Malware Analysis Report

2025-08-05 23:32

Sample ID 250119-xm2avs1mct
Target 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe
SHA256 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630a
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630a

Threat Level: Shows suspicious behavior

The file 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 18:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 18:59

Reported

2025-01-19 19:01

Platform

win7-20240903-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\86acc3de38786e49.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index151.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index155.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14f.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFBDC.tmp\stdole.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D48.tmp\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEB97.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEDA9.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 348 wrote to memory of 1448 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 348 wrote to memory of 1448 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 348 wrote to memory of 1448 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 348 wrote to memory of 1520 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 348 wrote to memory of 1520 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 348 wrote to memory of 1520 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2088 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2272 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2272 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2272 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2272 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 884 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 884 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 884 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 884 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 2088 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 2088 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 2088 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 2088 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2088 wrote to memory of 1604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe

"C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 23c -NGENProcess 240 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 274 -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 288 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1f8 -NGENProcess 23c -Pipe 220 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 250 -NGENProcess 284 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 25c -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 23c -Pipe 1f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 244 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 23c -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c4 -NGENProcess 258 -Pipe 224 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 258 -NGENProcess 244 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a8 -NGENProcess 284 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 284 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 290 -NGENProcess 1c4 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1c4 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 294 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 260 -NGENProcess 298 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2b0 -NGENProcess 290 -Pipe 1c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 290 -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b8 -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 298 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c0 -NGENProcess 294 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 294 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 248 -NGENProcess 2c4 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2c4 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 248 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 248 -Pipe 2c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 248 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2fc -NGENProcess 2f0 -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2d8 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 308 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2f4 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f4 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f4 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f4 -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2f4 -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f4 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2f4 -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2f4 -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 308 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 30c -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 374 -NGENProcess 2f4 -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 380 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 308 -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 2f4 -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 308 -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 2f4 -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 368 -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 308 -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 308 -NGENProcess 394 -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 3a4 -NGENProcess 368 -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 368 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3ac -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 394 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 390 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 394 -Pipe 3a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c0 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 394 -Pipe 3b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 39c -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3bc -Pipe 3b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 394 -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 39c -Pipe 3c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3bc -Pipe 3c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3bc -NGENProcess 3d0 -Pipe 3e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c8 -NGENProcess 3e0 -Pipe 3cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3e8 -NGENProcess 3d8 -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3d0 -Pipe 3d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3ec -NGENProcess 3e8 -Pipe 3e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 394 -NGENProcess 3d0 -Pipe 3dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3f8 -NGENProcess 3c8 -Pipe 39c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3e8 -Pipe 3f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3d0 -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3c8 -Pipe 3f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3e8 -Pipe 3ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3e8 -NGENProcess 404 -Pipe 3d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 414 -NGENProcess 3c8 -Pipe 3f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3c8 -NGENProcess 40c -Pipe 410 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 41c -NGENProcess 404 -Pipe 408 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 418 -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 40c -Pipe 3e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 404 -Pipe 3fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 418 -Pipe 414 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 418 -NGENProcess 424 -Pipe 40c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 434 -NGENProcess 404 -Pipe 41c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 404 -NGENProcess 42c -Pipe 430 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 43c -NGENProcess 424 -Pipe 428 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 438 -Pipe 3c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 42c -Pipe 418 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 42c -NGENProcess 43c -Pipe 424 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 44c -NGENProcess 438 -Pipe 434 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 438 -NGENProcess 444 -Pipe 448 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 454 -NGENProcess 43c -Pipe 440 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 450 -Pipe 420 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 450 -NGENProcess 438 -Pipe 444 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 438 -NGENProcess 450 -Pipe 460 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 43c -NGENProcess 468 -Pipe 458 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 420 -NGENProcess 450 -Pipe 454 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 46c -NGENProcess 438 -Pipe 3d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 468 -Pipe 42c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 474 -NGENProcess 450 -Pipe 45c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 450 -NGENProcess 46c -Pipe 438 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 47c -NGENProcess 468 -Pipe 43c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 480 -NGENProcess 478 -Pipe 420 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 484 -NGENProcess 46c -Pipe 470 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 468 -Pipe 464 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 468 -NGENProcess 480 -Pipe 478 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 490 -NGENProcess 46c -Pipe 450 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 494 -NGENProcess 48c -Pipe 47c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 48c -NGENProcess 468 -Pipe 480 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 49c -NGENProcess 46c -Pipe 474 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4a0 -NGENProcess 498 -Pipe 488 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 4a4 -NGENProcess 468 -Pipe 490 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4a8 -NGENProcess 46c -Pipe 484 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4ac -NGENProcess 498 -Pipe 494 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4b0 -NGENProcess 468 -Pipe 48c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 46c -Pipe 49c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 498 -Pipe 4a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4bc -NGENProcess 468 -Pipe 4a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4c0 -NGENProcess 46c -Pipe 4a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c4 -NGENProcess 498 -Pipe 4ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 468 -Pipe 4b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 46c -Pipe 4b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4d0 -NGENProcess 498 -Pipe 4b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4d4 -NGENProcess 468 -Pipe 4bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4d8 -NGENProcess 46c -Pipe 4c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 498 -Pipe 4c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e0 -NGENProcess 468 -Pipe 4c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4e4 -NGENProcess 46c -Pipe 4cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 498 -Pipe 4d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 468 -Pipe 4d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 46c -Pipe 4d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 498 -Pipe 4dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 468 -Pipe 4e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 46c -Pipe 4e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 498 -Pipe 4e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 504 -NGENProcess 468 -Pipe 4ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 46c -Pipe 4f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 498 -Pipe 4f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 510 -NGENProcess 468 -Pipe 4f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 468 -NGENProcess 46c -Pipe 518 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 4fc -NGENProcess 514 -Pipe 500 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 51c -NGENProcess 50c -Pipe 404 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 46c -Pipe 504 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 514 -Pipe 508 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 50c -Pipe 510 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 46c -Pipe 468 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 514 -Pipe 4fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 50c -Pipe 51c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 538 -NGENProcess 46c -Pipe 520 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 53c -NGENProcess 514 -Pipe 524 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 540 -NGENProcess 50c -Pipe 528 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 544 -NGENProcess 46c -Pipe 52c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 548 -NGENProcess 514 -Pipe 530 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 50c -Pipe 534 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 550 -NGENProcess 46c -Pipe 538 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 514 -Pipe 53c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 558 -NGENProcess 50c -Pipe 540 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 55c -NGENProcess 46c -Pipe 544 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 55c -InterruptEvent 560 -NGENProcess 514 -Pipe 548 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 50c -Pipe 54c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 46c -Pipe 550 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 56c -NGENProcess 514 -Pipe 554 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 570 -NGENProcess 50c -Pipe 558 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 574 -NGENProcess 46c -Pipe 55c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 578 -NGENProcess 514 -Pipe 560 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 57c -NGENProcess 50c -Pipe 564 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 580 -NGENProcess 46c -Pipe 568 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 584 -NGENProcess 514 -Pipe 56c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 584 -InterruptEvent 588 -NGENProcess 50c -Pipe 570 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 58c -NGENProcess 46c -Pipe 574 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 58c -InterruptEvent 590 -NGENProcess 514 -Pipe 578 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 590 -InterruptEvent 594 -NGENProcess 50c -Pipe 57c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 598 -NGENProcess 46c -Pipe 580 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 59c -NGENProcess 514 -Pipe 584 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 5a0 -NGENProcess 50c -Pipe 588 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a0 -InterruptEvent 5a4 -NGENProcess 46c -Pipe 58c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a4 -InterruptEvent 5a8 -NGENProcess 514 -Pipe 590 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 5ac -NGENProcess 50c -Pipe 594 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5ac -InterruptEvent 5b0 -NGENProcess 46c -Pipe 598 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b0 -InterruptEvent 5b4 -NGENProcess 514 -Pipe 59c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 5b8 -NGENProcess 50c -Pipe 5a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b8 -InterruptEvent 5bc -NGENProcess 46c -Pipe 5a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5bc -InterruptEvent 5c0 -NGENProcess 514 -Pipe 5a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5c0 -InterruptEvent 5c4 -NGENProcess 50c -Pipe 5ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5c4 -InterruptEvent 5c8 -NGENProcess 46c -Pipe 5b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5c8 -InterruptEvent 5cc -NGENProcess 514 -Pipe 5b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5cc -InterruptEvent 5d0 -NGENProcess 50c -Pipe 5b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5d0 -InterruptEvent 5d4 -NGENProcess 46c -Pipe 5bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5d4 -InterruptEvent 5d8 -NGENProcess 514 -Pipe 5c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5d8 -InterruptEvent 5dc -NGENProcess 50c -Pipe 5c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5dc -InterruptEvent 5e0 -NGENProcess 46c -Pipe 5c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5e0 -InterruptEvent 5e4 -NGENProcess 514 -Pipe 5cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5e4 -InterruptEvent 5e8 -NGENProcess 50c -Pipe 5d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5e8 -InterruptEvent 5ec -NGENProcess 46c -Pipe 5d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5ec -InterruptEvent 5f0 -NGENProcess 514 -Pipe 5d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f0 -InterruptEvent 5f4 -NGENProcess 50c -Pipe 5dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f4 -InterruptEvent 5f8 -NGENProcess 46c -Pipe 5e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f8 -InterruptEvent 5fc -NGENProcess 514 -Pipe 5e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5fc -InterruptEvent 600 -NGENProcess 50c -Pipe 5e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 600 -InterruptEvent 604 -NGENProcess 46c -Pipe 5ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 604 -InterruptEvent 608 -NGENProcess 514 -Pipe 5f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 608 -InterruptEvent 60c -NGENProcess 50c -Pipe 5f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 60c -InterruptEvent 610 -NGENProcess 46c -Pipe 5f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 610 -InterruptEvent 614 -NGENProcess 514 -Pipe 5fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 614 -InterruptEvent 618 -NGENProcess 50c -Pipe 600 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 618 -InterruptEvent 61c -NGENProcess 46c -Pipe 604 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 61c -InterruptEvent 620 -NGENProcess 514 -Pipe 608 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 620 -InterruptEvent 624 -NGENProcess 50c -Pipe 60c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 624 -InterruptEvent 628 -NGENProcess 46c -Pipe 610 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 628 -InterruptEvent 62c -NGENProcess 514 -Pipe 614 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 630 -NGENProcess 50c -Pipe 618 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 630 -InterruptEvent 634 -NGENProcess 46c -Pipe 61c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 634 -InterruptEvent 638 -NGENProcess 514 -Pipe 620 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 638 -InterruptEvent 63c -NGENProcess 50c -Pipe 624 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 63c -InterruptEvent 640 -NGENProcess 46c -Pipe 628 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 640 -InterruptEvent 644 -NGENProcess 514 -Pipe 62c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 644 -InterruptEvent 648 -NGENProcess 50c -Pipe 630 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 648 -InterruptEvent 64c -NGENProcess 46c -Pipe 634 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 64c -InterruptEvent 650 -NGENProcess 514 -Pipe 638 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 650 -InterruptEvent 654 -NGENProcess 50c -Pipe 63c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 654 -InterruptEvent 658 -NGENProcess 46c -Pipe 640 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 658 -InterruptEvent 65c -NGENProcess 514 -Pipe 644 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 65c -InterruptEvent 660 -NGENProcess 50c -Pipe 648 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 660 -InterruptEvent 664 -NGENProcess 46c -Pipe 64c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 664 -InterruptEvent 668 -NGENProcess 514 -Pipe 650 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 668 -InterruptEvent 66c -NGENProcess 50c -Pipe 654 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 66c -InterruptEvent 670 -NGENProcess 46c -Pipe 658 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 674 -NGENProcess 514 -Pipe 65c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 674 -InterruptEvent 678 -NGENProcess 50c -Pipe 660 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 678 -InterruptEvent 67c -NGENProcess 46c -Pipe 664 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 67c -InterruptEvent 680 -NGENProcess 514 -Pipe 668 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 680 -InterruptEvent 684 -NGENProcess 50c -Pipe 66c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 684 -InterruptEvent 688 -NGENProcess 46c -Pipe 670 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 688 -InterruptEvent 68c -NGENProcess 514 -Pipe 674 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 68c -InterruptEvent 690 -NGENProcess 50c -Pipe 678 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 690 -InterruptEvent 694 -NGENProcess 46c -Pipe 67c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 694 -InterruptEvent 698 -NGENProcess 514 -Pipe 680 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 698 -InterruptEvent 69c -NGENProcess 50c -Pipe 684 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 69c -InterruptEvent 6a0 -NGENProcess 46c -Pipe 688 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 69c -NGENProcess 68c -Pipe 46c -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 ww7.przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 199.59.243.228:80 ww7.przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 ww12.przvgke.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 76.223.26.96:80 ww12.przvgke.biz tcp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp

Files

memory/1944-0-0x0000000000400000-0x000000000066F000-memory.dmp

memory/1944-6-0x0000000000250000-0x00000000002B6000-memory.dmp

memory/1944-7-0x0000000000250000-0x00000000002B6000-memory.dmp

C:\Windows\System32\alg.exe

MD5 d03f5319207d4af72e7eb968f74939ea
SHA1 efc9138534575c7856d078fcf9e3781403335178
SHA256 e8c55952d4e89807b3666eb29782cdd13ee9572c4c1b39fa2377900c163b129c
SHA512 e2ec4fdbab76e9fc2be0ba56c53c0c2c5880216b6e0d6d70204bd1ed254e90051a82cd7f56725adefa169c25760c8a297fbcd8f01939ec1865564936935e76bf

memory/2404-21-0x0000000100000000-0x000000010018F000-memory.dmp

memory/2404-22-0x0000000000860000-0x00000000008C0000-memory.dmp

memory/2404-13-0x0000000000860000-0x00000000008C0000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 9978e4006d613b1b126db2e2cf38a512
SHA1 cf575e136d1fb66041da65868d91b5a2bcb62167
SHA256 e55636e0cddd6c142aaef5d90b64b14164a4434bbd77921db840cadf90d05839
SHA512 853ffeed10787efa99d10d9d11ff7863db424597bd759bae25f7170b597866d55335c6ff2467fe5faf4cd36096b886eb95235d40984930c9bff439275dea1af2

memory/2244-27-0x0000000140000000-0x0000000140188000-memory.dmp

memory/2244-28-0x0000000000E20000-0x0000000000E80000-memory.dmp

memory/2244-36-0x0000000000E20000-0x0000000000E80000-memory.dmp

memory/2992-40-0x00000000004C0000-0x0000000000526000-memory.dmp

memory/2992-39-0x0000000010000000-0x000000001018A000-memory.dmp

memory/2992-47-0x00000000004C0000-0x0000000000526000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 95454c9a8098101d7a648af25700624b
SHA1 9520557846f195b02d124e4d9cd107744c38d082
SHA256 06fdff28bb030e0540efa91436e37b4735ff0533e546c69dca56007b39e76889
SHA512 4a265f3714a6b800cad380de6c21fc690b85b31e4bd8157fb047c4357f607208afa85e5afc45b824396e04df96acf4eb58370ab1b6d825b14882410985a1744a

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 9817861e17afbdb377abe2bd8276c37f
SHA1 1bc2c7c0642499db8c1b02f99c5eaf4906249f2d
SHA256 37a3b7ce26eb91275bcc867d21aa44b10dd085c2858ad44409c75ebae0c428d1
SHA512 afca81c777a5bd6f370eddff6e203145d1af2e1926a73977c2ab11f05ab706944fdc2674a4c2fcdcc12a846dd54273b24c942d0464ab66cd16e7c5601c40d995

memory/2640-56-0x0000000010000000-0x0000000010192000-memory.dmp

memory/2640-63-0x0000000000520000-0x0000000000580000-memory.dmp

memory/2088-74-0x00000000005A0000-0x0000000000606000-memory.dmp

memory/2088-79-0x00000000005A0000-0x0000000000606000-memory.dmp

memory/2088-73-0x0000000000400000-0x0000000000593000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 9633c019e1338a9ca6d1eb62191cb5b4
SHA1 df339fc04e0ae5112176d910ef0dd24ebb2bee1e
SHA256 6076cf9d1bf176c257537267685dac6c92389bc000ef1f75b0944dcb2b391393
SHA512 1ddcec0531ff3749caed941fe8ec18be7938b5ae11089cb86b6b907e5e555e2d8f23c53bdf2a9084f618c370aec06c35a652e602a74ea23d46ad159e1953cb0f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 c0f4d9498224b2282b20f547ab3041a5
SHA1 2808d5431d1414842c9c2c0a629cfd71269c1ea7
SHA256 0e8785ed53372162de644e18ed2a57b7b0d521679e3237a6d0b2589c2f045419
SHA512 7c0ca39b93972d0834b96c0cef00f36a4bfc1522cec5b4d92ce8602274e57f00c86a72984f535daff4c463df23b6b810ba1413147cb9943f64e27269e12f127a

memory/2640-57-0x0000000000520000-0x0000000000580000-memory.dmp

memory/2992-85-0x0000000010000000-0x000000001018A000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 2149981fc46780556c1c92cdf1cea65e
SHA1 a0eef598f1f49fde200b8b454baf6b9a62c68b95
SHA256 c15923c1460d844750c83c777bc066feb6f50af0dcb6e8fc55e3438ec3ae34a9
SHA512 cec16b6c2fd7d99ec51fd1c475c8810a269c3fbd20b76712ad58df56cc5b0bd9ccbc16610dc2f8c94e4cc0b8561ef69561bc693e3406d2bae297e820ef996923

memory/792-99-0x0000000140000000-0x0000000140199000-memory.dmp

memory/2640-104-0x0000000010000000-0x0000000010192000-memory.dmp

memory/2900-119-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2900-111-0x0000000000AC0000-0x0000000000B20000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 95ef35694aa3add3e0411600f90f1774
SHA1 3df860b2258231b3cb107f1ffd68dbab44d73a46
SHA256 52e076b906e3eb592d6d10809d9f3e8b651371f8cc4bc8f161b5c11e339951b5
SHA512 c2de50af49a0eb50f0e2f311dfc415eda41b0f3605b61390887ee9e156620c1f227897de8bf102d178017f12b5a90657f79b037c50cf1557229bca232d1e782d

\Windows\ehome\ehsched.exe

MD5 f3250ece94e22dbec0ea3f9a83d3f0b9
SHA1 720d88c621fed5deb219174345a8f770c31b9623
SHA256 0384282c75b2bf906382036bf22eaf591bab2dff6d685cad40c196cc47ad89fa
SHA512 5ee7713e5e7f9fb59e51d0ce8d3c556102021b508b1e971241c6c39fbf5b1a8b1a0946efdce8e7a3859ec3f54ec746a879169547cb9c7ec2fefb5a9be6ec1869

memory/1684-126-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2552-138-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 7724e503600ae907f449a458d295f131
SHA1 96308e828ab81709d26628df1daf22cd5b7ad2bb
SHA256 d2ea5b97c2b640d8906e15e6b66dedb8b9f27d3bf3c94ea1f5f50b08eeace3aa
SHA512 dbf1877f2a2cf423d7aa5d5d702763cd47e97b4d09cbba73aa7e79d6634c2c72f7421870a6700824841cae900f72c2935a77131b569fc122460685928844f2c9

C:\Windows\System32\ieetwcollector.exe

MD5 870b20c81380f4449174ecaa8f935213
SHA1 30d03851977842a3cfc5d099c59a8b880e03ac45
SHA256 20718c50722239a532e7eff64ca79e2e08812d971b0811ca0b4b3fedaba1d4cb
SHA512 faaaa09811636ea9174d8a8a06bfd60fa6c27c1d28c4918aa94555b3ac4141c96075889a6dd0f825c91474028dd0f2c80e4e38dc3efb5d5c4a8587da187bcfa9

memory/1160-157-0x0000000140000000-0x0000000140199000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 8f119d3f8de2dfa382c2a3c5112ccc81
SHA1 9538b964ae10358f78ad4fb7a5d9674e90a39349
SHA256 56cc9b08179bdaa341688883c4fb044b8dd7e83ed1bad87bd9fab0e9055e2ace
SHA512 170855effa2b4b562ec1847fa15ae1dc8f531b116ea21f894bd25d4195939f38a1cb16050b40e5cad4b279f9d24255bafb73b7d8c6a782117224c4f7e02f598d

memory/2244-156-0x0000000140000000-0x0000000140188000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 3a5a3736bb755ee4fc5b8884364c40a3
SHA1 17f6f93e915bf774bf5d6c8581955b3f42f8ee09
SHA256 473601bd59acad1a45d674939f397c89bd57c9dee1ffa1a3b740dec6238e8300
SHA512 51005b126bbe1e16aafe6e8277def80b6e7b1ab4f0a75a3256334f986f4d3473dd59e5878b764c191471d1e7904b92b77c1c784e9725d84725f28d99ee38acfe

C:\Windows\System32\msdtc.exe

MD5 92993abc35baa72b3871fd8475d1510b
SHA1 2175fb7bfe5cce87fbbee102c969bc19b1abc819
SHA256 29a83a59f4456157fe9ea4d5a67baa4ce61fd6dfa8b5054376943cb54e73343b
SHA512 6db1e3fe9fea644f061979fac27f733c76823405f0cbf31d2ca95892a6d319913aabb93be1cd9319079417d6085aca1978c12509c785e208bba68f2c7dc60af0

memory/1068-195-0x0000000140000000-0x00000001401A1000-memory.dmp

memory/2104-184-0x0000000140000000-0x00000001401B5000-memory.dmp

\Windows\System32\msiexec.exe

MD5 5635e294e1bb7190aa51bd32801b0d36
SHA1 13f1ee2a618b0a48cb0e1c1b47c47cdb36f37f14
SHA256 5c6bed03ead1f5d3e4cadf53f07037cc389668d70bf8f032cdfe6a1cb1f4d118
SHA512 d33f95d88b9cb7f1a6fe503c412df1ca1efe088afd5b2dbf3086842895f7b70647e83833aea56d7b1f82c08bd1f7210d57ff2a1e3e4838a5575d81a56888df6d

memory/3032-211-0x00000000006A0000-0x000000000083D000-memory.dmp

memory/2088-210-0x0000000000400000-0x0000000000593000-memory.dmp

memory/3032-209-0x0000000100000000-0x000000010019D000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 d9d833b670348479f433939ad6350dc4
SHA1 246c02771c23248a6c494f40bb17c5b5bad1dd8c
SHA256 f8f197f9e2a4ec8ec9f86ab923dd7bc1dbfd5e3bd1466c6efad9eaf436b72b35
SHA512 4e7f5abf67a15fa84a73fe53ffa3adb225c19603bb7a81350b5b51f02358f425f3d5fff98505883806c1b6002f7ff3b289638b7328fa48276d165e8856652e67

memory/2840-224-0x000000002E000000-0x000000002E1A0000-memory.dmp

memory/792-217-0x0000000140000000-0x0000000140199000-memory.dmp

memory/2900-229-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 9ee25c929c41b8e4f662287ff98a8cda
SHA1 f66e321c6fadca63097ed5f0dd4015c339fdacb9
SHA256 6e0f10b117487a76e0ff0d8b507d9c46a84495b5ef08f9756e9ebbb5180d9730
SHA512 de4ef26056c67810a7220460cd1ee4b1cb309ac1eaa4f08084d919b81c12eab9a45534aec00b23c7bbe95f3686bd6e5f7a1ca888d8e147efe95d979169d885b2

memory/2856-250-0x0000000100000000-0x0000000100180000-memory.dmp

memory/2552-254-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2932-264-0x0000000100000000-0x0000000100181000-memory.dmp

C:\Windows\System32\vds.exe

MD5 e8b7cfd7e4f5a80bf2c0883c4699e154
SHA1 15056af91cc0ef7b0b7f4d5328fde659148704e8
SHA256 6ca52d5eeaf09c69197cc7aae8c871bc630cda0b52cbd2ea2f7c72a71e85e117
SHA512 917edf795464284ab92bc8258e952db2afc4117392179c57b0c4dccdc0eaf2858ec9605f0e55e2c54e5ce03361cd994674634fa328af55785d95bb0fdb10fe84

memory/1160-266-0x0000000140000000-0x0000000140199000-memory.dmp

memory/1364-276-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2164-277-0x0000000100000000-0x00000001001FF000-memory.dmp

memory/3012-281-0x0000000100000000-0x0000000100219000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 b51f67d6323c2a4401fcdcab0792a43f
SHA1 5bc4cad0ba20eb42376542e4871f7aecf6eb7bba
SHA256 2d08362bde039361f06a7f28308e1f65e475efffd27eadc4686c0d7651b3b17e
SHA512 e98d8722f0fbced27763d265f26bc45c75dc2b7251bb163468aae849189ca4c28da3064221e5fe38b5d48d0e71c64f71edb10ad262028a2721f420dd1dcf2cf8

memory/1144-301-0x0000000100000000-0x0000000100202000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 9b6a56afaa3d410d0920f06e6a12a059
SHA1 d7be1e39aefb3d2f32f224835cfdac6add083ef8
SHA256 9e18081f6d13e0c2a2a5190ee14273eeda4e6f8c344fd428519645b529f37bad
SHA512 6685ad893cc8ed2a2a5caaf9c299bbcabdf4f6b2216dbffd039c7912162cfa818f3a629c58dcd230814723d9450d0d1cfb854395f7e7dd542c72ceab8c7b8c47

memory/2408-314-0x0000000100000000-0x00000001001AF000-memory.dmp

\Program Files\Windows Media Player\wmpnetwk.exe

MD5 755902bee14f5cdf4d1e367a4c188c87
SHA1 30b068dc1bc54de695cd6de1ba4e7a4c01e5fcf9
SHA256 b7156125a9dc232b4c5166d367de2b42f0fcd90dcf3c8e9900f0b0c757911adc
SHA512 d29441bc3c75bf8e61577029b1be1e08b2a6bd112dd2cbab8c814e13584dacd20121c076c80441681b66509a1b0185037e20437a8d91fef8976378d738353207

memory/1428-327-0x0000000100000000-0x000000010020A000-memory.dmp

memory/3032-323-0x0000000100000000-0x000000010019D000-memory.dmp

memory/348-332-0x0000000100000000-0x0000000100123000-memory.dmp

memory/3032-331-0x00000000006A0000-0x000000000083D000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 05837ae85efd2c2c0029eaa17b437231
SHA1 6373f632c3386b7a58e6235d5ead8cbd430db79f
SHA256 462744dc0a61e13e15f5a3d581cf5b72cd9648291cd9e7fc69df43e0216b254a
SHA512 002091be005b10127faab7ed35fb8df74394aaf25504e5bc8c186b6441f10a792c8f61ece5a05fb3d442c58b123ad81ad90c1420ade5166b6486b250a672b07f

memory/1068-305-0x0000000140000000-0x00000001401A1000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 750872b1d48c8a77cba3d61aca3ab181
SHA1 de57b700ca168eb509e3f73aa62590086584cfdb
SHA256 8b277a5ad4c1c68d0a6729f5e0bfe3387cca4ebc52376de8790eaa66ac765ade
SHA512 66ffe655112e86c868b44e641a6235ce32aa43c9aae8315ffe3f796e85caaac32074edd0eac6ed3489c48cd445a536f5e36d5a4800be92de4b02231cb63a70de

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 51fd6f85f9cbe520ceab8de92fd8e91d
SHA1 f5eafa72e6b96da00435f81774f93732342905de
SHA256 ea41d7be77326d3720738ee5790e177c5d4769171a56f4ecec98cfcbc74d2f51
SHA512 694c6713877c96c4e9fff0932a55ee2fc6c098b69662fce3907ae2c7788bdb613de20e113c4d58964a59b1549863dee8546ff1bf66cf77a71aacc1ff7fd76500

C:\Windows\System32\snmptrap.exe

MD5 81ae07d9044160b0a6eeffb656b2830a
SHA1 d5689ebc71a1bbbcfa8cd810bd556425e7ba9bf9
SHA256 5d9efb7eaffc5197db2e7b90eac2b6a842248b903867eab3dff750681ac9a436
SHA512 c263d71c994421993a002767383318697328727efa1b29eee24b4e58531a9048d831276f52e94fe1ad4e320f05b7941e2986d71ec1935598721385160bba6247

memory/1684-249-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2664-237-0x0000000001000000-0x0000000001181000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 71b7897b67853a2f562f640966488f5d
SHA1 233b666d8f90613e7c2491bba761cefcb63169a0
SHA256 c282d1f528057c84d7b85d385719bb369f1a6b3acd8aadceae6e774ea14d4e6c
SHA512 51d385b5601812155dc4e7a9a9a0f491ca5b7f5d34d81f695e4047831c0f00518f8daf84950be4c41ec735667aba4dee4f73599619bc00e785b71e52085ea849

memory/2840-492-0x000000002E000000-0x000000002E1A0000-memory.dmp

memory/1364-180-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2900-117-0x0000000000AC0000-0x0000000000B20000-memory.dmp

memory/2404-110-0x0000000100000000-0x000000010018F000-memory.dmp

C:\Windows\ehome\ehrecvr.exe

MD5 0ad0671fb467eacf2a5d77ae43c80b99
SHA1 7f45080c1f85fa924b2fe348ca9b4836090a73d2
SHA256 424eb12058937502592b8a3c08fbcf8c01cbf26eb213144fdabd059d071ef150
SHA512 48631b460a3dc49544dff556d06988bb3968c81355829956988d78b186346680f912d35c00652f5b05e86811751ed7c4e14fb38d283957c48803d6c0d89caafb

memory/792-97-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1944-96-0x0000000000400000-0x000000000066F000-memory.dmp

memory/792-90-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

memory/2664-570-0x0000000001000000-0x0000000001181000-memory.dmp

memory/2856-575-0x0000000100000000-0x0000000100180000-memory.dmp

memory/1584-593-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2164-585-0x0000000100000000-0x00000001001FF000-memory.dmp

memory/1584-605-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2416-618-0x0000000000400000-0x0000000000593000-memory.dmp

memory/1144-617-0x0000000100000000-0x0000000100202000-memory.dmp

memory/1352-616-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2408-622-0x0000000100000000-0x00000001001AF000-memory.dmp

memory/1428-633-0x0000000100000000-0x000000010020A000-memory.dmp

memory/1256-642-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2272-654-0x0000000000400000-0x0000000000593000-memory.dmp

memory/348-646-0x0000000100000000-0x0000000100123000-memory.dmp

memory/1612-666-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2416-678-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2628-695-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2400-713-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2808-717-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2912-739-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2808-750-0x0000000000400000-0x0000000000593000-memory.dmp

memory/1604-769-0x0000000000400000-0x0000000000593000-memory.dmp

memory/1568-772-0x0000000000400000-0x0000000000593000-memory.dmp

memory/852-784-0x0000000000400000-0x0000000000593000-memory.dmp

memory/1604-758-0x0000000003D50000-0x0000000003E0A000-memory.dmp

memory/1840-727-0x0000000000400000-0x0000000000593000-memory.dmp

memory/884-691-0x0000000000400000-0x0000000000593000-memory.dmp

memory/884-670-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2416-660-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2416-630-0x0000000000400000-0x0000000000593000-memory.dmp

memory/3012-595-0x0000000100000000-0x0000000100219000-memory.dmp

memory/2932-583-0x0000000100000000-0x0000000100181000-memory.dmp

memory/1684-885-0x0000000140000000-0x000000014019D000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

MD5 30911a9112f66fe0b068cb069ef37bfa
SHA1 31695a04c610e8acc12acb78c13ef92f196b2b17
SHA256 e504a536ded11cac47fd514b42d59c79e33026dffbf5a434c9d50ee789201cc8
SHA512 db12bd9d2f63f835f096aa94ec923a0bc9b8c897aa1a6049be33bb1a27d31ed02483af1e185702e54faa4ba8d8ad681cd5cd43640477d425cd59847279f4462e

memory/1160-919-0x0000000140000000-0x0000000140199000-memory.dmp

memory/2900-929-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2088-938-0x0000000000E40000-0x0000000000E4A000-memory.dmp

memory/2088-939-0x0000000000E40000-0x0000000000E5E000-memory.dmp

memory/2088-940-0x0000000000E40000-0x0000000000E5A000-memory.dmp

memory/2088-941-0x0000000002100000-0x000000000218C000-memory.dmp

memory/2088-942-0x0000000002100000-0x00000000021A4000-memory.dmp

memory/2088-943-0x0000000002380000-0x000000000251E000-memory.dmp

memory/2088-944-0x0000000002100000-0x00000000021EC000-memory.dmp

memory/2088-945-0x0000000000E40000-0x0000000000E50000-memory.dmp

memory/2088-946-0x0000000002100000-0x0000000002188000-memory.dmp

memory/2088-947-0x0000000002100000-0x0000000002124000-memory.dmp

memory/2088-948-0x0000000000E40000-0x0000000000E48000-memory.dmp

memory/2088-949-0x0000000002100000-0x000000000212A000-memory.dmp

memory/2088-950-0x0000000002100000-0x0000000002166000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

MD5 8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1 b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256 a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

MD5 4f40997b51420653706cb0958086cd2d
SHA1 0069b956d17ce7d782a0e054995317f2f621b502
SHA256 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512 e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

MD5 46d54516be9ddcb60114c5f4b4399f38
SHA1 0430dadbe0822a652dd5b1e643484a4832cd579f
SHA256 0bdc4875f455107e2a0adbea265a89d8a842f21649b9e53f17b5d87f8c1561b1
SHA512 85e33f8636fa634f5f5189b1f33c2515d857c5429869469eb3069c9efb47ec2e5a7ada4b2e013e5e9b95dac8c798627031e37d89dae208598dc2122dac403e30

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

MD5 71d4273e5b77cf01239a5d4f29e064fc
SHA1 e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256 f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

MD5 3c269caf88ccaf71660d8dc6c56f4873
SHA1 f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256 de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512 bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

MD5 ac901cf97363425059a50d1398e3454b
SHA1 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256 f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

MD5 e3a7a2b65afd8ab8b154fdc7897595c3
SHA1 b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256 e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

MD5 2735d2ab103beb0f7c1fbd6971838274
SHA1 6063646bc072546798bf8bf347425834f2bfad71
SHA256 f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512 fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 9c60454398ce4bce7a52cbda4a45d364
SHA1 da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256 edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 c26b034a8d6ab845b41ed6e8a8d6001d
SHA1 3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 aefc3f3c8e7499bad4d05284e8abd16c
SHA1 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

MD5 0fd0f978e977a4122b64ae8f8541de54
SHA1 153d3390416fdeba1b150816cbbf968e355dc64f
SHA256 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512 ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 6eaaa1f987d6e1d81badf8665c55a341
SHA1 e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA256 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512 dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5678a9da48a3c9560e158f32c0f59ef7\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 8ee405fa425be91bd883cbe09b1d99c7
SHA1 25a19c9d0df3502697e9ba9e64e7b487e7aca692
SHA256 9fb4a2b257e8e2697be356c9782a756fbbbc5b11ec316eb0e89ac033b262df7f
SHA512 88a8b09b18141f7cb26e7df07a60223d6d471a16508be282be7c9110b4c6e277fe2a27bd6f1f51fc7a7c3072170a54dd701dc8983f690a744ea239f61e12e8dc

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 1eff63517430e183b5389ba579ed93e2
SHA1 5891927b05adc6db5464fb02469c113a975ebbf0
SHA256 b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856
SHA512 2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f9467e7642826683a84685b87b2a4b1e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 dccf93247340508c5263d4d26d0c4cb5
SHA1 f7bb0e3aea74b606c01e71ba10b7925f1564d0f3
SHA256 e9e8a4889eb890c6cbf4a908be965beebe225953206f4fb063fac0bd9fd1f622
SHA512 200924c81f4f7c713ef02ce512ba8f76694ac14456d3ea6dbca54dca6daa0594e24b854e62de18542fca786037716037dbb0aa3a5e7fd4bc24d8907936d5e8eb

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b510dd34cb93d4e5bca3f84ec77c4a9c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 e8073811e62004ba9296e9e7e97d7f52
SHA1 6b32fd38b4575b8f69d58ba65bc72b26b04de841
SHA256 3c6e8ccaec77a5fb9d063c4abe321385d98cce99be043d5e4c16d62cc7bae3f0
SHA512 1b8916dc9fb9beef376e1f06bc457add2c9c00dd88a52c5eaffb31c7446348787ce587a3ea05824b4382425ef3881e67bc2c81503ca7843b22d924be164f9aa2

C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

MD5 7812b0a90d92b4812d4063b89a970c58
SHA1 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

MD5 3e72bdd0663c5b2bcd530f74139c83e3
SHA1 66069bcac0207512b9e07320f4fa5934650677d2
SHA256 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512 b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

MD5 aeb0b6e6c5d32d1ada231285ff2ae881
SHA1 1f04a1c059503896336406aed1dc93340e90b742
SHA256 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512 e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

MD5 006498313e139299a5383f0892c954b9
SHA1 7b3aa10930da9f29272154e2674b86876957ce3a
SHA256 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA512 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

MD5 e88828b5a35063aa16c68ffb8322215d
SHA1 8225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA256 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512 e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

MD5 c76656b09bb7df6bd2ac1a6177a0027c
SHA1 0c296994a249e8649b19be84dce27c9ddafef3e0
SHA256 a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA512 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

MD5 0637ad2bf6fc5ac1d29e547155bc818c
SHA1 a502879466b6dd37eae5881bbb18353f97623852
SHA256 868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f
SHA512 1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

MD5 da9f9a01a99bd98104b19a95eeef256c
SHA1 272071d5bbc0c234bc2f63dfcd5a90f83079bbab
SHA256 b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d
SHA512 dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

MD5 87111e9d98dc79165dfc98a1fb93100b
SHA1 4f5182e5ce810f6ba3bdb3418ad33c916b6013c8
SHA256 971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42
SHA512 abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

MD5 d74d434aa70ce827715b5e0ac7eda5be
SHA1 b53f3374be4c96af51c78fd873de1360f17c200f
SHA256 54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496
SHA512 631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

MD5 7ebbba07bc6d54efd912bcd78b560b7b
SHA1 a6aee1a80ddcdf201301ac29293c62d58bcc941d
SHA256 637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a
SHA512 2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

MD5 eb09a7062a66a50fe2cb16c4a80561a7
SHA1 33b4c71ced7644be9802374a4f04c866394daaca
SHA256 e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256
SHA512 c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

MD5 7687295a6e19cc656b077e6a61629d4e
SHA1 fa1025de5cffb56a3d1f8cae9d09b7171b33326e
SHA256 ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86
SHA512 19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

MD5 58cacef7cbc000bb5ddeedc08a598f36
SHA1 f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7
SHA256 124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270
SHA512 9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

MD5 a763a9348ab4ee3bd593bb17d854e51b
SHA1 4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9
SHA256 b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b
SHA512 e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

MD5 e9ca062e4958cc25400c804029a5bf62
SHA1 1ed4374d0d0f568936fdebe17d9110481d6b3344
SHA256 a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0
SHA512 43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

MD5 7bdf8e0c9aa04b71a52dd964005f4363
SHA1 a87e809146d3c70093a189c37f0a96b8bd0ce525
SHA256 0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b
SHA512 4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051

memory/2196-3616-0x0000000001AC0000-0x0000000001AEC000-memory.dmp

memory/956-3626-0x0000000003CE0000-0x0000000003CE8000-memory.dmp

memory/1972-3636-0x0000000003D10000-0x0000000003D50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 18:59

Reported

2025-01-19 19:01

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\52ede60fdb05c3ba.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79171\java.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79171\javaws.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\perfhost.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bde66342a46adb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8872342a46adb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a712f42a46adb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7242142a46adb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be554f41a46adb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006f6b442a46adb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008abf5c42a46adb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe

"C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 54.244.188.177:80 cvgrf.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 ww12.przvgke.biz udp
US 76.223.26.96:80 ww12.przvgke.biz tcp
US 8.8.8.8:53 ww7.przvgke.biz udp
US 199.59.243.228:80 ww7.przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 76.223.26.96:80 ww12.przvgke.biz tcp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 96.26.223.76.in-addr.arpa udp
US 8.8.8.8:53 228.243.59.199.in-addr.arpa udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp

Files

memory/4044-0-0x0000000000400000-0x000000000066F000-memory.dmp

memory/4044-1-0x00000000024E0000-0x0000000002546000-memory.dmp

memory/4044-8-0x00000000024E0000-0x0000000002546000-memory.dmp

C:\Windows\System32\alg.exe

MD5 dcb863977381acdeb3bbc52901d80fe8
SHA1 2a9baa18a010cf6cfc41fa8879407b4d7f02f84e
SHA256 9c8eb571b9bb8df9f2b3ca2107e01c1a100c5baa5f0a79beb55022e59702e9a8
SHA512 577335ca2b8429384bc579e428dea2344f6a7359650743ca687f615dc6da0c5586d907dff4cd46120d406cc716ff9f52685e46f6548429f466c9074a1e61c7a5

memory/3248-12-0x0000000000600000-0x0000000000660000-memory.dmp

memory/3248-21-0x0000000000600000-0x0000000000660000-memory.dmp

memory/3248-20-0x0000000140000000-0x0000000140195000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 999af43d2a139ee9b9de30039f983c45
SHA1 8f817f18845343f28b62f4a0ed43931f31670275
SHA256 fa12aa657241430cb39f768db83e8214e15ae6a9b52411454ab7eeaf55e75920
SHA512 14b25b5df51fda6416121a265f78bfff56f52bde7c87d6245d43a1b37559916927983e196044f883c7a18fa3860b853753f4edc2b6fa77d6bf7f00cdb7e3d79c

memory/4828-26-0x00000000004C0000-0x0000000000520000-memory.dmp

memory/4828-35-0x00000000004C0000-0x0000000000520000-memory.dmp

memory/4828-34-0x0000000140000000-0x0000000140194000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 d75e2934b2cfd2e426f0ad37d8013ea4
SHA1 dc51464c7246edcbc7a9307a6e61812f5dc918a9
SHA256 b57c32ad7a670c9404de547df6c2511f8f24cbd76980ab17c90341bf700782aa
SHA512 e4dfd2df4866ca85203a16091829fc9d5521c302673e42455c486dd65063b66b5a88fbe35a2537f267645d8d05bb653f715c6e3befa07287090394e0a1c64b66

memory/1172-38-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1172-39-0x0000000000900000-0x0000000000960000-memory.dmp

memory/1172-47-0x0000000000900000-0x0000000000960000-memory.dmp

memory/3888-56-0x0000000140000000-0x0000000140234000-memory.dmp

memory/3888-57-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/1044-67-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 1dab777e28eff11754a9dc1671761b92
SHA1 4661f3fe283c220d1833c4b001471ce6cdf26ea6
SHA256 c262f6a84d2611a4c35a571f6cfca4ade25db9536877e17aa2480703706dcf35
SHA512 65a24521404b7465d8968036e0bb8ca3237b03621a11455fca09484229f9bcdbca39f8645d16a1159d619e2d5eda7c309fc97b02501de2fd71b500166d0456d9

memory/1172-88-0x0000000000900000-0x0000000000960000-memory.dmp

memory/696-90-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/3248-102-0x0000000140000000-0x0000000140195000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 634c5d3acb28628aee40dfeafa3db152
SHA1 a8291653179d44ccfd5fc4a5718ba60a5a933332
SHA256 5de07bb61c9f11da4872b47c3a4474154076662f2dabec2f077cb6bf419c639c
SHA512 8a9999663d77ecb31ff49613e474b354c6654515d933ce04f9e3e311ac4806e7f74d0c2ae85e4260285e9bdecf1d93ba60030c26203b90daacef852f04405670

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 754d359dd16c6a1a144bb07006182586
SHA1 f2467e0f70aa97524a5d6dd7aad440ad8109e78e
SHA256 a071ce70afd7f9e7137ebd98e94e5d3e81404ab2e890e46ff415dc1714d6c2d2
SHA512 b52d20e13ee0e02261a16d6cc40412d6c84c38ad6899c06ec0f56caa137e5106f6d4ae3043e74ad61e243cb4adc02518dd805523b21ef22b29b117741f3da3ff

memory/616-115-0x0000000140000000-0x0000000140196000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 17af2c79fce6d4387097ac892534ec2b
SHA1 2b6e2b790edaa4b7d76ab82566ca094702475252
SHA256 3d1d3623f2db602597028e3bb691959b0992d168519c809eb65a6371787f4436
SHA512 8633409b8b062dcebb134c47b189078d0d960633c04dce73fcf22023d21c3f0072402d935e3657c377aee829ebec7d68b8d05b06ff62ddab13819ec21d70d0c7

memory/4868-134-0x0000000000400000-0x0000000000582000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 39152b90efa8bf0b5298d9b35d744133
SHA1 0c1266c287da100f68406de27a2183d94c6a7374
SHA256 87fd8e523e46bb560f2dab4be7f9ae643282b96d0913ede7c1573776b34b9fe4
SHA512 21e558d1f0d0d97411396c5987c3ebbd1de088319dc6ea98d941a924e466ac2d8b46cac7b4d8e3b8ddb2baf8b3974044288954797075613e984e00ada1f59fa4

memory/2460-148-0x0000000140000000-0x0000000140180000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 8d79119a90c93373ee1fb43eb9315808
SHA1 dbf5195db30adee5e36424aeef34aa9286edf0ab
SHA256 ba73755efd68d5b462dccce96c63522a853a27423cd7867e732baf07f2f3db68
SHA512 40fc487b482b51116c022d9d902eb23075c8b60e5a1b508362640f9b7daf1ab8341a279b8191e409e0bd89721e08c60e445ec5b87e0175c08c9dddffcd54750b

memory/3652-159-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 0414d4552f150aadd81d02c2f45aede2
SHA1 ff89fdc9ab79704c10c0b9461e70ed89152220e5
SHA256 cd37596af8afcc10e4da1608d62e903a3c5364c82610c209c29153b8d1cd81f8
SHA512 89525644b97759866d1639ba0daa61ab6cd61f2c9657c5271e249a8c07620545eb194f768574f7405f5467b52a56ba5675be11a940742e751b665f6f0d684472

memory/2076-171-0x0000000140000000-0x0000000140181000-memory.dmp

memory/3888-181-0x0000000140000000-0x0000000140234000-memory.dmp

memory/2840-207-0x0000000140000000-0x00000001401CD000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 843166006936aed642e4166dc7e81262
SHA1 020891913003eea0964de4d3c1fa2f148f4ce424
SHA256 88bc10ea53ed60e3f50588ad2ec39d80b543b51b78c7377299fa61be268d82f6
SHA512 ca51bf89a6b557eca429aef9789aa1182b6ac7242de19d8123bc220a690fd5329281d3ed2c76c507ecc1adfc0f1681c9374073e30354f68d5853acdcf58ece0e

memory/2280-218-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 0fe8b0a32149e93458acf68c1ba4050f
SHA1 f3c476c1734019020f66b00fa6bac6d10eb1152c
SHA256 a57e620f08de7c2bd6c8aa2db364426a64c78c1bfa986c893a3620c6dd31724e
SHA512 f4f102cff96fc36a29c3c08671970f894bf78fe91a01fc7b81d3f9d366c9fbe73c6085d413b2e0fd0ee68e42631d3ee557b8cbf00f6c4106e10597090f7293b9

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 9a03f4ac45c16bb3c9bc0d3d0d67fcb7
SHA1 339ab3aff3a1813903502f2462a3c4f62cf0416d
SHA256 4ba28118ffdb826a1bf5e1fc00bf6e190850b345d8e58c59fa9adea139a0eb4e
SHA512 5405ccac75abb01e703d5865f13eeb8734d3141d5b88c6a4bc6b57a65e60d537b567eaea593de5329763f94481f506ba7e1f0d239d86721b9c957447cffa442f

C:\Windows\System32\SearchIndexer.exe

MD5 c5e05c444be3a8d02014c6fe895aa427
SHA1 0a858a9d120c7237e444e3c1f60ee98248ed02b6
SHA256 9d0d9d0f83530205955beb90868af1b5d960c6ec97a5ab1c547761020b881327
SHA512 0fdb81e9b936ec69fe64badd5b6f4187cdb3fc292059b0a33faf32157a8ff05b19e6795568ab57b840f9de7211ad7588d5d1f7242e164e4e7d984e659c6387ce

memory/4840-281-0x0000000140000000-0x0000000140179000-memory.dmp

memory/3652-280-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/936-269-0x0000000140000000-0x00000001401B1000-memory.dmp

memory/2460-268-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3032-257-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4868-256-0x0000000000400000-0x0000000000582000-memory.dmp

memory/2488-244-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/616-243-0x0000000140000000-0x0000000140196000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 92be49acaafaaed6c85a0097806996cd
SHA1 dfca760df7cb328b3de73796a90d3e79cdfb349c
SHA256 3fe67f0b607e5f6b14ade3df03e688c6033cc968683efc3b7f1a3e601c68b3cb
SHA512 cffaff172354ec79f241d187079489822c3160c569b8b12e81c6fd7f9dbf9a89cd10c0908cf1b7acf14da0cfd988547d67532a33ea7a3977fd38797f230309c5

memory/1820-233-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4608-232-0x0000000140000000-0x00000001401BA000-memory.dmp

C:\Windows\System32\vds.exe

MD5 3351721e57914e7f45233193efa15b25
SHA1 f33de8b98820df492bb8f57e6aea1278a2b18b54
SHA256 7e08d565d57d6d3f0a7b222381faddf33776f5a66f6d759f3e5f878014015108
SHA512 50edbc85a73e76b242886ce0add164edd77c8a06b4f5da73d4775f26118d8ae0cb7049bdccdfd3e01e52dd8d4020a5ea1751dfe48edcb71f1c3b841a70daa0a1

memory/2280-221-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 6a4bac4a30fbb5449b741b1cb7a319d5
SHA1 a0c26ca0cd7132cdbd5d11d6f41438bdb05b75a5
SHA256 38af8926dd1770ec85666c3627380afc8aaf3549d8d1b607a591928dd77bd753
SHA512 1920be79f90a7dd6e63afc2e6ce1499f990e99945531d770935b71465da28efcf8d81a6183ab41d73c1c623f38185f29a86a8157313a8fb37d85462d3e97a80d

memory/3884-196-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1044-195-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 fc1a0294bb2e1726f5817241d53462fe
SHA1 6223aa26014e9626bea3e4285236f835d24d202a
SHA256 0b009a6881496fe5c420470059e9aafb56bfc1790f4839da218b6ae4a1f8b374
SHA512 4d64644c1d5c71f04fe52ed543990bf2f470c301b7c8160c06c4b8f0989f35d9d6e2ecc9dbd7572fdb6782e04401ba390d8f320c67032926021983c9ece26c52

memory/4516-182-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 611c0fd6d2a4c6860aab47891506854b
SHA1 8c0266723bc323568fa04bcbd0ef8373c60e3645
SHA256 d13c6534bd2a7ebf309591bb875755fe69e73d5f2bcd72f3c6c8ee9bef11ea9a
SHA512 cc3a1be1833e81db45d658226e5804a6c692e8c7e7cd385170eebe4aa458f7edfd2a35297ad8c302545da05f2a4eb9c3e60baea1b3cdee58853d65408ed2a767

memory/2076-374-0x0000000140000000-0x0000000140181000-memory.dmp

memory/4608-112-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/696-101-0x0000000140000000-0x00000001401A4000-memory.dmp

memory/4044-100-0x0000000000400000-0x000000000066F000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 929bdc04058aec2f80a2c14b6b8c295b
SHA1 f036738575767ca48fbe16c2932abe2aa8b5bce7
SHA256 6c97d67692496bab2b04e2f7165b82cb0a38205ba83864ab19b8e39c0d02a244
SHA512 0f2dd1dd8494e1a11e0e145e63b574b351909bacd4472ed8a375ddaeeb2bcc3a49fe609269810a05c60d69a3e0bc29f6d16ceaffcd6b442ea14387415dd28d4e

memory/1172-87-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4252-84-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/4252-82-0x00000000015E0000-0x0000000001640000-memory.dmp

memory/4252-78-0x00000000015E0000-0x0000000001640000-memory.dmp

memory/4252-72-0x00000000015E0000-0x0000000001640000-memory.dmp

memory/1044-70-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1044-61-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 bfeae17c0924eb5386311f1936434721
SHA1 cab5fc3a6792abab777880d8b940e07d87c45df6
SHA256 7b9782349841e655c890ee9c1739be872ab4276d684312e215219379491ae6ce
SHA512 87a050005cc532b50369fd430167c3e060c3f84ed8a9665525e3454bcdd531ffa8dd174d103de324eafeaa6589a8f8805cd17b1f579e6846342793e63c79e0a4

memory/3888-50-0x0000000000CD0000-0x0000000000D30000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 4c5e2c568031c0556bce82e1501254f1
SHA1 d00351ea32d30ef4981014ee6680dffd5e5b1fb6
SHA256 eda8c3206936ddb3f1eec14e730e4ec94be7a72449ffcdb1092cbba3fc7503a7
SHA512 281d970673caa92ab9f9dc024cbc065e2ecfd6b7aebffff4616f78f9b88e5c583a8aad6847b4baf99a742346c0db668a96c75ceab78163ca033ceb13df6809d5

memory/4516-438-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3884-455-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2840-474-0x0000000140000000-0x00000001401CD000-memory.dmp

memory/1820-479-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2488-496-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3652-499-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3032-500-0x0000000140000000-0x0000000140216000-memory.dmp

memory/936-503-0x0000000140000000-0x00000001401B1000-memory.dmp

memory/4840-507-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 1d3a0bd27d138fbb2fc068f5e6aabff4
SHA1 e6d9d94280dd794b44c9020aad41576b28fb083b
SHA256 058f59dee85fb07f71ab4854f0dc07d4cbdfc0e7c0bc14640d981908aae65762
SHA512 edee02fae186e0d9a502a9f85bedc59040ec57e0c6971865c8caa7b615e542fd9659f544f3e2ba4222a8f7b8c64dce44f7782bbd479560696c93ffd0607b6bc5

C:\Windows\system32\msiexec.exe

MD5 00ff7f569fd635677f154fd42512dd1b
SHA1 fcdc1ba06beb7b26fa29d1664ccd72a4f73bc407
SHA256 4293ef272b12c72c796deb09c6a8d549fc89872259add4fee7a67527694fb703
SHA512 71a8853a5d639947e363ea0227bd542defad91f6279e1c1ee2746d4df9e235c69f9bcc6d5d9718fcd910cc518438d20de7399446becbbfae269becea1e43e3e5

C:\Program Files\7-Zip\7zG.exe

MD5 6cd157a737b88011d5f6ef38226b2e84
SHA1 5d8a807c5581ccb3c1151ebc086ccd8818065047
SHA256 67612424751e2eea7118d02cecf8a15c893a81c7689c4b69b65e6f24eaa0ea73
SHA512 5a41d30a7f0c68922741d09e81ea4a67ec43e5b5f0c7bef74110d6689ec8736623dedcb1d1e5fd262b8b66c0c0199c2d3a13e8835a028a42f7e7811878629c73

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 2539b7ccd885f7134ad0d0abef30cc13
SHA1 92591aa2a6dc49605a2fad5f50aa20fac8d0c63f
SHA256 c7ec78413e3189f88749916f70c050573d6b2110c487cd76d6217bbba1472626
SHA512 f9630498050f3b006bb5ac9dc2c7f9417af8752a74ea2c5f0370731388dd07b6e54eb592397ef1c3504a93a8d5fa178b8c5940a735bb478a80d980fe3d2348a0

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 cb4003ce1f232ba1d14d1c712856e9a8
SHA1 40baa69c6b9aaa297594026465929f0e100c9f1e
SHA256 4ed63a12ad4487ed39d2d2ed6e34e02d98b4985df6aa7e0c54b26c80d8871677
SHA512 7b888c979cfb7ff968f79a1fbe20012f6b0d3aa47a67eabeed884107a6b21dcdf9e144101e58e86e3c601ba7cf0a2e8fadf38462072a9d37803862bedb17f336

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 768f62c3e52d4a214aacd32c2096a061
SHA1 15e986126931647ee9bac47b48932355a2a8d0ac
SHA256 6157fed161ead2798883fab519a219f5c763e150196778e353a34ffded238f70
SHA512 394aa1aa33267a325f082358dff882c3f761b5104b0c4d0a9f4e598327301bfd5796cf3b2e1b4440a0e1323b7986d05610903f87c42ee2fa7365537d0d1983ca

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 f3147a46fb1268a000fd4f0c573efc9c
SHA1 8686ad457d6995b22c31a8f3205ba1a21bc5a93f
SHA256 a47a60f59e274dfddab76f19c1e578054e1349ccf2eba2fc568421eae8ebf732
SHA512 e168d22186065749bf0782524cee92bcc8e927e4b9a86dabb1cd4cd1bcf3fd677b548be39291f9ee3eaba6288cfcbab375ee8471dbd5466e12e6675696fe58c8

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 806183b70057778b3de6210b95f643e7
SHA1 703f0118831e8c1c9858ff5467c23bfbf3c25115
SHA256 40dfc99d60ad33332bb9768230318671f7b85e84c9e79f31ae76374c2bdcc20f
SHA512 6c5f5ed099f58c7ea15caa9428559d91bc19687be69df870116aae12b240b21b35518c4b645022d20c862432a65687bb67635be91e58eac84a21f9ca22aa63f4

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 ccd86e10239ca5feb9d9b42960302223
SHA1 cfe18d1b252c737b05c5c21922f7d8963e9cc14a
SHA256 016d66f017c4d5af1b2c26d39e02cafad0d0f5b5ebe36c6164f5740157fd1822
SHA512 69485d52a90e018f3d49294f29fea0ed1f6fa6caab0cde242a3b5c2a4aab17739aebd4393e114b0df5bdf3f184f23a9459690c339980e6aa90d39d681b4dff53

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 f89aa08be879bfd2f1d56201bf6d4a4f
SHA1 e613740bb1ab36c44d1ba33486e96ff14a041d14
SHA256 bfae447441425db3246aa7742eed261fde605a884caabcc3c0074f268cd4c092
SHA512 1d316484b2b919651b49186a889c60d9b475f2dd97e82196941a6dfee3243744eef6c41b5d54fcf1cdbb8c8c785ff808dcad04684e15b3889dd8736d2943a06f

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 a6f56b0237b113948e6b71a7bf356e90
SHA1 9edb97f9c33a47874b2266c0f492b20848b95a6a
SHA256 54c7181d6c8e0a43709b3a14f28a7ec2073844593f339862d6fe2a2dbbad7f90
SHA512 5f4d5d40a844f64aac88f74c789112a5c323babb8eb63951bb2c9c846207c29624b5c0941dc7d52a0b4685e5b77a68ab0a732562bdf9b989e09f996f11940d4d

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 7b16cfff348c24eb66d573bf82e9fd83
SHA1 fb13e6aa10e0ff54996bf1f101157459a380a2dc
SHA256 6077f0d69df1473b2377394096fbf02929a21565c725bcd52ad20cf2f8f7ec00
SHA512 bae38556e2b0f38092eadb5850bc9c50faef121d9033d32f838b29304643651f4ddea51e7e3025a57a9805b955f985eb2931d679d022b56f3eaadd0e26abc894

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 e08023dcd63e40680c9952ba9002400d
SHA1 ca1b8c36cc52bb91de8d51534241aadf75d122a4
SHA256 b3ec1876ffde16f48f2b324afc4d56f6c6b18d9d7b19f47c78426f70fd5d871a
SHA512 d226ce3aa8763b0471586efe2fc8c1037c9f417ce7d1301b27f3dd52666aac485d6af16270fe2006406ae4299eff62c50a1d6a6aab3ee890ab1f025dd07cb87a

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 7172ab195f44616f6849ad53e5354e3d
SHA1 c67d6e0646ddfd8eeefede9ba6b0f9fc637b6236
SHA256 3ea30f7e84d411d5af6b7784837cf1bc3972400172d0fef36adb73580816b6d2
SHA512 315722b2d9f798992b1a6f31aa0188a3d6807dd9e9101d273b8d6f5b238848a410f4995ccbe8f56892e6aa3e29d395c835b44df3fd01809047eb6fc17b105754

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 e1b7da972f5a15bf85bf9a35ec5df40b
SHA1 da13165e604593e73b101678efe8c3c037254715
SHA256 1c4ad00dafed5aac8d37cfdd3857df8b15569627f97d7bbefbb9f9f411c97701
SHA512 8323e7b58867e19a0c2084860dda1113400198f7e36351560e3b3f817a5116d7f024e035fbaf7d9075b297bcfb6a0f8e47dfb555ee28450627eae9848dcc851f

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 64d40fb441910b2c949626f3a5f80e08
SHA1 a3d905bdcf5ce305167366a98e7106e95b98cbe3
SHA256 ce86d1320f2ff06ed77793f7f8a0e3b8704d0699852d41730fcad1ca26a39c3e
SHA512 87dd5d1bfa8c83ad60056ed938ff4f859920fa1643158f23c13a529996d8521a17b353398515360be65d792a790e78d8734b66850993003e4e6ac77145ef8275

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 1e8e100eb5901f37914387ffe9c1f3a2
SHA1 1b4b414daee8f6087c665c48bd4ab34ca853919a
SHA256 26872e942ea8a8125c2ab65eaf7cf1be114659b66300be6141dccf9bd60c7c75
SHA512 d7ef27cd8dddd025dca2c9e8cae6e7ede9618b453a097eda5be29fa0302ccb7275e7d0cc6502abce0853878bf87a3bf023ee742e2e6438becd532f2bedc2495b

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 291e7356ae2a20a77f739b7a7d141ffc
SHA1 26845c44ef41b4bf8cac34c0b9469f02b4b962f5
SHA256 ceb179b35e6a2f84743761b6bb39b052e1a35ea8d387aafaeac3a8d22fb2efe6
SHA512 ff70818877e2602af76aaf47367e26c7c41123f9b53c6078c4cd8a262d11c1ef8b8afbd48a5352e10b0e698374cf905751d0e54577c8cf5c91b5bc05f0b65a38

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 703728a59c5bb430dd96063357253211
SHA1 d714a23663dcab8e23424b90d6da34d921bcefcc
SHA256 579b9499a885651b9d840c90cc476608cb18e050bf3984f29cf0c6fd15aa9969
SHA512 2e7c9d87feda0a100576e96bbb5f6681963d5eb28ae956dee1500b75a38adee0c9d0fef54695c1111744d68e9a302829d3326470a24dc448d584115b3520abda

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 45ff433ded65aab5e7b6bc4cab062006
SHA1 cf2df5a93b85f1d0ad6e1d4b9d3517082e8795a8
SHA256 c22846121b93692d0575dcca1c25f98a09c8c5645afe3353fe1ba0aecad3aae9
SHA512 fa3ca18d4420c7dd03285d740bcc4b614e700a805f2eaa5a8f87c52c8cad3d0faad351a037c45d68c5a9bb5cf8e4c6fd95baf9d3ae557d43104b346d84968fe7

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 1caa591bb5a82456040c4ebee7a83949
SHA1 b7c6b98a12e78df1e3ff16db438d804d743c6fc7
SHA256 dceb006438936de1e585faf239fe21abd5c1a3cbe8c4e60d9f458d164710de8c
SHA512 b6de21828c6c7b6b935c7eb8635b3e37976d26dc69e256b08afd87bc507170dc6d2700f3c3fe58da0fc827f4bd3f15fb38ac4258c04e69543af40bd2141636fb

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 facf71a67bc87bdd94a6a9f1b726dbba
SHA1 2efab307f7be52702da5f5249e59214cc37d67a8
SHA256 4c53e749f3e863e900df93550fbccee9af331dbec6ab3584ce84bedaa2e83b9f
SHA512 d76254941898f3900a41322a7c4ba8c261cda27b63253ec5d46d0127cfd46a1dbfe1cabeeb8727c716ec5b020d8aefd748d4c2867d2f3fdd3cfe7dc8948b3466

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

MD5 4ce20e1a5031aa5166808fdbabb36c12
SHA1 f947b14370454ef780db25881c0b4ef5facd4cf9
SHA256 ecea4e7636f92b91448f1149cf2308d4e6b24fddd25df434ef73d88617fa5b25
SHA512 c201b6405cf11a4aa32da2bde3632f5c0cf93a5370f153d971222814267b28fb917fe6cdfa1975f96395094babd3d65928389edfd7829b059d9bbe92a1f798b3

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

MD5 4b555feecea0b191f2a0d25961b7838a
SHA1 30edcd8052839da0e54ab212bc5957ff22790091
SHA256 269dbc6908b59c52c521fb3e71f7733712cee69a0e42fa948c209879503b1704
SHA512 6e7303cf79190cfaefcdd74f86e16dbf86c289fff88d6aab2d00ca69168c133b853a5cfad63e71bf23acf250c448b8ea407077de2b52f23ae22fa0d371d18011

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

MD5 de6bb1beebc63f49d23fbe24393931f8
SHA1 c75672b958f9f4725d2abf0a8899a43ee1a29eab
SHA256 90cd9674426769285fe8968d442bffb64266cf8895c99abd8912d58e794a5b2d
SHA512 312a8f26affb4b80f4e167bc505b350549e75e853aa4c3ead47c0deaf31970d1cc35fdbb10c0393a6ea0eed4ddebc2a7230b9140d9b5a5e602661ef532418b7b

C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

MD5 2587aae9fddced2a69d2744bc6849f48
SHA1 fbc3b999b605ec5f46dcc44911d476e2cc4f7ea2
SHA256 d3d4055a22be02c08c005506cad638b0c180a63c2dd5636121477d815fd6bc8f
SHA512 0c5f6fa8eef5996f213813e86ee691169be8fc6ff5a5f9f2b7aa6b38a4e3b738f266717f3f7e582c1889699433a3e20f36bc7af760fb821d1dfc6270584fe129

C:\Program Files\dotnet\dotnet.exe

MD5 e9b75aa63516054aecff00634ad9f754
SHA1 7a88ce2aa379263b4425ac4d6b723c9caa48dc93
SHA256 5fcda74ef25648aabac9d43b08f6f295e825fef6361832d828845d5614c06f10
SHA512 e77290c8467a93210ad3856b8e851aaee382e9ab902aa27f2ebe5c3768fc5e345cea0efe80f77b2d2cd1fcca3a391ed4222239fa133dcd8efebdba96ef72f3bf

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 f55339316304d0598e6b46ff2eab2334
SHA1 8ceb9629563ae1a41db013ee36b0771d20395757
SHA256 3a414434f8da5682386ff49e77a90e9c99ff66d5dc8eabfc7691ecdf8c41eedd
SHA512 42a9c0dee7f2f92ba6465c39bc79abfcefca5339c712ae2ae89a314626beabeb06f6a378b917ceb43fb2d7574957c140fc859336eb6f609778c49a35c5c1a98f

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 2c233fd00d056f74925efeb0ed372649
SHA1 637b0be0ae380f639bc0011d426c106dd9939d5e
SHA256 3abcc81a0bf5bd1e6cf8e41859e858b9661e1b3e327489900cb22d61590e1afc
SHA512 0e1d8c85dc376797c520321990ee1b44088a666fa2f88405d2070df23a356c17c92ee850cd1038b99d738e6e149e676e952ea76d59f90ca095c40f2d59a15f91

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 d1fd794ebe37096f03242ba2e833128b
SHA1 726192fd642fd877d20b5b65c5f7cece716a5ed0
SHA256 0181d6267ec5259f17a6aad1b0604140208153fcf0044cdebf88a97888b8383f
SHA512 ed5f892448f0a55648eab1f740771b2621a70ac7db450f068214d790a22eda555d27dd7437128a4d4d4b59d0f2149167967941a665fef8c795f86041fbc0d2a7

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 2202e0028ed53fe1230246a66a92746c
SHA1 9a0fbf5b30645ebe319c0e3657671b0b0a914a81
SHA256 e4736e38ec6dc426e2c4a99301585c08665963d5e43f12a7abd6a341c596a7c8
SHA512 103fb065e6d35f43b3377f64669e984e10bded87c14f0b2915fecae79ec592a55ca86620f4993cf3ae81befe0cb8597e19f5c5ac7dc32c386c4f8b3060b06cac

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 06f8597c813d0f9a0f82f26c68d17389
SHA1 c4b34267909d540b39bfb5f0d6e5233f0917499e
SHA256 3e1b49b85da3d0cf3916e63d5036c54a8fccef6beba639cbb261a463fc46046c
SHA512 5c73a9cb5bc8be803df09b1684b37268411292c145c9a6d4388c1733631e52e14f8d9927ce9db20216f8b496ba405be3fe7ac50e01678581f25a69791453e3ed

C:\Program Files\7-Zip\Uninstall.exe

MD5 e4fa9e01fde988e6600813a20b01e268
SHA1 258da52fe741a2e1a0957eebfcc2e2e1bafc1abf
SHA256 eac4eb46306c59805f47b624c8a2c6c1635db8f412de2acca3f08560b35ca0c0
SHA512 0949a09b3024fcaf2146755a6ff13b559c62560a8f94b2f05680dfd87094ef85dd978e7009d4639b269dcd9a248f52778f82bbec39f71f245d131cc8f45a64cd

C:\Program Files\7-Zip\7zFM.exe

MD5 9faa192ce8bcc75d55de3d97ff1d56df
SHA1 e42058651b1a7b2cabd4dbeebd19ed4064fa35b2
SHA256 7d9c4fee6f56ca220a8e087340df75f9c1363af4de6dd84406489b371ded0203
SHA512 7f9aa9ec54293307c026130713c5582f17c9ade8eaa4aabc133e9c4a06c9e1d14b0601f7ba6a4fd15b5c717760e797df875ea3cbbf82ed043c1f36874c4f4c6a

C:\Program Files\7-Zip\7z.exe

MD5 beed6e9d7960cc937ec73e40d68ded93
SHA1 b4b9c72369431d9f337a7e322d8e1bbbbd7bf923
SHA256 28dae466f915a94a2e060a1c9346917b95986709656423ab7dad6b453b82ef3c
SHA512 f6a2ecec27d21b57d5e909a79a60396c2cb92e3794bef15b15b3e0396ce15a130a2f23981059fdd1af4a1c3b60f0526e27dd781e758e6bce8744678d1e99ba34

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 059e7e4235c0a2d5d04af4eb3b007b16
SHA1 f0e64fc4f85590462afcf9b66dadb28615fa9c9c
SHA256 4bc463b478d167efaf7e039efe06463506a96f114592dde9f61f4fc4cf6c3f7b
SHA512 d7286fa24b794a044ed795e1f9485e0582a42a492adfd09de6781eb1c63ab21f3f0c51d4df574bd8573bc58ad0abee0fe3a49985fccb6dd6871d5be35d991124

C:\Windows\system32\SgrmBroker.exe

MD5 9260e7a1589298daaff7da4a838cb661
SHA1 32e3aaf2ec98748a928ef95efcad11d8dd9351c9
SHA256 f60f05b933c7966405f7bd06fbfbee23ed9eaa4bb2923ddcc090f8468ead59f0
SHA512 e7f7d10c16ac70082137c8da93ee620c41dd4ebe9b07fb90607b133685b68802be4a4ca2a93736158dd85881763436b81d034c3c5510ab5eb9f5f8446b758861