c0ce26bad0b8b2bb11834c2c160127c1be
SHA256 40bd30ef32e0ab87eebd0893e02fde80786ee3a9c5ed7e2b044c8e24aa48de3a
SHA512 e78e42c39903be101d93ff7ebca2b61e8de80dfe75295fc5e4b6184e078db5b3073476aa380eb21caafb3373d72e4ab88104436512128c514378361b6516f43f

C:\Program Files\Java\jdk-1.8\bin\jstat.exe

MD5 5423649e2bb78e4af235fcf5399ab126
SHA1 2ef31201985d1218c3a60d67e9ded9804232beb9
SHA256 f8b022e6686bd04e4a944e4f2aee95d7195a756768c56cede8488f8e7c7f1331
SHA512 27fcf4d32b48cb58b7d0ab743fa27f8a4b6f56bc08500b3cefd1ac7f625d9bcfd38c453ded067bc568427583c25dca7b2c0ccce073cbe1923ef0ec5ae10c70fe

memory/2084-389-0x0000000140000000-0x00000001401B3000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

MD5 cfc4f0cf492c94f4e6cf9f4b954c6e48
SHA1 8ba0197a345ce42889fa3cdcff889d652322eb28
SHA256 58d5373c647f3b3a82425b8899799d65b3425398e3099c430c8c7b3ff182a8c0
SHA512 196409cfb07aed04a8fd65e1f0599054a79dbf72737931eae7b6fbeee70f7551213a4a01768c314d3d908a63bb54ed532d38e8f538efaff16cbd75e21954bfd2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

MD5 bb56dec4bb26d942fe83c79a1236205a
SHA1 9109aa701824e7491171e9645096d1fabcc4af2d
SHA256 9594a3cd38f9d057177d36a2f75e022756f2ac811284ad7a105f6f72278792a1
SHA512 9f6a71144eab73eec4dd16713d0e922c6a03744f7b584b48f0cbe9a2ffdf2b29338ce00b7c65b1b9590b9a455ae15c9ee50113ede27237f55a66f01dc2f288f9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

MD5 b2a7b82a8ae72472da2c1d617c2da8f4
SHA1 c6a5a6ffd4b77570119bfc94c99b56d7f9017d5a
SHA256 e7fd3a98633b060042a71680f25a8be2869ee69fa554de8800dbb8336ba7c126
SHA512 044b5153fc60dfe46f39ef3eca8a5da10c90b0292bc2eeec53777da91a562158330200588a3d7e728fbcd43c48eca32f247447081e3d2a438b8343f05e7dd176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

MD5 cf101a404d03ac25a6a8003e6ccae6a0
SHA1 bf8f8b33ffcae95198659e45f9b5d750e050673c
SHA256 ac5aa71659dd64694e348ca2cd05505242f0b23d68943b3309a18905c134e0d5
SHA512 86a36f911d3e6626fd4012514105759fb70f543373ab86593c8ee1653f82608cb4a737db6687909dc48f667381fb463605e1cbcfc24ae5216d0bee868830139f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

MD5 e3aa4ee56865be59a410292169415bfb
SHA1 43c1a04920d5d9d226c3a0b35700cb08fa734754
SHA256 f3ca3e019129977e72c03021cfb6c7e857a12fe66936a1a4bb832dae1fcd1e5c
SHA512 129378a6ffd8ed032ef0130826e5e460a549ef1ed2da404fd8d0a09266c0c97c71cbe97d5a6d5b0429cc43d6af9daaad5459937d489580d8c333841a4b967f9a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

MD5 02ef2aeb44cb849152b710c8648513f6
SHA1 e6596693d54e3856dc1d42555973b233323b76fc
SHA256 36f4eb89a332ecf61767b8b639c7de33acbb45087c0e298709427d1e29e5b347
SHA512 ca2dee89e1ed55d5089dcfa18d755a96c8078f70454ce2fd05a4960cfaf3a8d2ff21fdc12dc86fff2ee582e400c5fdfb38c843cd591ee9e1c9fe514f348e2881

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

MD5 0617fc7fb8d41f42c2360ff098a3f03d
SHA1 12da57ca2bcf721f38591afef87896b9d4095c9f
SHA256 197693a9b4cdfc1aa76b41318646273b3d3321da2422a4c2062e4ec1d91148b5
SHA512 96c29b13f2320e36db01d53c141406beec3a2ca78a388d53c1641c4ec68a849e8b9ed5d9a062a75e4dd57c6ff552f0f98d758110375f351f9d7e3e9bf6c928dc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

MD5 fcda25807b1084bfff39a77e976580f4
SHA1 2bae7502f5ec3ccbe0bb041425424003665e5bab
SHA256 4987e814d171bddfd6e4d7239616a368e1150a0749792e4ec37ca93e0c7e8129
SHA512 f829245b0d16d2806d0c1089be5e72aa61d419ef4a347284ed0544aa83740114602cdb18c782d8fd2e4448d4f1b4217a02d072abbbbe53db847eaef95cd1a480

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe

MD5 2106902d05de82c576c5ad5b8ffd720f
SHA1 70105f420ed7edf8c9e18bacc6cf6fc7864f1d54
SHA256 3c27d830752a35f58be7fce6a808b7b7d5c28b46de72d2ea2704949e98e4bd7b
SHA512 50a48bdf74dbd2bdc155c0502381f847c96997cf4dd89a63a10c85db412e31fe71fe6a80cecf0fb7c3d68474aea56936e24c79cb29788698d1896d9371ab7103

memory/3208-395-0x0000000140000000-0x0000000140147000-memory.dmp

memory/3716-417-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/820-433-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4048-434-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2336-499-0x0000000140000000-0x0000000140197000-memory.dmp

memory/2064-500-0x0000000140000000-0x0000000140179000-memory.dmp