Analysis Overview
SHA256
8fe2e0a081f2af8ecaabc8ddc4a8988a093ab00d70e279eaa641a2e993fd39c0
Threat Level: Shows suspicious behavior
The file 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Uses Volume Shadow Copy service COM API
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-20 12:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-20 12:05
Reported
2025-01-20 12:07
Platform
win7-20240708-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\e30e95c7a4d605c0.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index151.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE4C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A8A.tmp\Microsoft.Office.Tools.Common.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4921.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5033.tmp\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30D0.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14f.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4338.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index154.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP54E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 238 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 1d4 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d0 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 238 -NGENProcess 26c -Pipe 1d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 26c -NGENProcess 248 -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 238 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 258 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 238 -Pipe 288 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 238 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 258 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 248 -NGENProcess 1d4 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 298 -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 25c -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 238 -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 25c -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 228 -NGENProcess 268 -Pipe 22c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1d0 -NGENProcess 29c -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 260 -NGENProcess 27c -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 1f4 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 1f4 -Pipe 1d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f4 -NGENProcess 27c -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 27c -NGENProcess 29c -Pipe 218 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1c0 -NGENProcess 240 -Pipe 228 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 240 -NGENProcess 1f4 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 1f4 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2ac -NGENProcess 260 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 28c -NGENProcess 214 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 214 -NGENProcess 2b0 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 248 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 28c -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 2b0 -Pipe 2ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2b0 -NGENProcess 248 -Pipe 238 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 1c0 -NGENProcess 2c0 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 2c0 -NGENProcess 28c -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 1f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 1c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 260 -NGENProcess 2b0 -Pipe 2bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2b0 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 214 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2cc -NGENProcess 260 -Pipe 2d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 260 -Pipe 2b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 260 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2dc -NGENProcess 308 -Pipe 2fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d4 -NGENProcess 2f8 -Pipe 2b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 304 -NGENProcess 28c -Pipe 308 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 28c -NGENProcess 2d4 -Pipe 318 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ec -NGENProcess 314 -Pipe 2dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 31c -NGENProcess 2f8 -Pipe 2e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2d4 -Pipe 30c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 314 -Pipe 2f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2d4 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 314 -Pipe 2ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f8 -Pipe 31c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2d4 -Pipe 320 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f8 -Pipe 328 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 338 -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 330 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 340 -Pipe 310 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 348 -Pipe 334 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f8 -Pipe 2d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 340 -Pipe 358 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 35c -NGENProcess 354 -Pipe 314 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 348 -NGENProcess 34c -Pipe 32c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 338 -NGENProcess 354 -Pipe 2f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 368 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 354 -Pipe 340 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 374 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 35c -NGENProcess 354 -Pipe 348 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 354 -NGENProcess 35c -Pipe 37c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 380 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 35c -Pipe 338 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 35c -NGENProcess 354 -Pipe 390 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 36c -NGENProcess 38c -Pipe 374 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 394 -NGENProcess 384 -Pipe 34c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 38c -NGENProcess 394 -Pipe 384 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a4 -NGENProcess 354 -Pipe 35c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 354 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 38c -NGENProcess 394 -Pipe 3b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 394 -NGENProcess 3a4 -Pipe 3ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 388 -NGENProcess 3b8 -Pipe 38c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 364 -NGENProcess 3a4 -Pipe 36c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b4 -NGENProcess 3c0 -Pipe 388 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3a8 -NGENProcess 3a4 -Pipe 354 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3c4 -NGENProcess 364 -Pipe 398 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3c0 -Pipe 39c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d0 -NGENProcess 3a4 -Pipe 3cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 394 -NGENProcess 3b8 -Pipe 364 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3d4 -NGENProcess 3a8 -Pipe 3bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3a4 -Pipe 3b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3b8 -Pipe 3c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3a8 -Pipe 3c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3a4 -Pipe 3d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3b8 -Pipe 394 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3a8 -Pipe 3d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3a4 -Pipe 3d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3b8 -Pipe 3dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e8 -NGENProcess 3a8 -Pipe 3fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3e0 -NGENProcess 3f8 -Pipe 3e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 404 -NGENProcess 3b8 -Pipe 3c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3a8 -Pipe 3ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3f8 -Pipe 3f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 408 -NGENProcess 3b8 -Pipe 3e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3f4 -NGENProcess 410 -Pipe 3e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 410 -NGENProcess 40c -Pipe 3f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 41c -NGENProcess 3b8 -Pipe 404 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 418 -Pipe 414 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 40c -Pipe 408 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 40c -NGENProcess 410 -Pipe 42c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3f4 -NGENProcess 428 -Pipe 40c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 428 -NGENProcess 424 -Pipe 420 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 434 -NGENProcess 410 -Pipe 3b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 410 -NGENProcess 3f4 -Pipe 430 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 41c -NGENProcess 3a8 -Pipe 3a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 434 -NGENProcess 444 -Pipe 410 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 418 -NGENProcess 3a8 -Pipe 428 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3a8 -NGENProcess 440 -Pipe 41c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 44c -NGENProcess 444 -Pipe 438 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 444 -NGENProcess 418 -Pipe 448 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 454 -NGENProcess 440 -Pipe 434 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 44c -NGENProcess 45c -Pipe 444 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 45c -NGENProcess 450 -Pipe 440 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 45c -Pipe 460 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 45c -NGENProcess 454 -Pipe 424 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 468 -NGENProcess 3f4 -Pipe 458 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 450 -Pipe 43c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 3a8 -NGENProcess 3f4 -Pipe 44c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 474 -NGENProcess 45c -Pipe 418 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 45c -NGENProcess 46c -Pipe 450 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 47c -NGENProcess 3f4 -Pipe 464 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 480 -NGENProcess 478 -Pipe 468 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 484 -NGENProcess 46c -Pipe 3a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 3f4 -Pipe 470 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 3f4 -NGENProcess 480 -Pipe 478 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 490 -NGENProcess 46c -Pipe 45c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 494 -NGENProcess 48c -Pipe 47c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 48c -NGENProcess 3f4 -Pipe 480 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 49c -NGENProcess 46c -Pipe 474 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 494 -NGENProcess 4a4 -Pipe 48c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 488 -NGENProcess 46c -Pipe 490 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4a0 -NGENProcess 4ac -Pipe 494 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 498 -NGENProcess 46c -Pipe 4b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 498 -NGENProcess 4a0 -Pipe 454 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 3f4 -NGENProcess 49c -Pipe 4b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 4a4 -NGENProcess 4a0 -Pipe 488 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4bc -NGENProcess 484 -Pipe 4ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4c0 -NGENProcess 49c -Pipe 4b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c4 -NGENProcess 4a0 -Pipe 46c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 484 -Pipe 498 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 49c -Pipe 3f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4d0 -NGENProcess 4a0 -Pipe 4a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4d4 -NGENProcess 484 -Pipe 4bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4d8 -NGENProcess 49c -Pipe 4c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 4a0 -Pipe 4c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4d4 -NGENProcess 4e4 -Pipe 4d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4c8 -NGENProcess 4a0 -Pipe 4cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4e8 -NGENProcess 4dc -Pipe 4a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 4e4 -Pipe 4d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 4a0 -Pipe 484 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 4dc -Pipe 4e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 4e4 -Pipe 4d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 4a0 -Pipe 4c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 4dc -Pipe 4e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 504 -NGENProcess 4e4 -Pipe 4ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 4a0 -Pipe 4f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 508 -NGENProcess 504 -Pipe 4dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 4f4 -NGENProcess 4a0 -Pipe 4f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 514 -NGENProcess 50c -Pipe 4fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 49c -NGENProcess 4a0 -Pipe 510 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 500 -NGENProcess 508 -Pipe 520 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 508 -NGENProcess 4f4 -Pipe 524 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 518 -NGENProcess 4e4 -Pipe 504 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 528 -NGENProcess 49c -Pipe 50c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 4f4 -Pipe 51c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 4e4 -Pipe 514 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 518 -NGENProcess 49c -Pipe 538 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 518 -NGENProcess 530 -Pipe 534 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 508 -NGENProcess 49c -Pipe 4a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 540 -NGENProcess 52c -Pipe 4f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 500 -NGENProcess 530 -Pipe 548 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 53c -NGENProcess 544 -Pipe 528 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 54c -NGENProcess 52c -Pipe 4e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 550 -NGENProcess 530 -Pipe 518 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 544 -Pipe 508 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 558 -NGENProcess 52c -Pipe 540 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 55c -NGENProcess 530 -Pipe 500 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 55c -InterruptEvent 560 -NGENProcess 544 -Pipe 53c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 52c -Pipe 54c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 564 -NGENProcess 560 -Pipe 530 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 550 -NGENProcess 52c -Pipe 554 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 570 -NGENProcess 55c -Pipe 49c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 204 -NGENProcess 564 -Pipe 560 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 564 -NGENProcess 208 -Pipe 558 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 544 -Pipe 55c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 578 -NGENProcess 550 -Pipe 52c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 57c -NGENProcess 208 -Pipe 570 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 568 -NGENProcess 584 -Pipe 578 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 574 -NGENProcess 208 -Pipe 204 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 588 -NGENProcess 57c -Pipe 530 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 58c -NGENProcess 584 -Pipe 564 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 58c -InterruptEvent 590 -NGENProcess 208 -Pipe 544 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 590 -InterruptEvent 594 -NGENProcess 57c -Pipe 580 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 598 -NGENProcess 584 -Pipe 568 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 59c -NGENProcess 208 -Pipe 574 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a0 -InterruptEvent 59c -NGENProcess 598 -Pipe 57c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 588 -NGENProcess 208 -Pipe 58c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 5a0 -NGENProcess 5ac -Pipe 59c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a0 -InterruptEvent 550 -NGENProcess 208 -Pipe 5a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 5b0 -NGENProcess 588 -Pipe 584 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b0 -InterruptEvent 5b4 -NGENProcess 5ac -Pipe 590 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 5b8 -NGENProcess 208 -Pipe 594 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b8 -InterruptEvent 5bc -NGENProcess 588 -Pipe 5a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5bc -InterruptEvent 5c0 -NGENProcess 5ac -Pipe 5a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5c0 -InterruptEvent 5c4 -NGENProcess 208 -Pipe 550 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5c4 -InterruptEvent 5c8 -NGENProcess 588 -Pipe 5b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5c8 -InterruptEvent 5cc -NGENProcess 5ac -Pipe 5b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5cc -InterruptEvent 5d0 -NGENProcess 208 -Pipe 5b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5d0 -InterruptEvent 5d4 -NGENProcess 588 -Pipe 5bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5d8 -InterruptEvent 5cc -NGENProcess 5dc -Pipe 5d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5cc -InterruptEvent 5c0 -NGENProcess 588 -Pipe 5c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5c0 -InterruptEvent 5e0 -NGENProcess 5d8 -Pipe 5ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5e0 -InterruptEvent 598 -NGENProcess 588 -Pipe 5c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 5e8 -NGENProcess 5cc -Pipe 208 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5e8 -InterruptEvent 5ec -NGENProcess 5d8 -Pipe 5e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5ec -InterruptEvent 5f0 -NGENProcess 588 -Pipe 5d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f0 -InterruptEvent 5f4 -NGENProcess 5cc -Pipe 5c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f4 -InterruptEvent 5f8 -NGENProcess 5d8 -Pipe 5e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f8 -InterruptEvent 5fc -NGENProcess 588 -Pipe 598 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5fc -InterruptEvent 600 -NGENProcess 5cc -Pipe 5e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 600 -InterruptEvent 604 -NGENProcess 5d8 -Pipe 5ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 604 -InterruptEvent 608 -NGENProcess 588 -Pipe 5f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 608 -InterruptEvent 60c -NGENProcess 5cc -Pipe 5f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 60c -InterruptEvent 610 -NGENProcess 5d8 -Pipe 5f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 610 -InterruptEvent 614 -NGENProcess 588 -Pipe 5fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 614 -InterruptEvent 618 -NGENProcess 5cc -Pipe 600 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 618 -InterruptEvent 61c -NGENProcess 5d8 -Pipe 604 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 620 -InterruptEvent 61c -NGENProcess 618 -Pipe 588 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 61c -InterruptEvent 608 -NGENProcess 5d8 -Pipe 60c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 608 -InterruptEvent 628 -NGENProcess 614 -Pipe 5dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 628 -InterruptEvent 62c -NGENProcess 618 -Pipe 624 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 630 -NGENProcess 5d8 -Pipe 610 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 630 -InterruptEvent 634 -NGENProcess 614 -Pipe 620 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 634 -InterruptEvent 638 -NGENProcess 618 -Pipe 61c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 638 -InterruptEvent 63c -NGENProcess 5d8 -Pipe 608 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 63c -InterruptEvent 640 -NGENProcess 614 -Pipe 628 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 640 -InterruptEvent 644 -NGENProcess 618 -Pipe 62c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 644 -InterruptEvent 648 -NGENProcess 5d8 -Pipe 630 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 648 -InterruptEvent 64c -NGENProcess 614 -Pipe 634 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 64c -InterruptEvent 650 -NGENProcess 618 -Pipe 638 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 650 -InterruptEvent 654 -NGENProcess 5d8 -Pipe 63c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 654 -InterruptEvent 658 -NGENProcess 614 -Pipe 640 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 658 -InterruptEvent 65c -NGENProcess 618 -Pipe 644 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 65c -InterruptEvent 660 -NGENProcess 5d8 -Pipe 648 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 660 -InterruptEvent 664 -NGENProcess 614 -Pipe 64c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 664 -InterruptEvent 668 -NGENProcess 618 -Pipe 650 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 668 -InterruptEvent 654 -NGENProcess 5d8 -Pipe 658 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 66c -InterruptEvent 654 -NGENProcess 668 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 654 -InterruptEvent 5cc -NGENProcess 5d8 -Pipe 65c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5cc -InterruptEvent 674 -NGENProcess 664 -Pipe 614 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 674 -InterruptEvent 664 -NGENProcess 66c -Pipe 67c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 664 -InterruptEvent 670 -NGENProcess 678 -Pipe 660 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 680 -NGENProcess 5cc -Pipe 618 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 680 -InterruptEvent 684 -NGENProcess 66c -Pipe 668 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 684 -InterruptEvent 688 -NGENProcess 678 -Pipe 654 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 688 -InterruptEvent 670 -NGENProcess 5cc -Pipe 690 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 674 -NGENProcess 68c -Pipe 664 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 674 -InterruptEvent 694 -NGENProcess 678 -Pipe 5d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 698 -InterruptEvent 670 -NGENProcess 69c -Pipe 674 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 69c -NGENProcess 694 -Pipe 68c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 69c -InterruptEvent 6b8 -NGENProcess 6a4 -Pipe 6ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6bc -InterruptEvent 670 -NGENProcess 6c0 -Pipe 69c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 6a0 -NGENProcess 6a4 -Pipe 698 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6a0 -InterruptEvent 6c4 -NGENProcess 6b8 -Pipe 6a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c4 -InterruptEvent 6c8 -NGENProcess 6c0 -Pipe 6b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c8 -InterruptEvent 6cc -NGENProcess 6a4 -Pipe 6b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6cc -InterruptEvent 6d0 -NGENProcess 6b8 -Pipe 6bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6d0 -InterruptEvent 6d8 -NGENProcess 6c0 -Pipe 6d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6d8 -InterruptEvent 670 -NGENProcess 694 -Pipe 6a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 6dc -NGENProcess 6c8 -Pipe 6a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6dc -InterruptEvent 6e0 -NGENProcess 6c0 -Pipe 6c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6e0 -InterruptEvent 6e4 -NGENProcess 694 -Pipe 6cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6e4 -InterruptEvent 6e8 -NGENProcess 6c8 -Pipe 6d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6e8 -InterruptEvent 6ec -NGENProcess 6c0 -Pipe 6d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6ec -InterruptEvent 6f4 -NGENProcess 694 -Pipe 6f0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6f4 -InterruptEvent 6f8 -NGENProcess 6b8 -Pipe 670 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6f8 -InterruptEvent 700 -NGENProcess 6c0 -Pipe 6fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6dc -InterruptEvent 6e8 -NGENProcess 6e0 -Pipe 708 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6e8 -InterruptEvent 6b8 -NGENProcess 704 -Pipe 6e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 694 -InterruptEvent 6b8 -NGENProcess 6e8 -Pipe 6f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 700 -InterruptEvent 6b8 -NGENProcess 694 -Pipe 704 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6b8 -InterruptEvent 710 -NGENProcess 6e8 -Pipe 6ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 710 -InterruptEvent 6e8 -NGENProcess 6c8 -Pipe 70c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6e8 -InterruptEvent 6f4 -NGENProcess 718 -Pipe 694 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6f4 -InterruptEvent 6c0 -NGENProcess 6b8 -Pipe 714 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c0 -InterruptEvent 71c -NGENProcess 6c8 -Pipe 6dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 71c -InterruptEvent 6e8 -NGENProcess 718 -Pipe 724 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6e8 -InterruptEvent 700 -NGENProcess 720 -Pipe 710 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 728 -InterruptEvent 700 -NGENProcess 6e8 -Pipe 6c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 700 -InterruptEvent 6e0 -NGENProcess 720 -Pipe 6f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6e0 -InterruptEvent 730 -NGENProcess 71c -Pipe 6b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 734 -InterruptEvent 700 -NGENProcess 738 -Pipe 6e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 700 -InterruptEvent 72c -NGENProcess 71c -Pipe 6c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 72c -InterruptEvent 73c -NGENProcess 730 -Pipe 718 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 73c -InterruptEvent 740 -NGENProcess 738 -Pipe 728 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 740 -InterruptEvent 744 -NGENProcess 71c -Pipe 6e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 744 -InterruptEvent 748 -NGENProcess 73c -Pipe 72c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 748 -InterruptEvent 734 -NGENProcess 730 -Pipe 74c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 734 -InterruptEvent 750 -NGENProcess 73c -Pipe 754 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 750 -InterruptEvent 720 -NGENProcess 700 -Pipe 738 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 720 -InterruptEvent 758 -NGENProcess 730 -Pipe 740 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 758 -InterruptEvent 75c -NGENProcess 73c -Pipe 71c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 75c -InterruptEvent 764 -NGENProcess 700 -Pipe 760 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 764 -InterruptEvent 768 -NGENProcess 744 -Pipe 748 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 770 -InterruptEvent 768 -NGENProcess 75c -Pipe 758 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 768 -InterruptEvent 720 -NGENProcess 764 -Pipe 700 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 720 -InterruptEvent 764 -NGENProcess 750 -Pipe 774 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 764 -InterruptEvent 76c -NGENProcess 730 -Pipe 744 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 76c -InterruptEvent 778 -NGENProcess 768 -Pipe 734 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 778 -InterruptEvent 780 -NGENProcess 750 -Pipe 77c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 780 -InterruptEvent 720 -NGENProcess 75c -Pipe 784 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 720 -InterruptEvent 76c -NGENProcess 73c -Pipe 788 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 76c -InterruptEvent 770 -NGENProcess 730 -Pipe 768 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 770 -InterruptEvent 78c -NGENProcess 75c -Pipe 764 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 78c -InterruptEvent 790 -NGENProcess 73c -Pipe 778 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 790 -InterruptEvent 794 -NGENProcess 730 -Pipe 780 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 794 -InterruptEvent 798 -NGENProcess 75c -Pipe 720 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 798 -InterruptEvent 79c -NGENProcess 73c -Pipe 76c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 79c -InterruptEvent 7a0 -NGENProcess 730 -Pipe 770 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7a0 -InterruptEvent 7a4 -NGENProcess 75c -Pipe 78c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7a4 -InterruptEvent 7a8 -NGENProcess 73c -Pipe 790 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7a8 -InterruptEvent 7ac -NGENProcess 730 -Pipe 794 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7ac -InterruptEvent 7b0 -NGENProcess 75c -Pipe 798 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7b4 -InterruptEvent 7a8 -NGENProcess 7b8 -Pipe 7ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7a8 -InterruptEvent 79c -NGENProcess 75c -Pipe 7a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 79c -InterruptEvent 7bc -NGENProcess 7b0 -Pipe 750 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7bc -InterruptEvent 7c0 -NGENProcess 7b8 -Pipe 7a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7c0 -InterruptEvent 7c4 -NGENProcess 75c -Pipe 73c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7c4 -InterruptEvent 7c8 -NGENProcess 7b0 -Pipe 7b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7c8 -InterruptEvent 7cc -NGENProcess 7b8 -Pipe 7a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7cc -InterruptEvent 7d0 -NGENProcess 75c -Pipe 79c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7d0 -InterruptEvent 7d4 -NGENProcess 7b0 -Pipe 7bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7d4 -InterruptEvent 7d8 -NGENProcess 7b8 -Pipe 7c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7d8 -InterruptEvent 7dc -NGENProcess 75c -Pipe 7c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7dc -InterruptEvent 7e4 -NGENProcess 7b0 -Pipe 7e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7e4 -InterruptEvent 7e8 -NGENProcess 730 -Pipe 7c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7e8 -InterruptEvent 7ec -NGENProcess 75c -Pipe 7b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7ec -InterruptEvent 7f0 -NGENProcess 7b0 -Pipe 7d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7d8 -InterruptEvent 7e8 -NGENProcess 7f0 -Pipe 7ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7e8 -InterruptEvent 7f8 -NGENProcess 7e4 -Pipe 7f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7f8 -InterruptEvent 7fc -NGENProcess 7d0 -Pipe 75c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7fc -InterruptEvent 804 -NGENProcess 7f0 -Pipe 7b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 804 -InterruptEvent 808 -NGENProcess 7e4 -Pipe 7dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 808 -InterruptEvent 80c -NGENProcess 7d0 -Pipe 7d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 80c -InterruptEvent 7fc -NGENProcess 7f0 -Pipe 814 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7fc -InterruptEvent 7e8 -NGENProcess 810 -Pipe 7f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7e8 -InterruptEvent 818 -NGENProcess 7d0 -Pipe 7cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 818 -InterruptEvent 7d0 -NGENProcess 80c -Pipe 820 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 7d0 -InterruptEvent 804 -NGENProcess 81c -Pipe 808 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 804 -InterruptEvent 824 -NGENProcess 7e8 -Pipe 7e4 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | ww7.przvgke.biz | udp |
| US | 199.59.243.228:80 | ww7.przvgke.biz | tcp |
| US | 8.8.8.8:53 | ww12.przvgke.biz | udp |
| US | 13.248.148.254:80 | ww12.przvgke.biz | tcp |
| US | 13.248.148.254:80 | ww12.przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
Files
memory/1724-8-0x0000000000300000-0x0000000000366000-memory.dmp
memory/1724-7-0x0000000000400000-0x000000000061B000-memory.dmp
memory/1724-0-0x0000000000300000-0x0000000000366000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | d63336493f8b5e14b9c331d1057912cc |
| SHA1 | 75d7f937e41cbff3abbee7c2929f83feb45d1842 |
| SHA256 | 884c66a8a4f61d69d2ed1c0c455d29b14855959ad351e15bb9e4e6af0967a1a2 |
| SHA512 | 5e760d556d993aebc7449921a8217ea08ea993dcac9a4bc5b3a45ba2c4c85fa001ee52c15f8cc9cdbd41a538911ed37e0d7a49ac0088db824454583aa40dd4df |
memory/2252-13-0x0000000100000000-0x000000010013B000-memory.dmp
memory/2252-14-0x0000000000840000-0x00000000008A0000-memory.dmp
memory/2252-22-0x0000000000840000-0x00000000008A0000-memory.dmp
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | c8a077f599f876c17544c54f0bda1d93 |
| SHA1 | 799282a9dde80b16fbf3ce0d3f730f54ecefc7fe |
| SHA256 | bec504b7b59075da6205595e8f3785489ae13fd6300eaff1fb6c7000969e48e4 |
| SHA512 | 671b6d9e25c7b7876847fa448979e0aca411ff33c81daf00e49e17d304432d0e0b9083c369530bba25f7a74f7931674145ca7f3258a2f867c9ff2ab2be6a8a27 |
memory/2916-27-0x0000000140000000-0x0000000140134000-memory.dmp
memory/2916-36-0x0000000000A90000-0x0000000000AF0000-memory.dmp
memory/2916-28-0x0000000000A90000-0x0000000000AF0000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | e6846998d3c65241db63b06d34bc3524 |
| SHA1 | 86b8c04e03c4ccce9a85ed91ae348137d78c9f90 |
| SHA256 | 6ace06ad7a3ca31b3cf6df736a62bb1d2a0e608ccf8bb60e0a1190d05b9151dd |
| SHA512 | ebaf4086b42346d093bb09c7631baeee9759b8cabf47db9ce1afdde7c5240a54a2ab1a9bf83422b1b8d994714e12695026f9227dc6aad55fbb0d762284380e02 |
memory/2880-39-0x0000000010000000-0x0000000010136000-memory.dmp
memory/2880-40-0x0000000000230000-0x0000000000296000-memory.dmp
memory/2880-48-0x0000000000230000-0x0000000000296000-memory.dmp
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | fb3202b39ee463ab2a64c6bfb931fc7f |
| SHA1 | 6f8f61729a8d260db5812e6730fd2f5602dd7145 |
| SHA256 | b7079a9a3860d48b391696e9f3333f0bf5c699beb300368bf3b6c105e1fc56c8 |
| SHA512 | 32ab1dfe6c5f2ededa339902c8fd741602ad3ec59b05f49e4ee90b816912181fb9067e5f892ddf8a923d760c318fa2819df2950ac9f3dc61e2225fc5a6e84ded |
memory/2808-57-0x0000000000250000-0x00000000002B0000-memory.dmp
memory/2808-56-0x0000000010000000-0x000000001013E000-memory.dmp
memory/2808-63-0x0000000000250000-0x00000000002B0000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | 9a8be22e289fd64b6914a93e6ac4459a |
| SHA1 | b896cfd40f0db656c60a8494aed3dbcfc07c3fd6 |
| SHA256 | 2d3c77ffd9b161dcc36fe50837870f33e97f4e69352d19ce52418305447b5c2f |
| SHA512 | 5dca8deccbbc2964e00283d8c7c3ffb5db3cbf28111789abe37760eaf287b2751c829ca97a5f655e5425eb34bd85fe6d01f1e9fc34fd4aa0c10e7231ef654e62 |
memory/2880-73-0x0000000010000000-0x0000000010136000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | 2f13eb8fbb58eefed5910ed26374fe03 |
| SHA1 | 3b96a0f2aaeddded8e59a0e2f899c607aab4e2a3 |
| SHA256 | 102141e2c61413aa602432d6883c127ca055e388030904af663c2097dc7ff461 |
| SHA512 | 233a087fe08966031bba5081214332091c2d2d18962cb4aa317035da27ecc898b89d905f6546fe6ad019b7e99a40dd3d6b5abdcdbe1fd9e25d758cddb33ebf51 |
memory/2808-78-0x0000000010000000-0x000000001013E000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 140ece3c3381ae44429dfd626966d492 |
| SHA1 | 8026843ec4f3eba6c054023407e5169786c83631 |
| SHA256 | d895c1ffcb7cefde48ed525688abdeac14c00cc0f80d8664a160c788be0e2bdd |
| SHA512 | 452cc822a6fd4e8eb81ae3d3d3fa75650c243a2b383e97d024b7149d1c29c11e1ef36b16ef4e3b378fc0e7cf06a1f866be748076c27692bf1bf97d21aabf2a04 |
memory/1724-80-0x0000000000400000-0x000000000061B000-memory.dmp
memory/1476-81-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1476-82-0x0000000000670000-0x00000000006D6000-memory.dmp
memory/1476-88-0x0000000000670000-0x00000000006D6000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | 61c142ff0cf86710de679569b168fc0d |
| SHA1 | edbaa03e31a50e02de0aab3cd564c60ce63a028c |
| SHA256 | 195f39a291f5d79d9ff1106ff8c0db43c18828ebe2a09361f6e1e88d7e4eadd9 |
| SHA512 | c3067229445eacd156b7d8bb2a0fb5b57fb5320299a75f36911d8650aff3299b917ba9972f4aa569cbd786a49754c7867ac141d9741d41407849f52be6386e4a |
memory/1280-96-0x0000000000590000-0x00000000005F0000-memory.dmp
memory/1280-102-0x0000000000590000-0x00000000005F0000-memory.dmp
memory/1280-95-0x0000000140000000-0x0000000140145000-memory.dmp
\Windows\ehome\ehrecvr.exe
| MD5 | 1cfe1d9d63cee476197440f9643c24b9 |
| SHA1 | 2e0677da0ca96e0b665904a768fc3b077608837f |
| SHA256 | 935076b3c1224d34bd3fc9dd8310557792e8610352988c5016c83d215c8dd5e2 |
| SHA512 | 997aface18afc2ca35cf03311bbea10648835e2c8073adb4fda382fe0cb150c8e3119ccca9010ee38c8ecc6606e53ff4873bc5c2f5aeba51f4ceabd6f035f09e |
memory/2004-111-0x0000000140000000-0x000000014013C000-memory.dmp
memory/2004-112-0x0000000000A70000-0x0000000000AD0000-memory.dmp
memory/2004-118-0x0000000000A70000-0x0000000000AD0000-memory.dmp
\Windows\ehome\ehsched.exe
| MD5 | 060706b20fbb972eeecee7f5a6c47af6 |
| SHA1 | 371bac27904bba5bbaa90c0b3104f5035e938c39 |
| SHA256 | 2e875f23d457e90e5739b28aed1267bc64319e0f0452ffc36c663d11d4eebc2d |
| SHA512 | 74b55cc06edfc5047f38151cdcd9391d006751333ddfcc6cfc046121ddc75712d6fbf0f228f6dd9faa6377f70b82a76485e035065ddf727dbd47738a40732184 |
memory/2252-131-0x0000000100000000-0x000000010013B000-memory.dmp
memory/2428-132-0x0000000140000000-0x0000000140149000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | e6fa23875fab17cfe675f7e6019f0b65 |
| SHA1 | 7b951b51536e1beb84fc4fb24f048b15781310e1 |
| SHA256 | 239033a79b1f77ca34a810507cc9be1fe4e4a3f199b1e0aee218ab9e0d4b8bae |
| SHA512 | 1e519de1e1f2b5a1ecac709768c10c264347930fcf0fbf9a220a858c4ae74c471e10ac3cbe6731031ca0e4da380f5584849511763516a16d8826ab7f3d93d9d5 |
memory/1944-146-0x0000000140000000-0x0000000140237000-memory.dmp
\Windows\System32\ieetwcollector.exe
| MD5 | f45182a04c7852e65a9bdc1a056f58fe |
| SHA1 | d35345fe6cd9b44e270fdf49902e5621f789aa61 |
| SHA256 | eb56f89ea69badc4a702642cb0b0a5dc8800640a642890f6eb6d4d718628c11a |
| SHA512 | 364f139be7f3a77345265267ae40a718a5c40d8b3738e1352087550356ffb752e6e938e4291954c2b7e3ac7eac7bdef58fb8b2ab58b3e4071fa0b1c6d6788222 |
memory/2916-158-0x0000000140000000-0x0000000140134000-memory.dmp
memory/1400-159-0x0000000140000000-0x0000000140145000-memory.dmp
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | d8034c415711632c53557f5f5c3d8ba7 |
| SHA1 | d527f0eb21320038287227055e5120393b92e1dc |
| SHA256 | ec02b8549b404aad09fe2671c66d04afae5421e424262756524fa62816092326 |
| SHA512 | 49206cc0d888fbd01d2bc54bbe026e55532e9fffa85204cb5ccf53bf9937b9cfe1c5c84a49defb1ac942ad6bd333c0b8074b3ace17fa41961eabd9fca3e14881 |
memory/1596-170-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 124808994723621988d5844ddfda112a |
| SHA1 | e9e177c3dce8a3f117c6eb498a541ec30fbc681f |
| SHA256 | 5d0f80f01bf2ba32d9dc1a9a36d74aa31e99095526afed9ef289f8de6303ec94 |
| SHA512 | 3bfffacc06e7c7c81f08c925787981f80dc5a11e47e55110360b557a74b5960426cacb00860356ad984514ef8256dd4935fd5e633291a7e88ad9a5a0d350b4b9 |
memory/2444-180-0x0000000140000000-0x0000000140161000-memory.dmp
\Windows\System32\msdtc.exe
| MD5 | d46832d0cc9e5dc36a2e2eb0b4a3c5b5 |
| SHA1 | de03bb9ba17d0836981a13571fca11aa57ec4578 |
| SHA256 | dbdbedfc5f9e9c287bd569fc1afef211025e5f1b42f17987b539b714c3d9e11a |
| SHA512 | dafade170a694850caf445f567fc9c6ff7074e11e55a7a0de61fa334917a8d2f6d7274371054d90f7a76097f3d6ae980ff53cc95179948fa55ce3ad2df5cf079 |
memory/2472-186-0x0000000140000000-0x000000014014D000-memory.dmp
memory/2444-198-0x0000000140000000-0x0000000140161000-memory.dmp
\Windows\System32\msiexec.exe
| MD5 | d37e6aca9320977fc51ef682b4e91d67 |
| SHA1 | cb30e2fb971f7764f1cbf75283e6e320befde195 |
| SHA256 | 99bc25a3753cdf826c1fb8599e00852f328b438868269b679a508522a6ce1292 |
| SHA512 | fd45b278b17ec24f6dd092b941c4ffeb29e1ccc124b592baba8d10f048c13e873c1c419c612b2fdbbffa408dd3d945c99808eee861da2fafecd37b1d1d678e33 |
memory/1028-202-0x0000000100000000-0x0000000100149000-memory.dmp
memory/1028-205-0x0000000000670000-0x00000000007B9000-memory.dmp
memory/1476-204-0x0000000000400000-0x000000000053F000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | ea0278dfb1104db07956aa7ebf388eaf |
| SHA1 | 7c87cd1138f52edb4b072e1b4ae3dedf6a33f2a1 |
| SHA256 | 2772f01c377f942fe06f13f55afcb600c54558d3aafdb44a961e9443f3b8cc77 |
| SHA512 | 5768d2adda7f72577f591a8bef957a3a5668d327f433e0aa7a02c49b9c0ff321567e28171e2087eb8a55d971b351d26173146033d01821516a3a65c162a6dc58 |
memory/1280-227-0x0000000140000000-0x0000000140145000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 16bec4cc4c7883009b1ef8ed7d994f05 |
| SHA1 | c5ad6c1fea1e8b2e2621e13c73882a0898464822 |
| SHA256 | 7b6208fc37e5c932aeba0d22facac2130affb6824bb8400d0ff8e8abc59dc75f |
| SHA512 | 7281247400b9c1c885bf75717993dab34a36a66b7da57b2bab75fb50a311c413f81d3ba5e219def2fb9f3762518f45207ce2ecdf1e61bc444a2a22c177e829b5 |
memory/2004-237-0x0000000140000000-0x000000014013C000-memory.dmp
memory/1620-239-0x0000000001000000-0x000000000112D000-memory.dmp
memory/2964-228-0x000000002E000000-0x000000002E14C000-memory.dmp
\Windows\System32\Locator.exe
| MD5 | bb604c5ef890367b0d22fc1d5aee8d79 |
| SHA1 | e8a5c56deb1a2da35f8929022268589f89b59e65 |
| SHA256 | 7c3f2ab490b8617163085fe81105f5faea67848a5b5b36410122b718516d560e |
| SHA512 | bb48ca92d66786f5d08d71d894d4633a97c8d21c4b5fedbe4ea0fb61320127b2a108b1ba4689e5791e58e147568d9d616ee5a4689a4bec5dd33f340e6cb99756 |
memory/2428-250-0x0000000140000000-0x0000000140149000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | e821fb89138c50b08a6750375edd9869 |
| SHA1 | f280f5d1a23e2bce95c0728826d88a1923fc6802 |
| SHA256 | 205fc47211cf4424184bbe731cf71c8f5fa81c4f32f1a45edf59868ba999cc49 |
| SHA512 | 7ae363ff98dc8ac3ab68d91d90edace33e8818189bc6610a811a9ea9a5a55211f534ff48718b6f8a7599aa16d665a7b9cbebc1af484d9f5ea61498deb2bf2350 |
memory/2184-251-0x0000000100000000-0x000000010012C000-memory.dmp
memory/1944-263-0x0000000140000000-0x0000000140237000-memory.dmp
memory/2832-265-0x0000000100000000-0x000000010012D000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 694de4aec0a295e52f77294844c44a11 |
| SHA1 | 64531b0c69d058b2948ab16300cd7fed564bd608 |
| SHA256 | 143701a193325e78bb7dcf19dd60636d0f3fd298a3152c9c13fead3c1cb407d6 |
| SHA512 | ee4ca28fdc28aeea943cdff0002c22268217655a5197765e7bb0cab62e34a4340aa763ae4e7e84c4ab71812c9be0b839fb59306639e02ddb619d82fc35e82d18 |
memory/2856-276-0x0000000100000000-0x00000001001AB000-memory.dmp
memory/1400-275-0x0000000140000000-0x0000000140145000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | c2cebf3ace7aa9682ad26f6146f60305 |
| SHA1 | b60636446aecbc850443c265761bb63690573189 |
| SHA256 | 6a8965a00d59d14663ec9f757962ac4ecebf7ba12f876ae15b3d1cdc66afd695 |
| SHA512 | 6db0b21471e494914ad07294fb216291fd35cdd1b71f4fe00485da6233a3898267aa5d4036f2f29a4b24a0ca159d79eb6790019584907b280eeb47c2bc2b1d25 |
\Windows\System32\wbengine.exe
| MD5 | bc42caeb1aeade20fa2d3bac93db28d6 |
| SHA1 | 8323dd165a3d310ea5ed3bc313a73b72d0215c35 |
| SHA256 | f3858215450b35b14ec88b0341f76551ab22505fef2614a03e36e82f95abfe03 |
| SHA512 | 181f40aae03d7f10441e11d8980850701bf339a9a985220cd92ee2b611ba9cdf51cd41abd7bb6cbfc6caf7cf68853ba0d9a74317655698b47d19fb760e6f1870 |
memory/636-299-0x0000000100000000-0x0000000100219000-memory.dmp
memory/1596-298-0x000000002E000000-0x000000002FE1E000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | a67481306f043842906f1ae6130ba55c |
| SHA1 | 897c60db83ac8be5aa051a67e9fbf5d504a0c5e0 |
| SHA256 | fcc87804aa598f73401f3b21871a8d15f64e43b1d60b338b1796d065613029b8 |
| SHA512 | 87462b6c45e6a0ee1210100d619a92406e12ca259a80d5a9838b79f56f8521903c077bfdc15399614781bffa5fac618e00571920386d642db6e8cae5e412a6ef |
memory/1044-300-0x0000000100000000-0x0000000100202000-memory.dmp
memory/2472-312-0x0000000140000000-0x000000014014D000-memory.dmp
memory/1688-313-0x0000000100000000-0x000000010015B000-memory.dmp
\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 79426ba7119c468857039c619c8a59bd |
| SHA1 | c8d08027c6d2d6e23f6a0ad463921deafdc2f215 |
| SHA256 | 9b40660660e01eb8ae34a707167d950537ef8a19deaffd71a1607f1305059dfd |
| SHA512 | 234b92eed6b4b126ea876a4646199904d95be742d94c0f2102212d20e4e2fdc90df93de14d447b4d80e3315531e8bd1cd8d1ca783f07c9f9ad594a3e30f179aa |
memory/1028-338-0x0000000000670000-0x00000000007B9000-memory.dmp
memory/2444-337-0x0000000000400000-0x000000000053F000-memory.dmp
memory/800-336-0x0000000100000000-0x000000010020A000-memory.dmp
memory/1028-335-0x0000000100000000-0x0000000100149000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | d61bf35525b19d5024f716d88bf4f51a |
| SHA1 | 51534304f0a9fcdca663530c4055aca1714da0b1 |
| SHA256 | 82c65ada3bbe26ece67b5d556058d4e7fa3af46622b6d010302a05a3c2fcd08c |
| SHA512 | dec096fea86f50f0276c7cc0dc52e157a774aba0fb03afe8e8315a825b2eb853224904204d693498bdc41d60371009bd5aaf85fd0c07707e8c1650da474010a1 |
memory/2668-350-0x0000000100000000-0x0000000100123000-memory.dmp
memory/2964-349-0x000000002E000000-0x000000002E14C000-memory.dmp
memory/1620-397-0x0000000001000000-0x000000000112D000-memory.dmp
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | 6878757d876e53788ed2eb199c5ef16e |
| SHA1 | 18b215c92d3dca6974beebf7eb964d79b1c693b0 |
| SHA256 | aab0ee48ebe0bc2d068ef5a82b5c0e1f04377657db05272f82823a0df75439db |
| SHA512 | 866460288564157e6bc76e990b5645862ec9648a7d4025b28c81b230d97daf6e3b81bc8badd6f38d30bdeee61bb8cc791d9a43cf5c53ee6a5bc42c7aa9755a21 |
memory/2184-417-0x0000000100000000-0x000000010012C000-memory.dmp
memory/2548-428-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2444-434-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1320-454-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2832-453-0x0000000100000000-0x000000010012D000-memory.dmp
memory/2548-456-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1556-508-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1320-512-0x0000000000400000-0x000000000053F000-memory.dmp
memory/780-530-0x0000000000400000-0x000000000053F000-memory.dmp
memory/636-529-0x0000000100000000-0x0000000100219000-memory.dmp
memory/1556-527-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2856-505-0x0000000100000000-0x00000001001AB000-memory.dmp
memory/1784-569-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1044-568-0x0000000100000000-0x0000000100202000-memory.dmp
memory/780-572-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1388-577-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1688-576-0x0000000100000000-0x000000010015B000-memory.dmp
memory/1784-587-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2864-602-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1388-605-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2152-631-0x0000000000400000-0x000000000053F000-memory.dmp
memory/800-601-0x0000000100000000-0x000000010020A000-memory.dmp
memory/2948-652-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2164-654-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2948-670-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1084-667-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2668-666-0x0000000100000000-0x0000000100123000-memory.dmp
memory/700-678-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1084-685-0x0000000000400000-0x000000000053F000-memory.dmp
memory/700-708-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1720-726-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2924-729-0x0000000003CA0000-0x0000000003D5A000-memory.dmp
memory/2924-742-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1040-758-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1956-760-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1956-777-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2864-786-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2868-785-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2016-783-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2868-804-0x0000000000400000-0x000000000053F000-memory.dmp
memory/3036-805-0x0000000000400000-0x000000000053F000-memory.dmp
memory/3036-813-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2724-823-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1388-826-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1036-837-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2724-839-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1036-844-0x0000000000400000-0x000000000053F000-memory.dmp
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
| MD5 | 8c69bbdfbc8cc3fa3fa5edcd79901e94 |
| SHA1 | b8028f0f557692221d5c0160ec6ce414b2bdf19b |
| SHA256 | a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d |
| SHA512 | 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
| MD5 | 4f40997b51420653706cb0958086cd2d |
| SHA1 | 0069b956d17ce7d782a0e054995317f2f621b502 |
| SHA256 | 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553 |
| SHA512 | e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
| MD5 | 7d1c0d3183454164b0002ffdc4a7324a |
| SHA1 | d281b8c18ccd9bf7f5936aabaf7614219e182c2e |
| SHA256 | 1f23c46a079c38fc6e3b86f9f3488ecd45cb1afb93bedebd45c05db051fd11e0 |
| SHA512 | a32ef31489dd8c6b42986c092f525142cba717ec75a64eef8946b99bc57d86bdf305c547753caaa87848a77a702c6a30f0ff12b622a6cad91efad28ca0f106ea |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
| MD5 | 71d4273e5b77cf01239a5d4f29e064fc |
| SHA1 | e8876dea4e4c4c099e27234742016be3c80d8b62 |
| SHA256 | f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575 |
| SHA512 | 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
| MD5 | 3c269caf88ccaf71660d8dc6c56f4873 |
| SHA1 | f9481bf17e10fe1914644e1b590b82a0ecc2c5c4 |
| SHA256 | de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48 |
| SHA512 | bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
| MD5 | ac901cf97363425059a50d1398e3454b |
| SHA1 | 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7 |
| SHA256 | f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58 |
| SHA512 | 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
| MD5 | e3a7a2b65afd8ab8b154fdc7897595c3 |
| SHA1 | b21eefd6e23231470b5cf0bd0d7363879a2ed228 |
| SHA256 | e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845 |
| SHA512 | 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
| MD5 | 2735d2ab103beb0f7c1fbd6971838274 |
| SHA1 | 6063646bc072546798bf8bf347425834f2bfad71 |
| SHA256 | f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3 |
| SHA512 | fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
| MD5 | 9c60454398ce4bce7a52cbda4a45d364 |
| SHA1 | da1e5de264a6f6051b332f8f32fa876d297bf620 |
| SHA256 | edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1 |
| SHA512 | 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
| MD5 | c26b034a8d6ab845b41ed6e8a8d6001d |
| SHA1 | 3a55774cf22d3244d30f9eb5e26c0a6792a3e493 |
| SHA256 | 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3 |
| SHA512 | 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
| MD5 | aefc3f3c8e7499bad4d05284e8abd16c |
| SHA1 | 7ab718bde7fdb2d878d8725dc843cfeba44a71f7 |
| SHA256 | 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d |
| SHA512 | 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
| MD5 | 0fd0f978e977a4122b64ae8f8541de54 |
| SHA1 | 153d3390416fdeba1b150816cbbf968e355dc64f |
| SHA256 | 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60 |
| SHA512 | ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
| MD5 | 6eaaa1f987d6e1d81badf8665c55a341 |
| SHA1 | e52db4ad92903ca03a5a54fdb66e2e6fad59efd5 |
| SHA256 | 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e |
| SHA512 | dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2caab4784ed9265fa1de3770b7418834\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
| MD5 | de4a57e03c8b004c53dd2f3b0e6df019 |
| SHA1 | dcdda28ef40fabe4c37262b553774d6ac3ee2990 |
| SHA256 | 45b776c67ab68010bf6b36b256ab4f82c8cee6d140074e7e31b88bfe823780fe |
| SHA512 | 95aa404ab788e4a4bbbda0308321cf28fd81fbee17dfb92a0a0c1a35dc67e1120f787ea9ae82fefed9dc6b66893accacaf82f59b6772fa83c61052c8d52ddf4d |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
| MD5 | 6f9f108fa2279e1c28463809d1ade2ae |
| SHA1 | f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d |
| SHA256 | bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8 |
| SHA512 | 9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\67eda57907072b765afd1afd4a545533\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
| MD5 | 3f18ec7aafc46f30be93323c586c27a9 |
| SHA1 | 685f0b6bf869ab646089080245caa473f93c6032 |
| SHA256 | 4e4c081420f71b6e7e16e45fe712d67656edbaf390ea31c8a16e93c16a3abf17 |
| SHA512 | 377f95e43f0cfba3ec48e861c3de785a99af88ce399b9be88f04447d2057b421af47e8847b32dff076f71f3f83b429e8aad3fe558ff3068ac4407d8c3e7fe0fb |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8E6.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll
| MD5 | 33c0b6ef7208bb4b831ec9b7051755ce |
| SHA1 | d6aaed1cf00ac509338ddee4884dc4df73052178 |
| SHA256 | 5e6c88275a74d407d449964f0aaa45e2b3de9f70befbf596fa379302b3ea1b66 |
| SHA512 | 31cb891dddf98520ae024ebdeb3542d2fb55d9a0c1bc19fa5c070d2560e7db37ddf744b1c77c51e4675b30c74765009c4d4cf93827bcf7f347085ced8d40636e |
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
| MD5 | 7812b0a90d92b4812d4063b89a970c58 |
| SHA1 | 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea |
| SHA256 | 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543 |
| SHA512 | 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed |
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
| MD5 | 3e72bdd0663c5b2bcd530f74139c83e3 |
| SHA1 | 66069bcac0207512b9e07320f4fa5934650677d2 |
| SHA256 | 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357 |
| SHA512 | b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
| MD5 | aeb0b6e6c5d32d1ada231285ff2ae881 |
| SHA1 | 1f04a1c059503896336406aed1dc93340e90b742 |
| SHA256 | 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263 |
| SHA512 | e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
| MD5 | 006498313e139299a5383f0892c954b9 |
| SHA1 | 7b3aa10930da9f29272154e2674b86876957ce3a |
| SHA256 | 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c |
| SHA512 | 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
| MD5 | e88828b5a35063aa16c68ffb8322215d |
| SHA1 | 8225660ba3a9f528cf6ac32038ae3e0ec98d2331 |
| SHA256 | 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142 |
| SHA512 | e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
| MD5 | c76656b09bb7df6bd2ac1a6177a0027c |
| SHA1 | 0c296994a249e8649b19be84dce27c9ddafef3e0 |
| SHA256 | a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0 |
| SHA512 | 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
| MD5 | 0637ad2bf6fc5ac1d29e547155bc818c |
| SHA1 | a502879466b6dd37eae5881bbb18353f97623852 |
| SHA256 | 868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f |
| SHA512 | 1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
| MD5 | da9f9a01a99bd98104b19a95eeef256c |
| SHA1 | 272071d5bbc0c234bc2f63dfcd5a90f83079bbab |
| SHA256 | b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d |
| SHA512 | dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll
| MD5 | 87111e9d98dc79165dfc98a1fb93100b |
| SHA1 | 4f5182e5ce810f6ba3bdb3418ad33c916b6013c8 |
| SHA256 | 971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42 |
| SHA512 | abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll
| MD5 | d74d434aa70ce827715b5e0ac7eda5be |
| SHA1 | b53f3374be4c96af51c78fd873de1360f17c200f |
| SHA256 | 54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496 |
| SHA512 | 631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll
| MD5 | 7ebbba07bc6d54efd912bcd78b560b7b |
| SHA1 | a6aee1a80ddcdf201301ac29293c62d58bcc941d |
| SHA256 | 637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a |
| SHA512 | 2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll
| MD5 | eb09a7062a66a50fe2cb16c4a80561a7 |
| SHA1 | 33b4c71ced7644be9802374a4f04c866394daaca |
| SHA256 | e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256 |
| SHA512 | c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll
| MD5 | 7687295a6e19cc656b077e6a61629d4e |
| SHA1 | fa1025de5cffb56a3d1f8cae9d09b7171b33326e |
| SHA256 | ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86 |
| SHA512 | 19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll
| MD5 | 58cacef7cbc000bb5ddeedc08a598f36 |
| SHA1 | f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7 |
| SHA256 | 124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270 |
| SHA512 | 9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll
| MD5 | a763a9348ab4ee3bd593bb17d854e51b |
| SHA1 | 4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9 |
| SHA256 | b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b |
| SHA512 | e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll
| MD5 | e9ca062e4958cc25400c804029a5bf62 |
| SHA1 | 1ed4374d0d0f568936fdebe17d9110481d6b3344 |
| SHA256 | a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0 |
| SHA512 | 43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520 |
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll
| MD5 | 7bdf8e0c9aa04b71a52dd964005f4363 |
| SHA1 | a87e809146d3c70093a189c37f0a96b8bd0ce525 |
| SHA256 | 0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b |
| SHA512 | 4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-20 12:05
Reported
2025-01-20 12:07
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\CopyMeasure.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79171\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\perfhost.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000068aa29c336bdb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047118d94336bdb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a36c2a95336bdb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e6eec94336bdb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009da5394336bdb01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 680 wrote to memory of 3824 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 680 wrote to memory of 3824 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 680 wrote to memory of 4584 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 680 wrote to memory of 4584 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.10.141.18.in-addr.arpa | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | ww7.przvgke.biz | udp |
| US | 199.59.243.228:80 | ww7.przvgke.biz | tcp |
| US | 199.59.243.228:80 | ww7.przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | 228.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 217.72.21.2.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| SG | 47.129.31.212:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 8.8.8.8:53 | 212.31.129.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
Files
memory/1168-0-0x0000000000400000-0x000000000061B000-memory.dmp
memory/1168-1-0x0000000002480000-0x00000000024E6000-memory.dmp
memory/1168-8-0x0000000002480000-0x00000000024E6000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | aa82c13b49674dfc9e7b5607be8d3482 |
| SHA1 | c5fb9dc568d2d95c16eca592a8490e8c84e021c5 |
| SHA256 | 6395743a0661766be05729d8c3bcb696b10391e8c21e75998089fafe69c727b5 |
| SHA512 | c525d3ebb1cfa5d85994139ebd9a23a4b102567c5a8126f0e1992312fc27e3964ba496e5411b2555a686c6acb671a59fd0590b660b9381e1f4ea95ee041235dd |
memory/3252-18-0x0000000140000000-0x0000000140141000-memory.dmp
memory/3252-21-0x0000000000540000-0x00000000005A0000-memory.dmp
memory/3252-12-0x0000000000540000-0x00000000005A0000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 4b16adb42993a24e99d218497ea7b778 |
| SHA1 | 9b787cf3e79dd80c41de03f617f91ebe472b1621 |
| SHA256 | 0f5197bd351ab08154a1358c1474e8b165403ae08243f9696f005eae9ced4456 |
| SHA512 | 890aca48b671d72c959cc5179d83f1005a16d555b9d947078285cabbb1815b49de707c4bec00d9b65f8f95dc69ed67b77a288c1ea13458893c1c377ad1e6ffd0 |
memory/1828-26-0x0000000000680000-0x00000000006E0000-memory.dmp
memory/1828-35-0x0000000000680000-0x00000000006E0000-memory.dmp
memory/1828-34-0x0000000140000000-0x0000000140140000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | eff0643b9e271971e096ce205469b36f |
| SHA1 | f60365c8556aa18c19f6cb28f83cfb8347022f19 |
| SHA256 | da8492ad376220ebf0fedb0f9c4acd99a4f4c9991c30a705b34535c1f855ecee |
| SHA512 | 6bd4dd7f786bc23fb74ba3bcfac1bf58953f447c78ebcb89ecd4b7064c4a6fabeea3589c60a9a98f71006fca293540ad4457d7c2259456c00a1c25402305cd2e |
memory/3568-38-0x0000000140000000-0x0000000140135000-memory.dmp
memory/3568-39-0x0000000000800000-0x0000000000860000-memory.dmp
memory/3568-46-0x0000000000800000-0x0000000000860000-memory.dmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
| MD5 | 08b49223d3c0a4edfd033bb252760d58 |
| SHA1 | edb3011887c5a9ea44414ef3fbba1ae71ec89b59 |
| SHA256 | 287fcd750623cc2747a608c9bc4f98011549e150985d60cfb327abced67181fb |
| SHA512 | 7c98ad4840da3f59dbe3d1623a65a0451b426afab62369ada6a147e3833de601a40a1f674ca3a94ce91bddc769f92e7ad5f93afd3576c451d7da50a84e1ed35c |
memory/3716-56-0x0000000000CB0000-0x0000000000D10000-memory.dmp
memory/3716-50-0x0000000000CB0000-0x0000000000D10000-memory.dmp
memory/3568-45-0x0000000000800000-0x0000000000860000-memory.dmp
memory/3568-63-0x0000000000800000-0x0000000000860000-memory.dmp
memory/2404-71-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/2404-74-0x0000000140000000-0x000000014022B000-memory.dmp
memory/2404-65-0x00000000001A0000-0x0000000000200000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | 55459915644e204b9efbc01aae8f13d6 |
| SHA1 | 8d2de1773186aa49489495d16f72057a6f1393fb |
| SHA256 | e8b18e6364c10368fafdee915a8ca98c0c0383e2578415685472e4222cf15a44 |
| SHA512 | cbd82f55fbf2bbf0c3c6dd034a792503f872b1f8dfdd1ecc691e03daf6d271b982d5e36e2cef223e773036b9afbf29d21502dccd2baf20b5b4ed1bf6947764af |
memory/3568-62-0x0000000140000000-0x0000000140135000-memory.dmp
memory/3716-59-0x0000000140000000-0x0000000140234000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 5b016bf5b918b8d6a5d163559e789d5f |
| SHA1 | e24f17e2e37f62187a735bfb2cf298d66925311f |
| SHA256 | a63a3cebda528cde16859996fd02867817efd5bf34bfee2efde6579e14c15b24 |
| SHA512 | dbadc1c35309e9f7acedb1bbee6008c9e4df88afaaf86ef6dbdbf490e04614a4a7bae9a6d02dabb8c6ba5087f124279cb90edb75fd6d112018e147837e9b3b93 |
memory/4072-82-0x0000000001A30000-0x0000000001A90000-memory.dmp
memory/4072-87-0x0000000001A30000-0x0000000001A90000-memory.dmp
memory/1168-85-0x0000000000400000-0x000000000061B000-memory.dmp
memory/4072-76-0x0000000001A30000-0x0000000001A90000-memory.dmp
memory/4072-89-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3252-91-0x0000000140000000-0x0000000140141000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 4222557881d36098fa800fae9deef249 |
| SHA1 | c019d1907da8e3551821fd7521497f934aebb1e3 |
| SHA256 | 7bf45735685b47bbe58c75c0a0e3e4d85271ebcf4f8363da4c067936263db465 |
| SHA512 | aeaeddc591e1ed7752f5706a88641193ef94dd848cdea0a2a5ecaa2179a6bbf3483c5439ec0f092c734726f11fffe61452da9eac0ed976cb5e1fd0aa477376a1 |
memory/660-93-0x0000000000C40000-0x0000000000CA0000-memory.dmp
memory/660-92-0x0000000140000000-0x0000000140150000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 7f52204079035ace182da1103e703647 |
| SHA1 | efdf6dc0eba886ca16276bdac8b8a45ed84d82c9 |
| SHA256 | e522bd45934bed5db6e67de1b114df39f90ad1edf6f182086d3fccfc80155f79 |
| SHA512 | a430f6d9d14a874df56955cb1d7a925a9e5dccc7539f8dbb9cf3ff2a4a847192ed00ae63a99aed0f278074bc69af4dd58e94876b23bacd1aedbbfcaf40156389 |
memory/1464-113-0x0000000140000000-0x0000000140166000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 0417b09bf1709585f0a89b38fa3b499d |
| SHA1 | 29009a639d074b62085f8a99398dc5d5d62e09be |
| SHA256 | d4de745ac82b8e946491cfdda77428a90842ede31df3447fc6919af4eaf95fe1 |
| SHA512 | e4fb4dd6fb36babf3bfce56c961fd748693f088b5377e0638082564ed715022504bca995927654584e52b2c601fffaead90c42367965cce0ca66d80c9583dafd |
memory/676-125-0x0000000140000000-0x0000000140142000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 7ac3245c3047f9c80b68cf1553cc6f26 |
| SHA1 | 33a6e4a1f281d449b098a8946a52481d0d156c0e |
| SHA256 | ed42d7d61dbb6e8a94686a2f499f4964db744e9d5c13f1a2d9d97493ecf01cdc |
| SHA512 | a795fd21139f28739ad41c44f5e3dfd6a71f765ab6a010a318a32f54ababdd9ec4cdb7733f941f7e7d04379f1e36e50703f1703f155bd7c333d0871b7e652d6a |
memory/3808-138-0x0000000000400000-0x000000000052E000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | fc8f9d116cfabaeff6fb50b5d38809d0 |
| SHA1 | f2678e605aadee6bd66b1b71e2e3422f9792f4be |
| SHA256 | cea5f9d5321c554ef9b705c97a40245b33a499d3193b4ec9169088e3544fd62b |
| SHA512 | b47886dc52c227fd7a6f79175e5ef7794a50610452d18ab1884684b7b5974c329349c40d25ed9d6926f1ff8529d0c895d1f07528e3808a49d574aaf35009431f |
C:\Windows\System32\SensorDataService.exe
| MD5 | 969dbc4404cc6a756d60c25ed6337473 |
| SHA1 | c2a96399abdceb75ec660e63d594c7660e88a438 |
| SHA256 | 0c0509892773a44b92b57adab766fac75e716a681afffc4212b2276c122eb71c |
| SHA512 | 290b8befa7158f03c8e6a842174b7af85d4598bc43884f0d32e56b4c26812679b4f40eeb8cb6f0a6deda40dbcb78b4e0ca4c99ccbde3f4a32968a0cad491f4c8 |
C:\Windows\System32\snmptrap.exe
| MD5 | a1b7fbed03f9b7b833e3e054a68fc5dc |
| SHA1 | 7b8cd4d5e6c932dfc842c20d2967306a20c09d4a |
| SHA256 | 12cc1b53be3dfb094b60d1c70b980f07ed741f9b97e5da8905d386fcd5665639 |
| SHA512 | ea209078e918b58ea33f100a2cc699598417d28f0bf10a481a11ce16f10637bfbb73073145cd94face433e0e90d8802b889a83978df2f32e136e4c4337fbdbc1 |
C:\Windows\System32\Spectrum.exe
| MD5 | 1e108027f15fe9be60c1b806632182a5 |
| SHA1 | 417dcb3bab01b97f61cd293f2fb5999ed027eadb |
| SHA256 | c7a44e8a5e8057744e6ba291bbd9139c84cbe6266f710aad42f067c94e749b2a |
| SHA512 | 8be8bc089f647c3b28fdbe9f47ad8f993232a70341aed7f5707942f021fcc0982bd005e4bd72860e0a3a722cfcce0bacc6e5e82b2770d279f39a2392389b4378 |
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | eb3de8ba34fd2aa4a0a6ef51518c31be |
| SHA1 | 271893b35a4330ee7705d5a14ec144b142e06916 |
| SHA256 | 45e5094f9992ae9ea9d6517010e144cd627a78afcdcb2649e8a3e35626859453 |
| SHA512 | ad5e75d3d6bec236bbfecfb2b7e1929bdb7617175f1da70bf1450baecdd9a618e89bfd758cf018c9d96d1ca8b7c89e05889b2e4db102bb0aa7dcaafdd2779c6d |
C:\Windows\System32\TieringEngineService.exe
| MD5 | 199d1b7f27aba051e8901e206f4db9ff |
| SHA1 | 6d43800db7b72a84aae4c5c6a78d1b03816a2922 |
| SHA256 | bd617e73cfff684cf4e889b0391c2776b569bbe04dc61045aa2bc539d84ce930 |
| SHA512 | 76e63b9b3a9301fae852c3a6a8665e867478182fdf3f41be9076c6184b3aa2610579acb48e267aa29649e869f3330970edbc312f66513014643ae85fd26ea032 |
C:\Windows\System32\vds.exe
| MD5 | f384f064e9755fceb8ce30368e038b14 |
| SHA1 | b89d7a81069f72f8fffd5a808c3a075caef511b7 |
| SHA256 | 50f993af80be9a77bd5d8b6c5718fddfdef9f0720c443db956419dfdb6f36a13 |
| SHA512 | 78b987997be666c6afe9812f88146e8ffca2688e74aeaaceaed8cf6d249bc9478d624644db128a42b9a33939af45afdd7ff6e9c4cd541d59805cb442938c92d8 |
C:\Windows\System32\VSSVC.exe
| MD5 | 3956062af6eb3da771452660fd079106 |
| SHA1 | 746a2809f0919b6cf2246075bb4adcdfe8c29883 |
| SHA256 | ae72b3ac1022ceec217cbf508381febbd1ce560e4fdb35b9f1638880d21c73ed |
| SHA512 | 2c91a1ded617e4f59023bb1f7b9fff21bef4bc306dbd019502577efd3ead99de07550445fbfdad9e193e7ab127e226607e51e51dbafb1637fc99371366ebca19 |
memory/3244-234-0x0000000140000000-0x000000014012C000-memory.dmp
memory/1056-238-0x0000000140000000-0x0000000140179000-memory.dmp
memory/2784-241-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3176-250-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/4384-240-0x0000000140000000-0x0000000140147000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 56c4375e34dfd83096b310f01be547bd |
| SHA1 | 8df1119fca0b84f8b8163059e1436d5ce00295c9 |
| SHA256 | 83fc5f9f079fdc07cef1d02336ebeea4d0e6b98a7a3b0f44ce279dc7f0ac1f30 |
| SHA512 | a5acc3792012a92d3b4f28281e47ed63bd59d925ea23b635a104fcb4a073a9a1f74680ca526a957b4970490fd2130b2625c57dd9bb1df7257300c09f26066f85 |
C:\Windows\System32\SearchIndexer.exe
| MD5 | 26f91370e8baee3d0d54c55bbefe6d09 |
| SHA1 | 21fb984a3992644a293d29d1eb9b67e9c685ba70 |
| SHA256 | c0969b9522b22f373bc055e63b7f20ecf62586b63bc97318466878260bed937a |
| SHA512 | 75008cbce6d18ac68d4717ac3ea77182f00ae6b742ea69b3e635d42da10990ef67726a432d0f62c3c74ee905f13549162c07fd2d44acdc966efba1232f47af78 |
memory/452-280-0x0000000140000000-0x000000014015D000-memory.dmp
memory/680-279-0x0000000140000000-0x0000000140179000-memory.dmp
memory/2108-277-0x0000000140000000-0x0000000140216000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 929a930b18dc668f048a6d220edc4155 |
| SHA1 | 50818109bd135efd0eb02bc186d5ffc4278a108d |
| SHA256 | 046b7777a57e99619974be06f78fc1812732712c91a52221f1c43b72091e1d50 |
| SHA512 | a6ec321fb76975aac30cf4bbdc51ddb679ffee60c3f17a3dcdf6ce3b7b694ac7dd8c8f9b0686b242b1903b734e6c4b68f9b4e0bec5015905726008eeb483c232 |
memory/3912-237-0x0000000140000000-0x0000000140199000-memory.dmp
memory/4168-236-0x0000000140000000-0x0000000140169000-memory.dmp
memory/1008-235-0x0000000140000000-0x000000014012D000-memory.dmp
memory/4756-213-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | 92c0ffe0ab3a36256b25acaa2deb1828 |
| SHA1 | a9e30753c908259ecccf9be52637ea9489a38f19 |
| SHA256 | 89f06ac1ace2ee0f2cc701559b94962deea62b3cb7e3932df0fa4f1b6386e278 |
| SHA512 | a167c65c129c77cb24cf7edc6eef32b68d1ce72b7e0a91ecadfcffcf4692479e7d559b6228091e82023ced27a2be87a553b131b8fafd516f101eb2cdaf9edff7 |
memory/1828-124-0x0000000140000000-0x0000000140140000-memory.dmp
memory/3716-317-0x0000000140000000-0x0000000140234000-memory.dmp
memory/2404-395-0x0000000140000000-0x000000014022B000-memory.dmp
memory/4072-434-0x0000000140000000-0x0000000140166000-memory.dmp
memory/660-449-0x0000000140000000-0x0000000140150000-memory.dmp
memory/1464-484-0x0000000140000000-0x0000000140166000-memory.dmp
memory/676-486-0x0000000140000000-0x0000000140142000-memory.dmp
memory/3244-491-0x0000000140000000-0x000000014012C000-memory.dmp
memory/3808-490-0x0000000000400000-0x000000000052E000-memory.dmp
memory/3176-494-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/2784-495-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/2108-496-0x0000000140000000-0x0000000140216000-memory.dmp
memory/680-497-0x0000000140000000-0x0000000140179000-memory.dmp
memory/452-498-0x0000000140000000-0x000000014015D000-memory.dmp
C:\Windows\system32\AppVClient.exe
| MD5 | 65cf0b219b55cd18249c5bfc1c114881 |
| SHA1 | eb7106f3d682085f56b7988895109e0bb3f7fa98 |
| SHA256 | ac8c529bc60435ffd0027e049af287223b6e336a4f13bee28c420a362ef9df04 |
| SHA512 | f0bc1b4c646ad2a0a48a1ea8cebe0f67686332c8df6fae10e7ba2d913c35a11feb215212f999396934584e9bb94c3944c645371e98cbf27c17738dce917750e8 |
C:\Windows\system32\msiexec.exe
| MD5 | 67c8dea64c0fc75409670a5567471762 |
| SHA1 | f616b2f1bf378ceb81f10a1394c457c379635bfc |
| SHA256 | 068c942398004f9cbfec55915f5c0947ab4693b778030924b667a1aafe84a071 |
| SHA512 | 9522c15db413fbe3b409fc2f2ea1f4a383fe868f11e62101464c1544ad9b47d669ce315379881c757c6df4d9e67b41484a0e3562b27b968fdc2c26fc3139208c |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | c3bc78e9ca3d5d3cb461ba58cab903ed |
| SHA1 | 9eed63c580b1fbad8b8f580ea4832113c65544f1 |
| SHA256 | cea80d04bfb39810525ed5e7c4e11f1183d3102ad9cd5356a5365043df807303 |
| SHA512 | bdf8d33ec5701350dbba9d28af22b528188d99b837165e102194b8ed2a168794cf7979a124cc17e227a3b6f0018a80f0c86c72f380a550f12c78416e5c812a25 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
| MD5 | d46eb84aaa90dfde1788939b77ecc9f5 |
| SHA1 | cc79ba7d417dd9f473bf2da32244bbdbebb0803c |
| SHA256 | cdc56bd500cb8144060c01d91b4323a4f47780d064214cd69202980452b916cf |
| SHA512 | 8b116e13e1db8c6a7a0a4a169d5740c5bf9034c66cda33bb8a27b0feddfb572ecbc6a7a9658e678c3acd8907f876a4151a5ec93ba2431d2fa610bb7d50c5c97c |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
| MD5 | ccb70825a783b25a15933b740f1ae700 |
| SHA1 | 287f02487b9e83db148bbe088abcfad8f5158f96 |
| SHA256 | 92f29fb179c9a36d4a524ecf7a559c585a1fc8d4ac6503df6188dfd8f9e44c06 |
| SHA512 | 5c1baa6932d1e6091a90328e812938e19f622ff10d92ddf2b21f5849bf84b2accf3217fcccb695b5053b2cc6fc5ec71fbd3e25783b8b08fcbe77e5b43b416d08 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
| MD5 | 027dd4d13c3ccc41a5a5802fc7c53dd3 |
| SHA1 | 738d078b4a92e0c4f824b8197d0cf2a23b606730 |
| SHA256 | 67bf24fc18cbf34227347aab3374b5f2bc8c00f3cd158358f83c583150ff4816 |
| SHA512 | 030ba85c0786b989c9958b8d1d100a7912511a8066c2e3be2642f60f99c4bd0e9524790accbd7d0a683fc68691dad3f43b453ae713b57a90d3ed2cff35a028ca |
C:\Program Files\dotnet\dotnet.exe
| MD5 | 8fc7bf68b9429ee454bcfb6eb1999e5a |
| SHA1 | 4069a2dbdd07374f0b67146fd9ec3878ad4891f7 |
| SHA256 | 5eced4ebb1d9d5f00e3fef12b66609abc3c955c5d6ecbc6430ae38627b7255c1 |
| SHA512 | 10e0530ba56c9c03556818f565ff6c20775c0a36deb284b165e1de743cbbd6e18830127431aad59b8c1a037271308d65e0df7a655f54d83df80f3ff06c134038 |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | 3d31cd7891e8590275eca37988bbf915 |
| SHA1 | ad63a17966129f1979d4b14a56e8f107c1270895 |
| SHA256 | 706a83d92ed3aad8eb9830ffffa6235b852bb2c3451d0d32407ca8c98654f41c |
| SHA512 | c8bd1cba4ebfc7c7e6066e57fc645ea896dd9595468962c7754e9c459f7e84fce951abacb19677dbce717c1ae373515cd688b888c2abf7b38f8ae1602998cf03 |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | 176b29c6b4ab7ae50468f391ff88a794 |
| SHA1 | 5fd93b7e11b21226f98160e849ec6463fae6b867 |
| SHA256 | 0839b08953faf989361dd243602c326ebcf349839c542e0c2e15406f63448cfb |
| SHA512 | d8b1923baa7d3a6fcaf27bf4753544b75e28790ad6ca1ad0e96900e56560051e19d751e679cdf1b84aa95cab83e4f24e269def580c31546bfb5341cfb37908d8 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | 485fa7013f6ba8adedf76f7685e0cd4e |
| SHA1 | 93712b0a86269fd95f2d1b36e04d71681307ee25 |
| SHA256 | 23b6b6a9dbf40824ca5ec6e3cb62af94125cfd8040d6693cc8e7c1407116d38e |
| SHA512 | 7eecb02233f3f3519c79564de6a7a9085ef74498de2e0ce81048222853005018494650b8b685fbeabca7d1c4b7babb6c4112e6a0c94a418daf15d8f3dda51cd1 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | 6761d3d423336665e000f34206d3ac82 |
| SHA1 | 6c12bf7f546f8807f1d1ce9193586958e5c2f33c |
| SHA256 | 1019609f49f1b62447196171f453b1984f8818a8de5a830d3425b6d81d85a868 |
| SHA512 | be0c5f5f7b02cf6b98770f66d37578b82572b4bea342fe22792d7a8202199d08e8a490ce21c2740d38ecbc4d44fb8a3927fcf0eaffc01a3b06f156024ca523b1 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | d583ad2b4b882ae18e00ed2049f72250 |
| SHA1 | f29ad31a79bcdc1dfc75fb4848f88d22a9507613 |
| SHA256 | bdbb59d8182a2e70061b1a180d2cb6c43c214b8edd688e1ab5832d50cf86d583 |
| SHA512 | 694dd8f7f93910497d558e118d2ad7fd019950845b8f06afc16ee82892120dc8b4398b23e0aee1e3d54e1854e580ca1a23437dfb7717eafc113b436a757ed6ab |
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | d8fc9e2f7ca7d780ea5f9c1e6f56be6b |
| SHA1 | 1d24b593b38c3a88a365018cf8eab50a4f4101de |
| SHA256 | 402bf725e57638de51c6476ba0b7eef76d87edfc56ee37ea65a6551a8674baba |
| SHA512 | d8eb2c89b7515ba077dc9a7b2019f1de9cab7a6f2c6c2d6cfb008fc572d2c7ea64eaec15dd14ec7dc908fbc40eaa2cd6ac882f865f3e3e147b297e11be4a28b1 |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | 08a80f335d26080e00875179bbbeaac0 |
| SHA1 | 8e731026eac97af08082d6424c745816bcbfc5cc |
| SHA256 | cb0f4e95a8913faa4031db14f5883cb17ec408a2436b1ad86c34a1c5c93195ac |
| SHA512 | d5d01de425246d4e64611856c2620d2d33781e33354e420319e54df25bcaa0f0349630b4790dae189df6809a1d331323a66bc5fec8f302a098a1876e8b0250dc |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 5691ec9d0a504abcca7b8333ef9b109b |
| SHA1 | 422bab114ecf2df083fbadc6160b9bd71ba00cd2 |
| SHA256 | 074c163e7084ef23b8d051fcea552e4e444349c614959b2031118c02287dfa5b |
| SHA512 | 7bbe37854efb59ce964e181f8f70b150bd58a15451d8c9b022a843b7e79dcfadeb7376d9a737c30bef2ee4dd2bef693f661a23422202516d9317b1c8843e5ac5 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 969b2878e3164220e40caeb29621184e |
| SHA1 | 5ea292bcf54e07a7d28c1f50784b09d171afe89b |
| SHA256 | defcc20e4af0c2805a42412d42b4921d1b1f6f893f697de2c400536051f80029 |
| SHA512 | 97925b1cb76a27f73f7b58f0fdc2b498c77489351711b5afbc6bf55f235f465216cbea2c1064f415ba2bf07cbbc059014627c6474a4b6ca5abc3ac89a5fca0c0 |
C:\Program Files\7-Zip\7z.exe
| MD5 | a50bea759c9338c0dc315a4189afa9ea |
| SHA1 | bf3135973cd05c30163458b14aa4f8dc494c55c5 |
| SHA256 | d883b92b483a4fd1f390bcde721516f85bc15395a34a012cd5b01c460f2b321f |
| SHA512 | b8d506922094eab5b370a51caff8cb04e98ad8394c27a758a2fb11015c49a5cd53d1b7125eb449200efa6dc5e2c19ec28be037315eec20a90cd0fb1aa8e1be06 |
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 695475c1ea57ef151372c3212c0768a1 |
| SHA1 | ccb7be2c77b103ff6a07e3f93b444631f1b5c8eb |
| SHA256 | a4384723540c33a2bfed13dd24b34818a22877e67c7690066d45fe895bcfbfae |
| SHA512 | 89062cf8d6054ca3af81b7ecd5d5ba4d4c4dccda586ecc27eef76d236559c8718b638ce177b3f1e65acdc3d3b97fec39391c5ebe17613e3b99fde39cf239aad0 |
C:\Windows\system32\SgrmBroker.exe
| MD5 | 01289be552581e7c27bf8316471cbdcf |
| SHA1 | 156271013b3c1625f92711534aa4c5a670c9c47e |
| SHA256 | 697dae159b2b474dd0102d096f57aa5a505d90313b62f76d0b8f746cd24ac7b4 |
| SHA512 | 55cd27d2feeaefe38248c322c549b25806ce605175182cfd39b176aa829ca4702e41ed18084c8b11991536534211b8687f8a9bc0bc09da32b6cbf518d2e8432e |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | 8d4c6dc82c1596039653b99e30893866 |
| SHA1 | 6acc0a8be8826de7328dbc2977f62eaf77d9f4db |
| SHA256 | 7c073bd973bfce520d7c499ed0cb230e1c76b5f9943a369bc69dcc687bc6ab05 |
| SHA512 | e98b4fe717197ba63a0ab664c8e4761591ecd8d82dcfac98b5b4e60d83990c728543fd5d5f5d8e68f0abd7fe93de7751bb2cc07b4a055d9d0df26bb0ff8b693a |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | 6617b672c3174d6cc8a076fdba000817 |
| SHA1 | d48e389df75de791bd8d1d8b1dbcaad80bf6c74f |
| SHA256 | a4c8597c717852cc21d7448eec1406a712884fabaf8265b5b68a781bf6fa865d |
| SHA512 | cd2e0336fab04ea4fd437416b0fb5beb55cc3f25a53355a46e992d02cff6a6d017d475635a9106a0c12d20ade29dece0b3c1992ba66ac54b8d66684c30a2ea9a |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 31b7c7ab4a04ba999efb2ad2b3276ad7 |
| SHA1 | 5fd047641fc49b2edd6531f7569463691c2988c8 |
| SHA256 | 0f559278677c3005827431fded52edff0f19136aa9ce98b81a52c3ffa82b6054 |
| SHA512 | e9b9cf699a01db01645b67d04aecf19d922471780140f5d9ad7b7ca5a2dbd5bea6930c8de7d7b74fec377287066b85befdbb2c4c8b7020b6b2056f364db8430e |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | 7a080e05d4611db8b154c26b74d41eb6 |
| SHA1 | bd06d39eebe686e88c72ff74adbc4e71a6cf5a39 |
| SHA256 | 67fdbb6fe5d6bed23ffe7750d1b4a89e429eb7ac2e4abee783573c48f3213cfd |
| SHA512 | c032135209fafaa39ff6468fc29d7b865fe82a29c8a1d3cb1607064bcae1f060401c8f36b582f0687a45748e91043f5900dde2ccdd5ffd5565d00a2821c0fa9e |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | 751dde81a1ea89be28bb86aa23c5967b |
| SHA1 | 22047c390f1426c3ebc73c7248d98c146610f5b7 |
| SHA256 | b13131a3146bbfe18af85c748d4a75862ed5514ee9577a2e7b758737ad5dd7bb |
| SHA512 | 53767bd848ddc1ec0bd503907aac60f297f7612322cf4b5e0129a5f560cd1cfa8f30698bcf691af4f6959904fba3d053bc69e3918dae5609a34c4cab53bb846d |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | 836658154c84999783ea246f72f88494 |
| SHA1 | 34f25fed70dfe482df59e29f4caae04b75250233 |
| SHA256 | 00aa68dd9b78ebfe758e73f866f191ed4a77278f39445fbec7ff4c77b10636f2 |
| SHA512 | 17e9559a54bcee21a4174a6a795b7b2aa6c5158138a3bedc972c2fdd60e49f071cb739343cad1c90637b919b798ed74e9a6525187be77d5d8828582cb7a49604 |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | 76e2f1f4d1ba62bab22b6b28ab2795e3 |
| SHA1 | 88a194160820195ad91cad0f05b45e56799afae6 |
| SHA256 | 1ee69024b55333d33f0e8f159bf8fb618f9bd109c1476cfe85255da21cacd5f4 |
| SHA512 | 2f334c92aa1e9701f00cf20519d5be027d0a252ffef2614517b03e8ddb08c71200c3f17beb3e0e0903e40e1954f8566905e85bfe1d62f53b471887b3c8be57bb |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | 3820c7a010813cb2719d15ab546ddfaf |
| SHA1 | 145c0697f6868f8b70d674ebbea44ec90afd85f9 |
| SHA256 | 0b50d7a003065fd18e39df1993e9b6c7315334b9498d306cbab2a6ba84a12dd3 |
| SHA512 | 5766b68e70a5038602602d4de9c08df33c9487187a6e7e654684c17fcc3d7e7b392babc2f7fa6baca4ae1109bb94ddb09bef2df43396dafbe46f7b520d9a32cd |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | 71033ae3811377b0c8e8dc4821d4c89f |
| SHA1 | 018fc93347a726d1e917be8cad847a7a30bbe424 |
| SHA256 | 6eb8337a240415baeb0a9452742312241b84ebdc9e42c37786fe406d77501bff |
| SHA512 | 2f4dabe707e8c12bd6dae48b9419f50ac3ac17ef233b49a919c7f921200446d03d4ed8f82cd4f3ab2ee9190690ff8d571ba2a08100cde0b0757a9ecdd4f36465 |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | d649dd310b516d7af55a36b37c7dad98 |
| SHA1 | 6415c3379316bde1d9871c7d5fbde2777615bd01 |
| SHA256 | 27c7eddfd5b0e836dcfc5e7e84feccd4f2935bf3469c883c1f348b3e55866b64 |
| SHA512 | 7e4484d655fa24cd3a5de643e8b164f13e6cfb7d8d52f99788192f44357f868d9417c13988b99ef74e1c78de3e5a15b2cbb9db9d69da324de53613bb0997831c |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | 21ad9bf6f8ef0762b85b1253ba48233a |
| SHA1 | c209d2eb39e558eb16c26d9dffecaf609087cb9f |
| SHA256 | b40013f303da6fbdd331fa0babe64cd6eaf5e75d74f6c97b221af2a5c0a31020 |
| SHA512 | 32925a8aceeffe19071d2d58f2757e799c827546d78971c52c7767999f190c07a446790a2b9b388d1909cd43e6a0d2f0907ada6625dba1e3a7f9a09f93f3720c |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | 19ff47519f38d8ae39393fa62a6dfcc9 |
| SHA1 | f5ca61a4f3836f93250998f90cb5e58525fa08dc |
| SHA256 | 90f757ab0e035352c731a037d163a3e574b9cc754e92e79f003042baf7698418 |
| SHA512 | 601d071515f6dbe8793cd696b4e678f75e6029999d849d81bee8076cd989d569241fdb6d083ec71382a3c6f63b61264cc162f01847a90e9da112c5e9b69e5aef |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | e81b88c7fda19168b76279effc1fc342 |
| SHA1 | d7f540208a19189439b95869c156e47828c4db46 |
| SHA256 | 54309302bc56e79ee7c3be2a796599475de12816882fa229f450ef68139c4736 |
| SHA512 | c1d572aaffdf10457f3a0527ef9d9a015997ef2923ab38956062943ffb95112b843288335f459488b88de79fa5969db8a182ec14dbe1a4979c11dc61cff6fafe |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | dda7aa880a2775d9a203b528b01c63f9 |
| SHA1 | 5da63a3da14a838a66a06e771ea71c56e318f631 |
| SHA256 | e227ca741341028a8c4582d8014ae3559a6c746c5e8ec06ff079c47a25ec7b05 |
| SHA512 | a340c2f383fe631739a9334fa9e8a580927a41634a39eaf5683f990b386e8541f89e1f242dce8b9f94ca181c457150f23b5b8dc37071e3172cb647ce8ebeb173 |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | e67846e342c470753e45df0f45968c90 |
| SHA1 | 1d7449bf6dc17cf31e1f76efef53191dcdd1d27e |
| SHA256 | 7ac4db7d4076aa895094f5dc1fa7484b4dd539829dfe8895f06786e88cd67597 |
| SHA512 | 33201b3f1a67bcb026b5bf99704375ceb0324b2dde6fffed763486a6ec46a394b411bb2ab7d9dcafa4c94073b1ce1bc7fd436b9ea69005fdfe7b729824a575cf |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | a16960de894ca249aa15b659dded684d |
| SHA1 | 75194b2321f006432542386272ce634501906e89 |
| SHA256 | 17467ad47fbe653a0d6a4b2f3a17054d51095ee0861bd16925ec2d7f502547c2 |
| SHA512 | fe320eb46ad0d52c2bf7df2d301f19579326771b09996623e0ed9cf0152103f55d4768977e36bad68583b18f0db072db49f77da287c29d12d6530fce84ad0121 |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | 9ce3cf0c194e5a38bf270be60194f73b |
| SHA1 | 916ab46c2b25e3133c9534fffd3257e1f5b7a117 |
| SHA256 | e50f51315a57374ec5b39f00b16049990312e2c89037e8deee32770b5328ef5d |
| SHA512 | d8caebb95aeb2dc51cd0fd24c72379a50f6843c0b4035ebc8ad147d83b09633b62b24bf86b64efb5ed09d6e8628c76ef4423cc98b385f78bbe88db3089a8d156 |
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
| MD5 | af8ad8da5311bf19340e70f8f89b0f11 |
| SHA1 | 8ce9e6faa6d552de3b025423b0f4daa3f01b365f |
| SHA256 | dccae36029a5ba78a82dd3ba3d3843d55a6ce1f3d5eeae95e78f027c0660f811 |
| SHA512 | f0cdb72a5d8e914891a767cd822fa66e24352d8b8caea70a9ef014c44ec2b7584a55e283ad71289cc7f63f749d6855a683147940a1f67d70e78d3d29cc1a1c4a |