Analysis Overview
SHA256
f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002a
Threat Level: Shows suspicious behavior
The file f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy WMI provider
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 11:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 11:56
Reported
2025-01-19 11:58
Platform
win7-20240903-en
Max time kernel
120s
Max time network
116s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP79F.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBA0C.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCB6A.tmp\ehiVidCtl.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBEDC.tmp\Microsoft.Office.Tools.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC88.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2AF.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE8A.tmp\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC265.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index151.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB63.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14f.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP54E.tmp\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
"C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 24c -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1dc -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1f4 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 254 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 1dc -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 1dc -Pipe 1f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1dc -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 284 -NGENProcess 238 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 274 -NGENProcess 28c -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 238 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 250 -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 280 -Pipe 238 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d8 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 240 -NGENProcess 1dc -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 218 -NGENProcess 294 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1dc -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2a8 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c8 -NGENProcess 218 -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 260 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 218 -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 218 -NGENProcess 260 -Pipe 2a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 288 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 298 -Pipe 238 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 288 -Pipe 1c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ac -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 2bc -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2bc -NGENProcess 218 -Pipe 2ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 270 -NGENProcess 2b0 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2c4 -NGENProcess 298 -Pipe 2b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 298 -NGENProcess 2c0 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2cc -NGENProcess 2b0 -Pipe 2bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b0 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b0 -NGENProcess 2d0 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 2d8 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 218 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 2d8 -NGENProcess 2e0 -Pipe 2b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 218 -Pipe 2e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2fc -NGENProcess 218 -Pipe 2d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 218 -Pipe 2c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 218 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 31c -NGENProcess 300 -Pipe 318 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 308 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 324 -NGENProcess 314 -Pipe 2d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 300 -Pipe 320 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 310 -Pipe 2f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 314 -Pipe 218 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 300 -Pipe 31c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 300 -Pipe 328 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 348 -NGENProcess 310 -Pipe 344 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 334 -Pipe 330 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 310 -Pipe 338 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 30c -Pipe 33c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 334 -Pipe 340 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 348 -NGENProcess 120 -Pipe 354 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 300 -NGENProcess 350 -Pipe 34c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 32c -NGENProcess 35c -Pipe 334 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 360 -NGENProcess 120 -Pipe 358 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 350 -Pipe 11c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 35c -Pipe 310 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 120 -Pipe 348 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 120 -NGENProcess 360 -Pipe 374 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 120 -NGENProcess 300 -Pipe 364 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 32c -NGENProcess 360 -Pipe 30c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 32c -NGENProcess 120 -Pipe 36c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 378 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 350 -NGENProcess 120 -Pipe 368 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 388 -NGENProcess 32c -Pipe 300 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 384 -Pipe 380 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 120 -Pipe 360 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 32c -Pipe 35c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 378 -NGENProcess 32c -Pipe 350 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 32c -NGENProcess 398 -Pipe 394 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 3a4 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 39c -NGENProcess 378 -Pipe 3a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3ac -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 3a8 -Pipe 370 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 39c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 32c -NGENProcess 3a8 -Pipe 384 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b0 -NGENProcess 3c0 -Pipe 3ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 120 -NGENProcess 3b4 -Pipe 3a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 3b4 -NGENProcess 3c4 -Pipe 3c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 398 -NGENProcess 378 -Pipe 3b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3cc -NGENProcess 3b0 -Pipe 32c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3c4 -Pipe 3c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 378 -Pipe 3a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b0 -Pipe 120 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b0 -NGENProcess 3cc -Pipe 3e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3dc -Pipe 398 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3e4 -NGENProcess 3d4 -Pipe 3bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3cc -Pipe 3c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f0 -NGENProcess 3ec -Pipe 3cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f8 -NGENProcess 3d4 -Pipe 3fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3b4 -NGENProcess 3b0 -Pipe 378 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 404 -NGENProcess 3ec -Pipe 3dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3b4 -NGENProcess 40c -Pipe 3f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3e4 -NGENProcess 3ec -Pipe 3f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3ec -NGENProcess 3f0 -Pipe 408 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 414 -NGENProcess 40c -Pipe 3d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 410 -Pipe 404 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3f0 -Pipe 3b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 420 -NGENProcess 414 -Pipe 41c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3e8 -NGENProcess 3f0 -Pipe 3e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f0 -NGENProcess 3ec -Pipe 418 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 42c -NGENProcess 414 -Pipe 424 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 414 -NGENProcess 3e8 -Pipe 428 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 434 -NGENProcess 3ec -Pipe 420 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 430 -Pipe 3b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 3e8 -Pipe 3f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 3e8 -NGENProcess 434 -Pipe 3ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 444 -NGENProcess 430 -Pipe 42c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 430 -NGENProcess 43c -Pipe 440 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 44c -NGENProcess 434 -Pipe 438 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 454 -NGENProcess 448 -Pipe 450 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 448 -NGENProcess 430 -Pipe 410 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 430 -NGENProcess 448 -Pipe 458 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 448 -NGENProcess 444 -Pipe 40c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 460 -NGENProcess 3e8 -Pipe 44c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 45c -Pipe 43c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 444 -Pipe 454 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 3e8 -Pipe 414 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 468 -NGENProcess 45c -Pipe 460 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 430 -NGENProcess 470 -Pipe 448 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 474 -NGENProcess 3e8 -Pipe 47c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 434 -NGENProcess 478 -Pipe 464 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 468 -NGENProcess 470 -Pipe 484 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 470 -NGENProcess 474 -Pipe 480 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 488 -NGENProcess 46c -Pipe 470 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 45c -NGENProcess 474 -Pipe 430 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 488 -NGENProcess 468 -Pipe 478 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 3e8 -NGENProcess 490 -Pipe 48c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 498 -NGENProcess 474 -Pipe 444 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 49c -NGENProcess 468 -Pipe 434 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 3e8 -NGENProcess 4a4 -Pipe 498 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 494 -NGENProcess 468 -Pipe 45c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 494 -NGENProcess 3e8 -Pipe 474 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 4b0 -NGENProcess 468 -Pipe 4ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 468 -NGENProcess 46c -Pipe 4b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 49c -NGENProcess 488 -Pipe 4a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4b0 -NGENProcess 4bc -Pipe 468 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4a0 -NGENProcess 488 -Pipe 4a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4b8 -NGENProcess 4c4 -Pipe 4b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 3e8 -NGENProcess 488 -Pipe 490 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4c0 -NGENProcess 4cc -Pipe 4b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 46c -NGENProcess 488 -Pipe 494 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 4d4 -NGENProcess 3e8 -Pipe 4d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4bc -NGENProcess 4c4 -Pipe 4cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4d8 -NGENProcess 4a0 -Pipe 49c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4d4 -NGENProcess 4e0 -Pipe 4bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4c8 -NGENProcess 4a0 -Pipe 4c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 4e4 -NGENProcess 4dc -Pipe 4c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4ec -NGENProcess 4a0 -Pipe 488 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 46c -NGENProcess 4e0 -Pipe 4d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 4f0 -NGENProcess 4e8 -Pipe 4c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f8 -NGENProcess 4a0 -Pipe 4f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 4f8 -NGENProcess 4f0 -Pipe 4dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4f8 -NGENProcess 4a0 -Pipe 4fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 3e8 -NGENProcess 4f0 -Pipe 4e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 504 -NGENProcess 4e4 -Pipe 46c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 4ec -Pipe 488 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 4f0 -Pipe 500 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 510 -NGENProcess 4e4 -Pipe 4e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 4ec -Pipe 4f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 4f0 -Pipe 3e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 4e4 -Pipe 504 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 4ec -Pipe 508 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 4f0 -Pipe 50c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 4e4 -Pipe 510 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 4ec -Pipe 514 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 4f0 -Pipe 518 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 4e4 -Pipe 51c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 52c -NGENProcess 53c -Pipe 530 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 520 -NGENProcess 4e4 -Pipe 524 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 520 -NGENProcess 52c -Pipe 534 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 4a0 -NGENProcess 4e4 -Pipe 528 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 548 -NGENProcess 538 -Pipe 4f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 52c -Pipe 544 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 550 -NGENProcess 4e4 -Pipe 4ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 538 -Pipe 540 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 538 -NGENProcess 548 -Pipe 55c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 520 -NGENProcess 558 -Pipe 4a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 560 -NGENProcess 550 -Pipe 53c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 548 -Pipe 52c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 558 -Pipe 54c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 56c -NGENProcess 550 -Pipe 554 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 56c -NGENProcess 568 -Pipe 548 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 538 -NGENProcess 550 -Pipe 520 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 578 -NGENProcess 570 -Pipe 538 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 4e4 -NGENProcess 550 -Pipe 574 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 580 -NGENProcess 558 -Pipe 56c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 584 -NGENProcess 570 -Pipe 57c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 584 -InterruptEvent 588 -NGENProcess 550 -Pipe 564 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 58c -NGENProcess 558 -Pipe 560 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | ww12.przvgke.biz | udp |
| US | 76.223.26.96:80 | ww12.przvgke.biz | tcp |
| US | 8.8.8.8:53 | ww7.przvgke.biz | udp |
| US | 199.59.243.228:80 | ww7.przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
Files
memory/2392-0-0x0000000140000000-0x000000014013F000-memory.dmp
memory/2392-9-0x0000000000170000-0x00000000001D0000-memory.dmp
memory/2392-1-0x0000000000170000-0x00000000001D0000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 4f3317b5d052699f009047cd06e5c636 |
| SHA1 | 304e84fc5c1749b674bb6d12e50a4e08f3441fb8 |
| SHA256 | 7302cab786a8215f824c4a593d7a54b71c158389e24a0717cfc614c5ddcf2e82 |
| SHA512 | c0ac3ba06b619491c885e9da277f4f5aa91e1bcfb970c4b52088fcc5c85d5f8029aba2bfdaa3b10d303bad0eabf3bd358106f1aad12d651199a082576582362e |
memory/2652-14-0x0000000100000000-0x0000000100142000-memory.dmp
memory/2652-15-0x0000000000190000-0x00000000001F0000-memory.dmp
memory/2652-22-0x0000000000190000-0x00000000001F0000-memory.dmp
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | 0efd656ff21d272880f947523c755df0 |
| SHA1 | 84081f551d89ecb3798069f4cfa972b258849638 |
| SHA256 | 79f3dd7c7838c729b682a8beaa886a293d90c330a23d82e8ee7db3c072b3b682 |
| SHA512 | 14f653e933a270f3b4fd1e7828800fcf485da365a222fb6914b6f8e993ddd9bd24b17f6f40585cc0162879abfa7fb4cf7470e8898590149f27d8a6922ea5eca5 |
memory/2796-28-0x0000000140000000-0x000000014013B000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | 4e3eace4bb3abd4f79c98708dfb8fee7 |
| SHA1 | d5d9b26568686b7ddeb36eb5126a9a7c2e2e89e8 |
| SHA256 | 3c152e754c3a7b4db285fd9b378f2abdecdf3665d1992e75aae01c0ff1ba5f5b |
| SHA512 | 7c65ee487f6d73dd3c8f7a7512e3f5879aea940e04f1015f5e607c942d2a89ac40e5f6b2e7fe7e7b6e93c476bb6c958332e2addc0456b48df0c60939f83a5e55 |
memory/2596-31-0x0000000010000000-0x000000001013E000-memory.dmp
memory/2596-32-0x0000000000440000-0x00000000004A7000-memory.dmp
memory/2596-39-0x0000000000440000-0x00000000004A7000-memory.dmp
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | 891a678b7fbcc00b41acc15964a43580 |
| SHA1 | a4c8344b8272a957d7e90e4636a7c9da23118334 |
| SHA256 | b647d5e07085e54be701bbbb52fe837d3c50629fe986b48e561bcbb3e87f442b |
| SHA512 | bba9549320bdc8c8aa8a669c9be2369db526ff9c0855053f692f723c92ef13d7d2c25f4ad42f6a355e043805d74e2f3bda6cc27c4efed5f4f53a5d0f64a060e1 |
memory/2388-46-0x0000000010000000-0x0000000010146000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | bb41b52d1c153656a010ed4b79ee7a07 |
| SHA1 | d726e801557808112994651c5fb006626d4919ad |
| SHA256 | 7309ef37ce5c3cc2b4cc20e23d4d3f2f94f128fbae45a1dce17b7206d6c17fb6 |
| SHA512 | 315b5caa459ef44372d4a2fe290e784e5cc2292cb95074afcd7aad1f36a92cd88b5776c9e85109e8ca394030f5aebc73ac3efb8f41935167d52937ef495c4c8b |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | c0380280678a838b7d19c43b0255678f |
| SHA1 | c1e5517c95648576991f5c1fb9993ed911410e8d |
| SHA256 | 4b9c32709612d2c8a0b824b0a947575a81a50d161c661d60f6790798ad312652 |
| SHA512 | 1a73c17a58eefeee710bef83c320205bcabb586ca7f964a89948ded7e3523175da8eb520419bcb89ae8914dd5b442f614cb31066b2ae78221ac2e78489524a3e |
memory/3012-57-0x0000000000400000-0x0000000000547000-memory.dmp
memory/3012-59-0x0000000000550000-0x00000000005B7000-memory.dmp
memory/3012-63-0x0000000000550000-0x00000000005B7000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | af57c8a6b16c0dcfb7cb1bf823dfeef2 |
| SHA1 | ef305d7c0b608f82e354cdb2a0c481b28a8e846c |
| SHA256 | 7097a7225495875a10b6d065074716f1b94fff34bd79aafb74261dd5d6621412 |
| SHA512 | 40e4b3035ca17eb5d5fde703e8f8b8b23968793f057b6d0a88c5e65c08b3d33fdb681d3e1ec7b6f2713cb9278cbe27d81dc413e5caf4e60e24eed2e65a0f468d |
memory/2388-68-0x0000000010000000-0x0000000010146000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | 42fe391a9241df91656c03c80ef1dc22 |
| SHA1 | f93919148000c5d083beefb3114718749111fc41 |
| SHA256 | c845109df6f916863ab20daad6063785e5fd6090fcfadf7fda82cbbeabdb47b9 |
| SHA512 | 6381a327c090c099a8c651a6aaf7efae2def14003f2996a0914011e86689b818e9ef854cbcde7c95e05e2165c6721b6fcdf43ad10b30b3faf7f5b68c61073dde |
memory/2856-80-0x0000000140000000-0x000000014014C000-memory.dmp
memory/2856-78-0x0000000000440000-0x00000000004A0000-memory.dmp
memory/2856-72-0x0000000000440000-0x00000000004A0000-memory.dmp
memory/2596-83-0x0000000010000000-0x000000001013E000-memory.dmp
\Windows\ehome\ehrecvr.exe
| MD5 | 6fed514671769c2fff4c35d104fca853 |
| SHA1 | b9323004451b4981220d42dad5b438b771915b38 |
| SHA256 | 20b6b6d18529ff11a231243aa82d254aee29ba65e8d2a49b4e996e42978539da |
| SHA512 | b881a60ac82c2e630a5e82e86d29e46057f37550741b68332c422332afd071caa472f3d6cdb4d20e9e0062311612feed5cf94541c2f633cfaa9e90b255a08ccf |
memory/2392-92-0x0000000140000000-0x000000014013F000-memory.dmp
memory/1844-93-0x0000000140000000-0x000000014013C000-memory.dmp
memory/1844-94-0x0000000000A80000-0x0000000000AE0000-memory.dmp
memory/1844-100-0x0000000000A80000-0x0000000000AE0000-memory.dmp
\Windows\ehome\ehsched.exe
| MD5 | a49df1a6104b2743092d3902ca34a7c6 |
| SHA1 | 63ab28ca91162f8b979a959a0552b11bc5fe9a9b |
| SHA256 | 33e04cc16885b5a453f49663a2bc680dc94a56ead3acb56f38900e0b18a80de8 |
| SHA512 | 4a593173c659496ddba057d47f894c7e1322fb90b8f6cd336911fb704d30b0dff09dbe75a33c135c9ed5e8c9280a56e1ac2e599fcc84caafefde2e5efab1b6cb |
memory/2368-115-0x0000000140000000-0x0000000140150000-memory.dmp
memory/2368-113-0x0000000000BC0000-0x0000000000C20000-memory.dmp
memory/2368-107-0x0000000000BC0000-0x0000000000C20000-memory.dmp
memory/1844-106-0x0000000000CF0000-0x0000000000D00000-memory.dmp
memory/1844-105-0x0000000000CE0000-0x0000000000CF0000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 4c18fbf435e3622a860be750b82caa34 |
| SHA1 | 7ca4924b7dc059eedcac2fcfabb444c0134c371d |
| SHA256 | 7edd44745fa3061e6196c94988f38bee2093f8c4f200c5b8f68bb7c0ac59e8ec |
| SHA512 | 14d250e2a445bbbcda527c7bbac6083bece98797c6c9861a5e44b7750f455e660f1537b84c6d2b8a26b0282dcfbaeb846b29a1db12bddd60557cbd6f46294be4 |
memory/2504-120-0x0000000140000000-0x0000000140237000-memory.dmp
memory/2652-119-0x0000000100000000-0x0000000100142000-memory.dmp
memory/2504-121-0x00000000001E0000-0x0000000000240000-memory.dmp
\Windows\System32\ieetwcollector.exe
| MD5 | 9a6611efd617843f24908c5896328cbd |
| SHA1 | b1b9fc01b302ad3bc7f368069c429629f41200cc |
| SHA256 | 20bbf903dc50a2e72aa9a621e1ba2152107122f7da58a3cabdcd4ca042a95737 |
| SHA512 | b582a79f47bc7e3191e4bb3820010d65bb54136699276e5d523c03c2a76a90d9deb551703ac6448b9b500a5ae3ebae54285371d8aa07e144caf7a2dc88c33996 |
memory/1840-138-0x0000000140000000-0x000000014014D000-memory.dmp
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | d0affe06b02b8ce700a3b19510c8d2fc |
| SHA1 | 62688140fd85951a727807787c6412911540498a |
| SHA256 | 46baf24885a7256d3bcfbd60d5c93ddb82c14a38e05114835de9931051da91ae |
| SHA512 | fe32c43af98b7196daa93084d9d78daa88cb62f207535db79b7c202b862f2a3eb13341ad6b241f769cfc49d6ec86eae212d75a8f6ce27feda2cc363d4bc95826 |
memory/2796-143-0x0000000140000000-0x000000014013B000-memory.dmp
memory/1732-151-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 298a04a8daad893aa7332a7f7fe0283a |
| SHA1 | 555cb863e48719d327813e31685b3ce19fbfb9db |
| SHA256 | 174548aaa9ac4e9a7280d579ba99ea402a1c99185de5f7bc2422e57fc9540997 |
| SHA512 | e74724c3c53f67b1f8dfd0d81db928e9e92c82a4f28f0450a234b4117a75575210307a9b18f7ce1138efe016a830489a767ff6d4804002b7b07c543edc27c917 |
memory/1704-163-0x0000000140000000-0x0000000140169000-memory.dmp
memory/1704-167-0x0000000140000000-0x0000000140169000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | c0b16a08bf5f5667cfe6dd42c14502c0 |
| SHA1 | da4020f5c207df240c91ea9f4c5534e528da78d1 |
| SHA256 | dc15d336fd1e00201be0d36c4003bf21a64075752251f8778b49179a9abac63f |
| SHA512 | 19f07a3c1dd8e55b01842cbc604f384d48cdc159163d10135035905b6138b07b716a12e92f2c09feb8ecdb146f9aaf90f95971cfaaeeeba9e22b1db27e2498b5 |
memory/3012-171-0x0000000000400000-0x0000000000547000-memory.dmp
memory/3000-172-0x0000000140000000-0x0000000140154000-memory.dmp
\Windows\System32\msiexec.exe
| MD5 | eb854a027f20d33f391cf835b236f74b |
| SHA1 | e287f4e74d193794eea193a54f1e1a280f9b7f99 |
| SHA256 | 5ad0b0ab5276c6ca01d4e9372fb62a655fe98ad6f1df5cd79ea396285b85f72b |
| SHA512 | 3a1ee8365d79f312e29ac3ec628f3ec08584f61699be1f7994bbdc0675d76ffe8d9389c65ded182c0efcbc89add8b92db90cd23a8144fc296a6b623b06a4d96a |
memory/2856-185-0x0000000140000000-0x000000014014C000-memory.dmp
memory/1844-201-0x0000000140000000-0x000000014013C000-memory.dmp
memory/872-200-0x0000000100000000-0x0000000100151000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | a1f45f0260c0001f967e62a3c05f1413 |
| SHA1 | fe701b6bd860464e36dfabe5716fd1594d9c3e55 |
| SHA256 | ff770b138e58cec0dccd63e8543fca4bedb579ec5041841c0ac441718801ac3f |
| SHA512 | 2565a682313b572a543046364e4b5f8a1e3f79f4a66388f68db24debdf33890facd905d0b90b81f09099168ef1533800ac22b525489dcb728f85e18f4767db81 |
memory/872-203-0x00000000005F0000-0x0000000000741000-memory.dmp
memory/2368-204-0x0000000140000000-0x0000000140150000-memory.dmp
memory/2648-205-0x000000002E000000-0x000000002E154000-memory.dmp
memory/3052-217-0x0000000001000000-0x0000000001134000-memory.dmp
memory/2504-216-0x0000000140000000-0x0000000140237000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 58682f458f2c842940e78438b2d18dcb |
| SHA1 | 3f6f16664cf992169f87ad90e665053bf5e5d5fa |
| SHA256 | 454b92419c15128d36a1a30ca348ecdedf8a5e273bc4e6776979d97d8b37878b |
| SHA512 | 24030158257832ad4fd708c1fe1724cb43fc1555cfc191bd7fcac8b6e103e6b1d3585f0601b2c5e9d4456fa3e5934f6c2d7a5183d0030cadd6e477f77294896e |
C:\Windows\System32\Locator.exe
| MD5 | f822cd12196cda1bbcef4d588b7232a0 |
| SHA1 | c5b312a6457629df38b31ed7a8afe9506128df93 |
| SHA256 | 32e6c5a9f22c70dc50bd4876a9076ad3bea7b8ad7054d2d3a71b109120c3a65c |
| SHA512 | 9a7261c33dc0093e4a08b9fc2b077b96eb3f8f1ff552a73b2814ffadadbd4c3de53a647ea5fe89f7666118fb835be1718175e9c0e18ecb3988dddd1e05886469 |
memory/1840-228-0x0000000140000000-0x000000014014D000-memory.dmp
memory/3060-239-0x0000000100000000-0x0000000100133000-memory.dmp
memory/1732-238-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | 7956d98c00d3396bce433f43adf78557 |
| SHA1 | a449f99001086c70b11c0282043f71add4aeb83b |
| SHA256 | fe57e5afdd5bb64d87639f1ed06f0c497d542f5f22d783864b56b1c74e539368 |
| SHA512 | 5ca01bb49336491e9431233a4ca4eb572e88b3f3878b07ce8a83f0574a40bf0a39d20218bb9feb6bf4be126ed7b9549028c2bba5b2853db10c001279cfd0980d |
memory/2992-242-0x0000000100000000-0x0000000100134000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | fedfbfa8c957ddc11de97a6efdd1ffc8 |
| SHA1 | cbc2d6227b603a9a711b10047961fa2e7e5c4bab |
| SHA256 | 6c632aa48074137854bf1132b8d9be975704dc94e87c2d22a99429231cdd5f2d |
| SHA512 | 416c9ffebf65c39405451af98d023fe3d0150d9591bcb8630a71fee1b57e1f2a5f4e2712a5cd3960365ef5febc3cbde8cf149dab9ba64904326635a6c58bc216 |
memory/892-253-0x0000000100000000-0x00000001001B3000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 9b1f4a24af272e263256d2db68127171 |
| SHA1 | 6a94016f01fbd8bd9c123c53ddc1b025cfc760dc |
| SHA256 | 6c3a56d225b0a316445039355d3df1151150956b23db887d0cba08064105f53d |
| SHA512 | 76b541dcb4640e9bdecb38764ab71c0bf3d457404c2e4deae85f10ee976c3e8413c16e21bf470822c8e75c107ced55a829e5e4c7bebebd1f87beec38b1b627e8 |
memory/2108-273-0x0000000100000000-0x0000000100219000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
| MD5 | b9bd716de6739e51c620f2086f9c31e4 |
| SHA1 | 9733d94607a3cba277e567af584510edd9febf62 |
| SHA256 | 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312 |
| SHA512 | cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478 |
\Windows\System32\wbengine.exe
| MD5 | 652b9ea72d6bf4852d8df17dce4bd520 |
| SHA1 | 2843d1a961bfa32c4bdf28b606466868ffc41fd3 |
| SHA256 | 69ba51b198f32438d6c2490a634e224f5b606d2e2ae66e5aad65ed918bb664e2 |
| SHA512 | dd3909bea1f29d1362ccf6201999e2a1caf3538f53c3f012592197503d1829812df56319b771c387c4b4046a82eed961c247845b0bb54182438ace1edf2c4dd5 |
memory/1080-294-0x0000000100000000-0x0000000100202000-memory.dmp
\Windows\System32\wbem\WmiApSrv.exe
| MD5 | a10b5a6668326d089ae6732aa1e02c4e |
| SHA1 | 050fc2fe04dbc7713af698b0f82274ae8720d6a1 |
| SHA256 | 1580de4059746d0251f7436eaff3e95c786f8d00d7f9774d4331c15fff873d4d |
| SHA512 | 4b1aa811a6a176299165fc4eb499c9e27521e3627fbe933dda336ed093663edee206ebc2c6919d41025efdb10bab201a7e3917fcb24dde99bfa8c03c7ed5ee06 |
memory/2424-317-0x0000000000400000-0x0000000000547000-memory.dmp
memory/872-314-0x00000000005F0000-0x0000000000741000-memory.dmp
memory/2476-307-0x0000000100000000-0x0000000100163000-memory.dmp
memory/3000-306-0x0000000140000000-0x0000000140154000-memory.dmp
\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 3bf0c7baf602cb3fa7b2ca8e7257902c |
| SHA1 | 0eea4fd2d1dceeab86c6101512e4ef0f96027131 |
| SHA256 | 87c60ba44184098924d21ff52da529eb78a03123b4a062d044231fcf98ff9083 |
| SHA512 | a663e638e8e91f9beda77b441747919b17c32d3de57ae2f7f998be0342230dd319eab2e6ba3510fee1b7313140a0d44d9215f1baff139f12eb0cb07f7b396e88 |
memory/2032-329-0x0000000100000000-0x000000010020A000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 307590d2839ef854ed299f29184f6aae |
| SHA1 | 2a81aceb3ae9b3a91e672015493e26a8a54a95c1 |
| SHA256 | ecd9044a52e85dc0350e6c33c190b4b835149f6b6c5d2ec38e9e64a52b7d202a |
| SHA512 | 5eb334d24662a378f802f8dddbae0b362300b1830df092bcba2a98daed7a77fa51a2be60100e011ba79558df362f65408c6071be1aa18d16226bc76b3faf9299 |
memory/2648-333-0x000000002E000000-0x000000002E154000-memory.dmp
memory/3064-334-0x0000000100000000-0x0000000100123000-memory.dmp
memory/2016-347-0x0000000000400000-0x0000000000547000-memory.dmp
memory/3052-346-0x0000000001000000-0x0000000001134000-memory.dmp
memory/2424-337-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2208-369-0x0000000000400000-0x0000000000547000-memory.dmp
memory/3060-368-0x0000000100000000-0x0000000100133000-memory.dmp
memory/2016-373-0x0000000000400000-0x0000000000547000-memory.dmp
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | 097241ee5e1c6a98fb6323d43494d9ea |
| SHA1 | a3aae41b9579a5f052b2e6804f1cef83ee6d93db |
| SHA256 | 0dcd9a24d28cd9f9c4c836af41323d3bc3376f56e1e855aed40454645f175f80 |
| SHA512 | 399b7e1765613cc3b2c4751059d15a2b3387ff6624723d1099b7b9cabb2a312c27560c1cab406d8e1cdf3609630059bde5d99b0370370de40c3cdf8073358e28 |
memory/2768-510-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2208-513-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2992-508-0x0000000100000000-0x0000000100134000-memory.dmp
memory/2028-528-0x0000000000400000-0x0000000000547000-memory.dmp
memory/892-527-0x0000000100000000-0x00000001001B3000-memory.dmp
memory/2768-532-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1952-557-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2108-555-0x0000000100000000-0x0000000100219000-memory.dmp
memory/2028-560-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2524-574-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2476-573-0x0000000100000000-0x0000000100163000-memory.dmp
memory/1080-572-0x0000000100000000-0x0000000100202000-memory.dmp
memory/1952-581-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2060-605-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2524-610-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2060-628-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2032-642-0x0000000100000000-0x000000010020A000-memory.dmp
memory/2568-646-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2328-663-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2888-669-0x0000000000400000-0x0000000000547000-memory.dmp
memory/3064-661-0x0000000100000000-0x0000000100123000-memory.dmp
memory/1556-683-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2328-687-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1556-706-0x0000000000400000-0x0000000000547000-memory.dmp
memory/824-720-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1484-723-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1776-726-0x0000000000400000-0x0000000000547000-memory.dmp
memory/824-735-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1776-736-0x0000000003CE0000-0x0000000003D9A000-memory.dmp
memory/1776-747-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1444-748-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1444-760-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2396-771-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2292-774-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1368-781-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2396-786-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1368-798-0x0000000000400000-0x0000000000547000-memory.dmp
memory/1244-810-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2216-820-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2256-822-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2520-831-0x0000000000400000-0x0000000000547000-memory.dmp
memory/2256-836-0x0000000000400000-0x0000000000547000-memory.dmp
memory/588-845-0x0000000140000000-0x000000014014C000-memory.dmp
memory/2792-846-0x0000000140000000-0x000000014014C000-memory.dmp
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
| MD5 | 8c69bbdfbc8cc3fa3fa5edcd79901e94 |
| SHA1 | b8028f0f557692221d5c0160ec6ce414b2bdf19b |
| SHA256 | a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d |
| SHA512 | 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
| MD5 | 4f40997b51420653706cb0958086cd2d |
| SHA1 | 0069b956d17ce7d782a0e054995317f2f621b502 |
| SHA256 | 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553 |
| SHA512 | e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
| MD5 | d828f9129d66961b17a93f8d715a6f6d |
| SHA1 | ca36d9328ad7fb4dda9f3d0892e42a3cd106cd83 |
| SHA256 | c560c2ce5c811a91da778e52dbd9b66efad1e3ce14c90d877fa026f844ac00cc |
| SHA512 | abf1aab5a883622753b5284f3abfe26390a5bd4a6f958acec0b8ade2f41b1691776dec7887014c2cae304074732ed4f5ae2bb2708b287ea1eb3bc4e22152635c |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
| MD5 | 71d4273e5b77cf01239a5d4f29e064fc |
| SHA1 | e8876dea4e4c4c099e27234742016be3c80d8b62 |
| SHA256 | f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575 |
| SHA512 | 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
| MD5 | 3c269caf88ccaf71660d8dc6c56f4873 |
| SHA1 | f9481bf17e10fe1914644e1b590b82a0ecc2c5c4 |
| SHA256 | de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48 |
| SHA512 | bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
| MD5 | ac901cf97363425059a50d1398e3454b |
| SHA1 | 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7 |
| SHA256 | f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58 |
| SHA512 | 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
| MD5 | e3a7a2b65afd8ab8b154fdc7897595c3 |
| SHA1 | b21eefd6e23231470b5cf0bd0d7363879a2ed228 |
| SHA256 | e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845 |
| SHA512 | 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC043.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll
| MD5 | 2735d2ab103beb0f7c1fbd6971838274 |
| SHA1 | 6063646bc072546798bf8bf347425834f2bfad71 |
| SHA256 | f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3 |
| SHA512 | fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
| MD5 | 9c60454398ce4bce7a52cbda4a45d364 |
| SHA1 | da1e5de264a6f6051b332f8f32fa876d297bf620 |
| SHA256 | edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1 |
| SHA512 | 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
| MD5 | c26b034a8d6ab845b41ed6e8a8d6001d |
| SHA1 | 3a55774cf22d3244d30f9eb5e26c0a6792a3e493 |
| SHA256 | 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3 |
| SHA512 | 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC265.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll
| MD5 | aefc3f3c8e7499bad4d05284e8abd16c |
| SHA1 | 7ab718bde7fdb2d878d8725dc843cfeba44a71f7 |
| SHA256 | 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d |
| SHA512 | 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
| MD5 | 0fd0f978e977a4122b64ae8f8541de54 |
| SHA1 | 153d3390416fdeba1b150816cbbf968e355dc64f |
| SHA256 | 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60 |
| SHA512 | ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
| MD5 | 6eaaa1f987d6e1d81badf8665c55a341 |
| SHA1 | e52db4ad92903ca03a5a54fdb66e2e6fad59efd5 |
| SHA256 | 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e |
| SHA512 | dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d65a332484d5e6f9dfc625b3a3a6d668\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
| MD5 | cd08f54589a07dd3cd306db76921597e |
| SHA1 | 0abf0a8b182df3a54ee9d96fb8d84ee06131b0c2 |
| SHA256 | 48ff64cc35648593eccc7d220a47102941d2607175bece03f260783a843d0e23 |
| SHA512 | 11511508441098b5c982f47cec39e06f10c65fb17b606559bd358e6dc4ed401481c07afd09c92b57172a5a6754be60b7298ad79d6dcb44ea6e67bf3564e28398 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
| MD5 | f786ebe6116b55d4dc62a63dfede2ca6 |
| SHA1 | ab82f3b24229cf9ad31484b3811cdb84d5e916e9 |
| SHA256 | 9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12 |
| SHA512 | 80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b2d12387f4833169042f40ed5a91cb37\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
| MD5 | 1c75d53f2989e439a1385d9ced73a5f6 |
| SHA1 | 7c466cafabb2f3d2298d0e3815ba77dd0e8457f1 |
| SHA256 | dd457a794693874b909cefa69c9be2e091e37ee9fbce8a0a803b76f71c5e3230 |
| SHA512 | 0ec386d38b33719115c04d164d321b6da7378ed6a35bb09e269ccdf29c6dd8adc38fc1cd5722a538b7358913cb8e85420aa0dd6c0bf95edc8dbb4268fc733cc4 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6100bface70986bb5a5df86fa77dfb86\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
| MD5 | 718fbb214ac62fc4d8ff507f19ae0463 |
| SHA1 | c304def2058ee3963b3dcc45eaa28f9f987fb0eb |
| SHA256 | 5a78b8151967cbbf0cb4468adf246cd07db30947fea5cb1f9ec50e2a922be95c |
| SHA512 | 71f2c4d0cacdeca5c13b93382ca8bf95ba34f359ad0a0c755b643a7ece33bbb66faeb34137b34ac0b0abd18e6eb4dbaa6a40536d42c0d17184a68fbd882bd0b0 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
| MD5 | 7812b0a90d92b4812d4063b89a970c58 |
| SHA1 | 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea |
| SHA256 | 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543 |
| SHA512 | 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed |
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
| MD5 | 3e72bdd0663c5b2bcd530f74139c83e3 |
| SHA1 | 66069bcac0207512b9e07320f4fa5934650677d2 |
| SHA256 | 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357 |
| SHA512 | b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
| MD5 | aeb0b6e6c5d32d1ada231285ff2ae881 |
| SHA1 | 1f04a1c059503896336406aed1dc93340e90b742 |
| SHA256 | 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263 |
| SHA512 | e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
| MD5 | 006498313e139299a5383f0892c954b9 |
| SHA1 | 7b3aa10930da9f29272154e2674b86876957ce3a |
| SHA256 | 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c |
| SHA512 | 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
| MD5 | e88828b5a35063aa16c68ffb8322215d |
| SHA1 | 8225660ba3a9f528cf6ac32038ae3e0ec98d2331 |
| SHA256 | 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142 |
| SHA512 | e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
| MD5 | c76656b09bb7df6bd2ac1a6177a0027c |
| SHA1 | 0c296994a249e8649b19be84dce27c9ddafef3e0 |
| SHA256 | a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0 |
| SHA512 | 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
| MD5 | 0637ad2bf6fc5ac1d29e547155bc818c |
| SHA1 | a502879466b6dd37eae5881bbb18353f97623852 |
| SHA256 | 868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f |
| SHA512 | 1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
| MD5 | da9f9a01a99bd98104b19a95eeef256c |
| SHA1 | 272071d5bbc0c234bc2f63dfcd5a90f83079bbab |
| SHA256 | b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d |
| SHA512 | dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll
| MD5 | 87111e9d98dc79165dfc98a1fb93100b |
| SHA1 | 4f5182e5ce810f6ba3bdb3418ad33c916b6013c8 |
| SHA256 | 971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42 |
| SHA512 | abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll
| MD5 | d74d434aa70ce827715b5e0ac7eda5be |
| SHA1 | b53f3374be4c96af51c78fd873de1360f17c200f |
| SHA256 | 54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496 |
| SHA512 | 631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll
| MD5 | 7ebbba07bc6d54efd912bcd78b560b7b |
| SHA1 | a6aee1a80ddcdf201301ac29293c62d58bcc941d |
| SHA256 | 637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a |
| SHA512 | 2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll
| MD5 | eb09a7062a66a50fe2cb16c4a80561a7 |
| SHA1 | 33b4c71ced7644be9802374a4f04c866394daaca |
| SHA256 | e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256 |
| SHA512 | c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll
| MD5 | 7687295a6e19cc656b077e6a61629d4e |
| SHA1 | fa1025de5cffb56a3d1f8cae9d09b7171b33326e |
| SHA256 | ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86 |
| SHA512 | 19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll
| MD5 | 58cacef7cbc000bb5ddeedc08a598f36 |
| SHA1 | f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7 |
| SHA256 | 124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270 |
| SHA512 | 9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll
| MD5 | a763a9348ab4ee3bd593bb17d854e51b |
| SHA1 | 4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9 |
| SHA256 | b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b |
| SHA512 | e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll
| MD5 | e9ca062e4958cc25400c804029a5bf62 |
| SHA1 | 1ed4374d0d0f568936fdebe17d9110481d6b3344 |
| SHA256 | a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0 |
| SHA512 | 43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll
| MD5 | 7bdf8e0c9aa04b71a52dd964005f4363 |
| SHA1 | a87e809146d3c70093a189c37f0a96b8bd0ce525 |
| SHA256 | 0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b |
| SHA512 | 4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 11:56
Reported
2025-01-19 11:58
Platform
win10v2004-20241007-en
Max time kernel
113s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000826afb28696adb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000951ced28696adb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddf98828696adb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a31e128696adb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039d1a028696adb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0dc4e29696adb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003080762a696adb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 648 wrote to memory of 2312 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 648 wrote to memory of 2312 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 648 wrote to memory of 3356 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 648 wrote to memory of 3356 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
"C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.10.141.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | ww7.przvgke.biz | udp |
| US | 199.59.243.228:80 | ww7.przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 199.59.243.228:80 | ww7.przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
Files
memory/4400-9-0x0000000000790000-0x00000000007F0000-memory.dmp
memory/4400-6-0x0000000140000000-0x000000014013F000-memory.dmp
memory/4400-0-0x0000000000790000-0x00000000007F0000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 40191d239905939054622c416faea84d |
| SHA1 | d37d802f8a97109443b39631df818d894de77868 |
| SHA256 | d904223c93409f584f602306703a003ee7aa02075fc13546924ca05d6fea9c05 |
| SHA512 | 10d2e92b9121fee38e0a7d601607da054bf79dfe88db0cb2655273855cc0d0465d9baffd2481fcdc952fc5785734543994053908cb7fa24e9a75fa3cd4677fe1 |
memory/2332-13-0x0000000000530000-0x0000000000590000-memory.dmp
memory/2332-22-0x0000000000530000-0x0000000000590000-memory.dmp
memory/2332-21-0x0000000140000000-0x0000000140148000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | f2bd99302aa7f05b556b8a1784b10a3d |
| SHA1 | 9913da60f392b2e8fe5bab3a8b4c798229ebe230 |
| SHA256 | 3b72b6ccb75740caf00a2b87e2967cc6f7961338434a61d61256139252187362 |
| SHA512 | 1cbf4a584703a18535b94cead00bfe3968c052cb3b5e106bc7199a90895b1038ee9582ab09f75c7e04b4d216bfb918c4d3b15084dd1c2dbe1922046028e7951c |
memory/3500-36-0x00000000004C0000-0x0000000000520000-memory.dmp
memory/3500-35-0x0000000140000000-0x0000000140147000-memory.dmp
memory/3500-27-0x00000000004C0000-0x0000000000520000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | b92ba0fb0ec601ba586d37d29a7f1e1b |
| SHA1 | e80ee58ceaa52d54d3b301e8e502ae3902d61329 |
| SHA256 | 112b28edb43b7ef9864abe22337d7edcd97a9f0a8d9e700b75d566aa7d42ff45 |
| SHA512 | ea84f95d30789afd2d8e3243aa4905ef1875ae73d6e8f41d12ecfb83b6e433c61e6440b246e0e505c753c0ab6c77e5129c4e12fbffb08773f4e1ac1ae3d547a0 |
memory/1672-39-0x0000000140000000-0x0000000140135000-memory.dmp
memory/1672-40-0x0000000000D70000-0x0000000000DD0000-memory.dmp
memory/1672-48-0x0000000000D70000-0x0000000000DD0000-memory.dmp
memory/4260-51-0x0000000000440000-0x00000000004A0000-memory.dmp
memory/4260-57-0x0000000140000000-0x0000000140234000-memory.dmp
memory/4260-58-0x0000000000440000-0x00000000004A0000-memory.dmp
memory/1672-61-0x0000000000D70000-0x0000000000DD0000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | a4c0ec79add8162a983137265385ace4 |
| SHA1 | 6a51a908e21fabc2c1932a6b8c59d13be207c138 |
| SHA256 | 9cda4cd579a9ca335cd6ef1cbab448e27fec96d3bfe8d3bb6bfd777c3f01a7eb |
| SHA512 | 260e361914699022d51231e2b19dec4f5a96cbbc522f7909c0dac7f7bcd7a878073a5ea464b3ba7567de40dde36a73bfae460310e4ab74986a54ac48555ef624 |
memory/2128-71-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/2128-65-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/1048-75-0x0000000001A30000-0x0000000001A90000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 042481d23da432e2518750df331a5554 |
| SHA1 | 4f5c5b6731eeb78536c2c7512b8f83e9d97b382a |
| SHA256 | aef1aec0825c08d4c17b7b03c7b1af900a5bf35cfad19bc431c84c32b20f0408 |
| SHA512 | db5b15ffd4c40839b5c74ec15f7a918531fb541d52a15485a586774294350d3d9fe73822e814a23d246f168f7c4845afe9cca2895825da5d77d80021b410a0aa |
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 69cdb702245e01ee8a3b43bee44daa9f |
| SHA1 | 908e34a404470d400e59fe46c40c86f833656d21 |
| SHA256 | 79d1b5da986c496f0a497f8323738a615acc0dfdbc4ee8a919b307866c90de60 |
| SHA512 | 6b34810f1438d7216a1160727a4a6825478dbee0dfd9d93c7c03f73ed0f87ba13a7f554be68e439353232d12e57952a1bc9f2d5b43a90ff0a13c35abd8110ead |
C:\Windows\SysWOW64\perfhost.exe
| MD5 | a81f152186d778ea2b8ff909b1e57215 |
| SHA1 | 02a2529afcb2d95299cac3e7944fe69fbfab80a4 |
| SHA256 | b69bee338bbc06d9ce30a152855acff34266b74bdd1f66837b42b2bfd306d18d |
| SHA512 | 00ea75f9d12a1a077d9a4c0dce050f3f16b60b45cfddb5448a834b4209c3affc5f3d87241babffebc85f9678102fd7e5266401b7419c48b786b73efb211dc327 |
C:\Windows\System32\SensorDataService.exe
| MD5 | e359243727b0d2611ec44ecf85bb1b99 |
| SHA1 | 332f0a802100ea29422e1648ae4a9d0e65abd139 |
| SHA256 | 7f6220962a7b1b176618a689484f454e4bbef38b120735fa530b3999c77cc205 |
| SHA512 | 7ac5ccf4d8e3a761005633dbc4afbeb63a1c344ba966035d8a1640d2b7ea040f425105d49f967755a3a6d7ccc4a5095c27b584dd43cf35c75b067e23f606e690 |
C:\Windows\System32\snmptrap.exe
| MD5 | 082354bd49152cd3ff8109cad35bc65c |
| SHA1 | 01297ece71b82b55341fdbd07ea001eeea5fd799 |
| SHA256 | 3ee4451b00fa8a7bda56cdde58ece3af866470a72fe31173d977cb0bc3d26817 |
| SHA512 | 498f9570a3ff823ce1f6277bf248eb72b7a9e94cc635ee9a359e14a19a86b6823435b5296ca19244f93cf7fee4efc32d2b71067f54c12fb629bfcc68815449d8 |
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | 65b59d1f9eb39beabf419c27a081a0cd |
| SHA1 | cf3042cd40241161063ec1c048ac1e4cb4648428 |
| SHA256 | 6b4568e206695793edb28c2251865b53684bda6569444eec5fb11c912f5744f8 |
| SHA512 | 5d8a05b02a5dd0153c1155e2f9b74af9bcb9e484189bfeb2765fde74b9b18c4ead3c7e3254ecfc3e509c31fed501c8dd9068a032eac6e03355b5008485c89893 |
C:\Windows\System32\TieringEngineService.exe
| MD5 | 6ca51def2080abf6e773a2335288dec5 |
| SHA1 | 5beb25f726004139d7c20bb66a6a10cbdc5175ee |
| SHA256 | 23af350eeaba17db05ebd72cd76daffb734ddeb163fdeae7d0b9b110917b0831 |
| SHA512 | fe94ba07e43c0a56efbdd38b6944d59fa4ca935be8f0bb7fdb10d3f875f467262035d7f4a3d2ed5eddd8b10e17274dd8e1258558b65d3c4a12658bc41ff7aa89 |
C:\Windows\System32\VSSVC.exe
| MD5 | 997a0826794c5249f4662b80974ab100 |
| SHA1 | 20fbcc978b57aa3e82df12cf1576dde55f093748 |
| SHA256 | 39f60dab970a642cfb4cd24a6fad1a2f0427b9cc9be13451a5039b5171736b97 |
| SHA512 | 7e5e356604ca831c077f7831376a55f859f73e14ea4e499d769dbc40a560fe2477edd8e3e54463d80e1482881060e8605309dc72b445081036c8dcd4f9823317 |
C:\Windows\System32\wbengine.exe
| MD5 | c04b15614b4044463519dc68deb33cf8 |
| SHA1 | 46aa723c0c2adfcbd47b4ef652e2f2c67be7e78f |
| SHA256 | 14c5abb342d9a1c33b74d057ce0d3bfded5c138321360204fef3558a970c68c2 |
| SHA512 | f756a47262eb2fbbd7fe042d18be9e5290360d85c8717d3005fd73f7d495555494da7a561e8b1025c640c11ef7bdef1a50c951b336001e3ccc3924b0a7755bdb |
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 8867f93a61d0944bf91264213e4b259e |
| SHA1 | 3663fb812a3c25bc175decb84baaedf642c77ea9 |
| SHA256 | 0284ea3841f9138e640822413a5e34e125da0e298fc38233a2b4cd4de1b22331 |
| SHA512 | 9d708fb4ff4308c52d3c47646098ef19557f4fc01336dfe2d819ca843f0287bbe55d8c530495f55607e05b102b5296685503f4585830ba19a47ebd4a96ebb3a4 |
C:\Windows\System32\SearchIndexer.exe
| MD5 | 351d92dddb7ee8192487802b3c1972b3 |
| SHA1 | 03a38eaccc254c5aa16fb2054e1373bb01f73176 |
| SHA256 | d2ad37b5f5a7c33b73e17a9c1be454e9c16d7d702ccc7db322846976ada74c76 |
| SHA512 | 57defdf669ffc51ae7f49f01459ecd16c421ee74c9a06f12151b74a6efd4ec9d449a971e420bb2dd63e6d5f0159381acb88f3c96d1724ceaf0318aba866aefb8 |
memory/2648-256-0x0000000140000000-0x0000000140149000-memory.dmp
memory/2744-255-0x0000000140000000-0x000000014016E000-memory.dmp
memory/2128-254-0x0000000140000000-0x000000014022B000-memory.dmp
memory/4400-252-0x0000000140000000-0x000000014013F000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 934a6a540f211c8d97b51aeafa1fcf09 |
| SHA1 | 9d472c08912fa40757e92bd54d98af7b6a9adca1 |
| SHA256 | c0b32a96305bba2018458fd798b304536e225e761a8c511a7ec53dc213ce97f4 |
| SHA512 | e2b8ec79f3bed773619a358991f5d332a476cfad308bebf90002bb4e7ee932bea882c0e272e8eae9f01f7dc3f60118f3653d96e70d07886bcc5d8fb00cd5fafe |
memory/3924-198-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | fc8ffe6d66883ce1d097b80d2e5472d1 |
| SHA1 | 0a7f8c105725a7c45116e8038840ccb000986894 |
| SHA256 | 7d7586cbfa7a50e2de3facce5ffa399a851854241ed409e42ff5dbd8e35cd671 |
| SHA512 | 9b91b13a784188af573a7fb5de6ffec54b712dde5c98e38ea0b0804c38a21458c1b5b78098c3854c957918847962b89d247b2f36f88225c2d95957d98e04a99f |
C:\Windows\System32\Spectrum.exe
| MD5 | 1300182e8af3be878ccd252c85ea5333 |
| SHA1 | 67a48cd1fbb6dd28309f8dfe19ce7ac0998fe0e0 |
| SHA256 | b9a58991686d8f4cbc21469b08f6b2cd34acda96770d91d5cae74208bcb1cb26 |
| SHA512 | ae555bd38b2b665da3cf83ceb8dc55d6e6cae252453bcbb5c0f211460e7472c450f1856995655e61d11d0d92e7c3ba0387e4bb3d1741d343c8cf074b65cd4cbc |
C:\Windows\System32\Locator.exe
| MD5 | ac2cb7cac05c17b5e810c1f0332aadfe |
| SHA1 | fbb4a42c6bfd164153fd04dd298b1eba3b1854a2 |
| SHA256 | b3b5c437ba933a09bd3562d761899fdd2e8874db592166fb91d6ad9d6cb610f9 |
| SHA512 | e1003a642b782c63e9f1cf838330cdfa2c2ab11996b16b4a405c3e3816eaa1f6983b7626250fe12f2d68499195a6835ab395b723d67ff46e61f7ec403a0cb340 |
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 1cbcdd37aea565bc8432a5767d7fc352 |
| SHA1 | 9d6921ec5297a3ea84e3194135fcbf36304f821d |
| SHA256 | f1d2c36f8511001bdfcb6c187fb67cd903207da9c5b949d3bab8bb17cd5ba128 |
| SHA512 | e6b54823c9163508c14d239368959b71ad637dd8bf79fce09fa2b3a24c67203085764a468c2bccdb35057c83f44df9114a7857efb28270fe503a623949ba972f |
memory/4752-89-0x0000000000D50000-0x0000000000DB0000-memory.dmp
memory/1048-87-0x0000000140000000-0x000000014016E000-memory.dmp
memory/1048-85-0x0000000001A30000-0x0000000001A90000-memory.dmp
memory/1048-81-0x0000000001A30000-0x0000000001A90000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | b06765c2e5b732c9e1dff521def06dd8 |
| SHA1 | c457f8608eb71479cd43f03341d6bd10bc176baa |
| SHA256 | 21c51fc75b069d2d8718cbd64958fb4643ca558c17ed260f48e330c438c46b21 |
| SHA512 | fcdd1463e7d68584efa446633a2b4ed1e8e0d55de9d9e1e1c4846d87f8bde160456592298329b3022cbbcef62baa8053064b9c8e5b8b8bf0385d3b0ea9a6440c |
memory/1672-63-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
| MD5 | b76c7c9f456b5e0636c3e9191518c717 |
| SHA1 | f058a017a2dfa049247a1ab0d2c11dec35586c52 |
| SHA256 | b2fd546872e71e75833755d7fa0c5a37b44dc2d02a7de1a35f8da047bcfb6f71 |
| SHA512 | 70c22127ddf1c046240a60b6b6ee71673ac98233c3759207dc937e773f0644a0747d25505be80e98aed106acfa4d509422baedf17082cc104fc28804c50a1272 |
memory/2592-263-0x0000000140000000-0x0000000140169000-memory.dmp
memory/3772-265-0x0000000140000000-0x0000000140180000-memory.dmp
memory/2188-268-0x0000000140000000-0x0000000140216000-memory.dmp
memory/4752-271-0x0000000140000000-0x0000000140157000-memory.dmp
memory/648-270-0x0000000140000000-0x0000000140179000-memory.dmp
memory/4540-269-0x0000000140000000-0x0000000140164000-memory.dmp
memory/2868-267-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/4880-266-0x0000000140000000-0x0000000140147000-memory.dmp
memory/2356-264-0x0000000140000000-0x00000001401A1000-memory.dmp
memory/4380-262-0x0000000140000000-0x0000000140134000-memory.dmp
memory/4988-261-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/2820-260-0x0000000140000000-0x0000000140133000-memory.dmp
memory/5080-259-0x0000000000400000-0x0000000000535000-memory.dmp
memory/2332-354-0x0000000140000000-0x0000000140148000-memory.dmp
memory/3500-446-0x0000000140000000-0x0000000140147000-memory.dmp
memory/4260-560-0x0000000140000000-0x0000000140234000-memory.dmp
memory/4988-563-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/2128-564-0x0000000140000000-0x000000014022B000-memory.dmp
memory/648-566-0x0000000140000000-0x0000000140179000-memory.dmp
memory/4540-565-0x0000000140000000-0x0000000140164000-memory.dmp
C:\Windows\system32\AppVClient.exe
| MD5 | 3490f4beb231e3f47fa51d172fafa6ef |
| SHA1 | 49a29ece80d68cbd8bc12f21418f7f5e44ed0d25 |
| SHA256 | 1445b0e5a9f87dd75de39701dea3c25a4ecad2f66c560b7caa9d670a7125c35d |
| SHA512 | 357627c04b470b07b93a4b247b5c46fcf9e6c49d6fb1d9c8e858a1d787090d5fa776aa732d675a090b0e4f54a9387bee4c03b7eb0686dc8e1f8e927db3042e78 |
C:\Windows\system32\msiexec.exe
| MD5 | 6358bb86951c759aacbe99ac3c936d56 |
| SHA1 | 53e9d010c8aec986e433a5e9ad21f0eba09854b8 |
| SHA256 | d474da1caf8260e48afc1843a9da1326789619fb5f43f77ccea07e8766853165 |
| SHA512 | f21cb3e47cf3daae593b6de38ad411d907fde0fd94987bc5010449c9071e73a808bb1345de360d418b27d5432f42bb17e688ccbb9c37832b41ed0fa66a62b85f |
C:\Windows\system32\SgrmBroker.exe
| MD5 | 9e87ae85cd6ba1f2cd2be20e7b3473a6 |
| SHA1 | 17342f30905cc56c7704a469ef7d4a138cd38e5a |
| SHA256 | a2213c33f34ec7b3d5881d55b7a33cf18ab1c963514c964ba2507e18d49d8c5a |
| SHA512 | 8c052a74dba2ebf1117c1f45cc204f6a3566208e51716bb7c211b8ed0ab0699b3b10e36033574bf93333151bebc61c7ca0b2d9a4df842506e3c2bebcc7dc92be |
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | fcc7ace09516419ad87970bbdfac08f0 |
| SHA1 | f49596d20d6106254298291977bd38bff6076b71 |
| SHA256 | 50b5c27eb11bbf9f7b37ad0b8b9139aad0ed382e78131436736e55551bd7c8d5 |
| SHA512 | d30dee7274a30c54d8bed8edad9ab13275bf6a10a809dca6bac0b293c672ce95759babdf643887b3c647c8cc6be0e44cef088bc8ef5c950585db0fea1160ae07 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 4931a0cad5ae87e96b1d71625752db95 |
| SHA1 | 82d223cd97d5926be5a5182562509c58540a8697 |
| SHA256 | a420b013e03312d003ab23d2b4c67b377223d8ec569de3c583122e155f011938 |
| SHA512 | a37bca030a2a8c08e89d2ce88a8ad006d334c8d5ce27ccfa507913e0db7dae70aa094b88ac33186aa2e55de68a18713b1c4ad4fbbbd338d1339d60b4d3d93e65 |
C:\Program Files\7-Zip\7z.exe
| MD5 | 10d59ce39d16121cb12a9ff70038fded |
| SHA1 | f4d02aa53c0d975244c481d2f193c7af22ff6455 |
| SHA256 | 4291d91728b30297699eff029def170e3df9536088b3ab0424bb7730178cc708 |
| SHA512 | 8ec3a3e04cf84ee7e28ab6b590dcd949967638719f30bd5fe2f7e053026f90c2e33baa6cfc0904bcd508e9a1291810ee15767014b23fdc13f4b2e0147209697f |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | 5da8899e2e47c397cab576c9b264fc91 |
| SHA1 | b24d7d7e2bbd2b49d804c1945c4669a5a617a887 |
| SHA256 | 62cee02d45c1054d65ae25856762043318276ba4be7308f8ca58f7014326f018 |
| SHA512 | e897c94eb8cc5441ef641d6e86eed71e10ed49babaeacfb80d7e617ef05a661bbf26e9124a7dd3c322375be8379f0c84f8af3110cd1f2a48a806edc27e8cb706 |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 81ad6863030ed3356f7456845d6ce23a |
| SHA1 | c573ae15f7f0159771a6723122355d5dd1506ebf |
| SHA256 | 9603ee5c5edcaae0d960b7cd0b0acb8d39a8b540f69f6218aaaa235894f11dde |
| SHA512 | 741db236c52afc295f22544c41a8fdba1aee96285f0f21f60a8c1dfb6aa7d41b3db6dc7f8a247c346615048c6949199a014c094c72d62791555f1b5c026b8e30 |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | d4f75a41b0e57fcbf94ca83f60480496 |
| SHA1 | 7115eaab33db91b2eb8153b3754e107dc0353084 |
| SHA256 | 08b5ec22e771c0825488873f72ad60279241262b2936350a8e2cf796623d420c |
| SHA512 | 24b770b2c82adad092353140880ebf3ec085d4ed74bbc77660e8b6dfc7b5f0bde5e2ecdf2b1765c43db90931295948a4938ed63f7e46c7649e783f9ff247dbdb |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | ad78d36549fd8d74d3661205d135ef09 |
| SHA1 | 2c40c413089ae3c16af5ca846f96b9640e8a6e60 |
| SHA256 | 8378de62bf8e1bbcfab8d0c17434fe48a37dc5c25cc0d67cc4b713660400ef6a |
| SHA512 | 1df3f5f1970cdf7b509030c7ff8aab2d95d0435437ebcd4ddc67bd52b9b4abae013e4c03d2085664d2decf7b72471e219c7902596e0f2ff9ac08f67045428fbc |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | aa80f25280b4890372a263220737288a |
| SHA1 | 2d94f71fca78d16ebdab1325a83043efe49277ab |
| SHA256 | c9af78aff0823c1a477bfddeb319259b25e350f490c3b9fa8a488da5d72a2775 |
| SHA512 | ada0e92ce3d7828136b90984fcd9cc636cc75217a06429d8afd7217a7a6f0f8abaf02665ff676b0547d3afb5ea1b5c2f25137a7e09e7538fbd1507216d3c751e |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | 70f5c362c8187e4d249ef0e5c9d8e53c |
| SHA1 | fe8ad8cfe24f56d096b66cf1eda2b43de922fe3b |
| SHA256 | a61eebb1e1957bd05958f34755fbc78380587855072f3c858ef816b818bcd000 |
| SHA512 | 8f9ab49fbae5bf3989b8e2d39c6492b7d4f62abd8113454645b49dbc261ddeebed7e1482d4235a2c5a4c6670af8d936174d3b55a44968e91909aa00c9d691f71 |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | 6c767228013d3639d30d12fc847d7b76 |
| SHA1 | 1d3060f44e89944de3c81d0386e7f2a47fa2382f |
| SHA256 | 783d61676b44b834bb14568f90dfa48d757a46460363ddc0b62e89e4c63aa1da |
| SHA512 | 1ebbcff16f587393a221a149d75441585dba2f7bb9a090b8e82d34065b5258a9dc84b5491b22c28d8f0cd10562062f36e79c4e8b4c8866743a97861a7a0163bb |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | 6d72b301a1a74ae919cea264e5c46052 |
| SHA1 | 4f916abf41b5f592e887af49b0f8716536357906 |
| SHA256 | b06649789a353241e35fb033c193f3e22ed08bde114fd74cea1a75633f61570e |
| SHA512 | dc7351060b7071ece3b57cf02dbae9ef501f3bd5d61cde222d0f6d8d82115aa40c035385a3fb089807f12de78e5a88f75fe160091450f693b37c35c853fed34b |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | c8001f6f35bfdc6498f94420d673f23c |
| SHA1 | 3f8fc7e926bc6f31b562e4d69ac272895a25d149 |
| SHA256 | 9752f058e0fc605ad064ea2fab729dfabd1f36c1ce1260ae8f695780c8d58c60 |
| SHA512 | a0fd8c3f6c73448f6bcf23e73c1673f66d099d4d2f69478a4b597424926bd6e6cee3618e363f3abee51bfe7ab69a34e7f61400f0cd117d8a77f848914855cd5b |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | 8d98acd4374428af3f6d794363a28aa9 |
| SHA1 | 24992c433bb455f96fbf5b9a7834c8aa8ad8a527 |
| SHA256 | d3f0deca68a11e550ed8c135cf80d67e6fce4bba43583dd69d1943688337dde3 |
| SHA512 | 8d3d61cc455f0aa20ca9ecc12ef8b211fa45bd216c51f789052f52f9207521073cb7b3dd270e11a4b6118e631fbb187533be12472a66352df3729f00d90c3816 |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | 83615623d08868f17bcd11d4315301b1 |
| SHA1 | cd23962402b0fe4be4fb9ca2e52cac148296a77f |
| SHA256 | 83e8c947c5e8603d7fc03698f1caeef8b2acb41955bb8b533eba762e21c06bd9 |
| SHA512 | ff751e7c2761528c4c77c2b9dd92400c1dffa92b95640e297ebc8d2c34c53287fa859f88cdc05c20372b3c0d04704fbd8f0537362227968da3632ac5d39dc580 |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | fdcba62dcc7e47a9d16dd5677fa83488 |
| SHA1 | 3f2ed899c1e23031d46f3ec1f3e6003144a947ca |
| SHA256 | 61bd7f1b122ef857b771754637d2e999f5c4a782d782f4323094666ebb5c85dd |
| SHA512 | 216fca8145f0f10ea2365306ff75f306a68b84079b2529933d22aaa7635b78b673aadc2aa5199c44fd6256952b94ec700d3d041606058cbaea964cc6742075b4 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | 5e0027b95d9ddb9b8064351bab3c61ca |
| SHA1 | 6e6a794679fac45d07ee95c447d24fa55c4e9955 |
| SHA256 | 2dc051daf2c185643e6c51d88e2f0ec6571a59b2ec790229c81f8a3e1695652c |
| SHA512 | b123f2ebc0ba59fcfed7370ddad4bd78f5736ec5898ffabab5607e53b45e39ed12312a352a82c022decb241560467fb99246692b4e09527e36fc3e563bc12ce7 |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | eef70e70e9604e2e60c3174f5c23fbb0 |
| SHA1 | ec1f1ddf6397ddd5f7b7477f1623ce10e61a22e6 |
| SHA256 | 1fde020a42b908d28732e34e1c93cfc7668346e404f41315aaac25a9e4c85db9 |
| SHA512 | 7ca47c3c5187b53ce5a17082797ce6d553aae6501cc4e94bd22097048f469304adc4dfc8d16daa3025bfe6f03595a6e28de11984b71f5086e67df6c77eec8420 |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | e6df6c6f8dd6e9b02d93802e53adcc61 |
| SHA1 | 43f9be5f851a470a59661f963c9cc8800182a8db |
| SHA256 | 05dc70d4fa6eeb79225c9aaea73651c67b709e734ed8125a12d398fd6461fb99 |
| SHA512 | 2c17d2201d3c5b8671a9e843b996a8343ac7ddb2adaafb0c32af0c3c5eae4371cb678515b7a168c399a3ee86c0df35ae3f5b1053da01c0f7c8da87affff3ca2a |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | e8024dd513a52c657f317d7df2808ff7 |
| SHA1 | 0bf29b03ffb881ca15515e8bae05f83f84ec9c86 |
| SHA256 | 266e487100a1337196d73a17c6395f3dbbbe26f4b38d9ed1224d190bee6eed5d |
| SHA512 | 7ff11e4496df70d47a7c220f24bf9ebd8810fe3aad84f7d313317895b1f6dbd47e7ef0a797b018547e89465ad9ed6cdfb4169119715a73e85718fa59ae47e8ed |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | 38dc03dc91337d03214f18f5e9fc076c |
| SHA1 | dec6942be1e1cc05e98c8460faabbc5f4a19b31d |
| SHA256 | b2fa54aa2f748b637742efe2504bc066e9c19901d7fb417f36eba752eafb9b16 |
| SHA512 | c585f4417809d497a0c15efd6ea9217b67d9ebd8d893ed95aa826dc59bad3a4c72b9d549f8030f1f675f8a0db6b9d8d0d2e33d00fa024ba813f62b6e99a41dc8 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
| MD5 | 61badae48f01e033c09ab07254f1481d |
| SHA1 | 17a7df2ecdc2982856ffa9d37ae83d2c615f1940 |
| SHA256 | 5c2e2525732c3b8391554b2dbf251ad4efd26ab399cb7164d9bad735fe5556ba |
| SHA512 | 2475f6143e16e18fdae84bfc91d3a879f960702b701f8389b7e1b787064f340cc0cfa9d9685500bef4425ffe5da63906d2254a6dce89c9b7864ca3905e315e73 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
| MD5 | 0b66950eb5cb0144c776a66ec8bb5fae |
| SHA1 | acaca860653911256d8053f8cb81a4ecc77e2bb0 |
| SHA256 | cd9249954c431352806345de220607b9b0fbdcc45ccda752a189eebd825f6164 |
| SHA512 | 0b625d8869176f530dd1f9809165c5169344ca81d30b2bf26c654c0db9eab3dc78562c1c9259d2d4996fae2f35ee15d19efa61aebce7f0cfa22ed2adedfda8c0 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
| MD5 | 64bab8479e1e7b8a4e5c0092dff65916 |
| SHA1 | d9e332e1150fd8dc6d2d3cd334f48532cf418c53 |
| SHA256 | 8eb6ca51485c9222570a842ed96979e2ee87e704833b01b99a69bd7f0971e0cd |
| SHA512 | e5418e1f62b8cae81a2c936d31cc0fe53fe6ab7878bee6e3465301802b8b1995f64296fd4bd0c871168414c1a50c9b949ac0b134df522fd9d05e81c7f9868bef |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
| MD5 | c8deb1e7677e60defe09303bbbbaf30b |
| SHA1 | 448a02520888cc9f4660c15fc6dd64d3f7b1f288 |
| SHA256 | 5dd3d042a4484961ef0d577eec801ed50b20d289da5d946c772743d00c27c8c7 |
| SHA512 | a1bb9bdd30af23507ce6110259bda5f5773700d8bbab41d2349e4d89b89f35415ae381c5a2992970ff8d6dfbe35f27c87f5b7332b86d0b23e7fe8ba6045624e5 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | 277995655f6edb6c6ae778279f4a77bd |
| SHA1 | 3bf52a6c89e3d0a8c6a1a22da2962511eeaccdda |
| SHA256 | 5b0312b2d4df2667d9a3004517096a60a39db27dbd261d247f941e646a032ff5 |
| SHA512 | 278fc9fd21ad5284e8ee198bd056a0590365a64bacfdbf9cab61effe8d1c68235ed7aa843b8e9c7bf7ef087832f9a18314856d959ddf570da8826eca681b5810 |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | 15fcf152959b81781ffd32993270e475 |
| SHA1 | a25fb73e6c3ffae27f08815fcecc7edb221722a7 |
| SHA256 | 6bd2bc7e5a0c42bf580481c6459053f71891963161e057a0b54036ad28f6eb05 |
| SHA512 | d712462138465a561625a6dda6677bd98234c8a178c4a06c7cdd97e967ef60615668c58893b78a7775961282c2ee03a171203be631c36481d6b220f2ed398fb4 |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | f2f21cb3c4a4699a507af354c38fe0b8 |
| SHA1 | ff0e9e89625de4bec757d16a926871ea57656173 |
| SHA256 | f016625dc6d4d86bf7905e699d12aa191b7ecbcfdcc3ecb220269575dd9a0230 |
| SHA512 | 041fd597e3c250d0fc532b70e24baa3f6d8143c0159772b840af03f846792b654e9eb3da7a863a588893952177051627d7535c453115185af4c6ee9f95aaac51 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | d0f0edb33efceac332a0c0400df687c3 |
| SHA1 | e8b339fcd6968cdb569bdf96de0d912bc01cf510 |
| SHA256 | 3f8f555b3ee9b565f348d0ad1e1c86ce5d133ac505e4ff3c72a5f45389d26314 |
| SHA512 | 35a48aacfc71506ff9588bf2679f0b64d191cab9cf0ca73b826a1c2b4a3d87ef4f234d1fa3beae82deeb843134b6a7c9e51316f2f6f3a2436f643ed04c38058d |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | 7f900fb35169b55e841ec6da75e9c9d7 |
| SHA1 | 5a82de63a7b6153ded1d2785033d97e47186bc60 |
| SHA256 | d13323c778f38ebf31dbfbadd87f6ab41bcafe04e7c2ebea21cbd5e6c1224425 |
| SHA512 | 1e5dc1765bdfb395c786fed8cec4fce5b0dd0976d773069d221442247d5ce523fbb4e91059053d2b9751653cbcdf5b9521aad0b7f0db4e77ebae810d1dcd0a41 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | e273b9a9102f99d03fdf72c11200f80b |
| SHA1 | c422ecbd6cdd42d060c9d046cc5ce4cd49878e04 |
| SHA256 | ff734751d8acd8ab73efd0825815673cf2dfde9008a78fbe06549bf76024f7d1 |
| SHA512 | eb75f104394b63371f30c88a48642607246b56a8e93fa28c597f03748f95aa25dc2f1e1797df400bf95a90bbd861ed79154bf9f73b8fb94cccb8e7447f093ab2 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | ae496c0eeaf015f8978c104efbc13ebb |
| SHA1 | 1789b3c48eb97f5b8b76f75e44bbda0935c2cfa2 |
| SHA256 | 6020169c25422860f3598325b1cf0dbc59022942b2fb6ee9248b1ae70774ba0c |
| SHA512 | 87b5e8985a72c3bb5916cb21004d4b3d3846510bebace604be94d052efb71e179e83c00fbbb03335f4269a98fd58a1c8e63b5699408b1d53462681c9c79e1784 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | 3b2ac12467d15fed7e134816b2101372 |
| SHA1 | 1487c0761cab727f893e4ecc47d723297233956a |
| SHA256 | d1376cc1393f28f5e3eb73922407857fcbe0268569d246582d49df80f1902b1c |
| SHA512 | df7fed8f346083d2668def87a5843790ac19738024f544f0a40de212b159539d3b883dc75f369d6ba4d0c527fbdf2e389bb04816508f5b03b223f6e2ef698ce1 |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | 169c8b588ad6434fac46b92c02a34bbf |
| SHA1 | 80618793179dc2cc9834079c73aa4e092097a016 |
| SHA256 | 6cbb3b7891b4e02dcf24eab55afbfe7d8998c33e202c6d2f0a19103715f9c465 |
| SHA512 | 5b4ea0b89c8d87d6daa886545bd40dfd8333d6ad837ec0218872b8bc5955241020f978224de6017f9c694a4d83d896a42358fb1697ff4f9e5708e2597f5694d5 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 293c027671a1358929f5a335e2647c99 |
| SHA1 | c6adb79ccc70b8b0e0d1d61b7555733f3ebfff03 |
| SHA256 | d3d76cc2e146dc4cf0aadd7f4d23feb93d5f6b6b3a4edf97a9204aa3655c38dd |
| SHA512 | 12d7414c197503898d27718026c5e24a1987ddcd6c129aa561b6d2e378e0b8fbe364ba298ebb60540b8cd715ae4ec75ab3931b5350bc383c12b4de74f6524932 |