
eMail Hijacked - Sending SPAM and phishing


#16
RuiPedro

    Member

  • Topic Starter
  • 31 posts

Ok!

 

Here is my "Local Process Explorer" :)

 

Attached Files


  • 0



#17
RKinner


    Malware Expert

  • Expert
  • 21,310 posts
  • MVP

OK.  Looks decent tho Interrupts is still a bit high.  If you want to look into it we can try Latency Monitor:

Go to

http://www.resplendence.com/downloads

Scroll down to

System Monitoring Tools

and then find

LatencyMon 6.70 (or it may be a higher number if they update)

Click on Download free home edition

Save it then right click and Run As Admin.  It will install and then start the program.  
It will tell you to click on the Start button but there isn't one.  
Instead click on the green arrowhead (looks like a Play button).   Let it run for at least 20 seconds.  Then hit the red box to stop it.

Edit, Copy Report text to Clipboard then move to a REPLY and Ctrl + v to paste the text into a reply.

 

If you are getting tired of this we can quit now.  Doesn't seem to be any sign of an infection.


  • 0

#18
RuiPedro

    Member

  • Topic Starter
  • 31 posts

It's OK to me, since there's no sign of an infection, we can close "the case", you probably have more important things to do! :)

 

I just wonder how the password was stolen...

 

Anyway here is the report:

_________________________________________________________________________________________________________
CONCLUSION
_________________________________________________________________________________________________________
Your system appears to be suitable for handling real-time audio and other tasks without dropouts.
LatencyMon has been analyzing your system for  0:02:00  (h:mm:ss) on all processors.


_________________________________________________________________________________________________________
SYSTEM INFORMATION
_________________________________________________________________________________________________________
Computer name:                                        RUIPEDRO-PC
OS version:                                           Windows 10 , 10.0, build: 17134 (x64)
Hardware:                                             HP Compaq 6000 Pro SFF PC, Hewlett-Packard, 3048h
CPU:                                                  GenuineIntel Intel® Core™2 Duo CPU E8400 @ 3.00GHz
Logical processors:                                   2
Processor groups:                                     1
RAM:                                                  3991 MB total


_________________________________________________________________________________________________________
CPU SPEED
_________________________________________________________________________________________________________
Reported CPU speed:                                   2992 MHz

Note: reported execution times may be calculated based on a fixed reported CPU speed. Disable variable speed settings like Intel Speed Step and AMD Cool N Quiet in the BIOS setup for more accurate results.


_________________________________________________________________________________________________________
MEASURED INTERRUPT TO USER PROCESS LATENCIES
_________________________________________________________________________________________________________
The interrupt to process latency reflects the measured interval that a usermode process needed to respond to a hardware request from the moment the interrupt service routine started execution. This includes the scheduling and execution of a DPC routine, the signaling of an event and the waking up of a usermode thread from an idle wait state in response to that event.

Highest measured interrupt to process latency (µs):   492,070412
Average measured interrupt to process latency (µs):   5,446128

Highest measured interrupt to DPC latency (µs):       488,306313
Average measured interrupt to DPC latency (µs):       1,682520


_________________________________________________________________________________________________________
 REPORTED ISRs
_________________________________________________________________________________________________________
Interrupt service routines are routines installed by the OS and device drivers that execute in response to a hardware interrupt signal.

Highest ISR routine execution time (µs):              12,218583
Driver with highest ISR routine execution time:       USBPORT.SYS - Controlador de Portas USB 1.1 e 2.0, Microsoft Corporation

Highest reported total ISR routine time (%):          0,010023
Driver with highest ISR total time:                   USBPORT.SYS - Controlador de Portas USB 1.1 e 2.0, Microsoft Corporation

Total time spent in ISRs (%)                          0,010169

ISR count (execution time <250 µs):                   7688
ISR count (execution time 250-500 µs):                0
ISR count (execution time 500-999 µs):                0
ISR count (execution time 1000-1999 µs):              0
ISR count (execution time 2000-3999 µs):              0
ISR count (execution time >=4000 µs):                 0


_________________________________________________________________________________________________________
REPORTED DPCs
_________________________________________________________________________________________________________
DPC routines are part of the interrupt servicing dispatch mechanism and disable the possibility for a process to utilize the CPU while it is interrupted until the DPC has finished execution.

Highest DPC routine execution time (µs):              476,927807
Driver with highest DPC routine execution time:       ndis.sys - NDIS (Network Driver Interface Specification), Microsoft Corporation

Highest reported total DPC routine time (%):          0,040905
Driver with highest DPC total execution time:         USBPORT.SYS - Controlador de Portas USB 1.1 e 2.0, Microsoft Corporation

Total time spent in DPCs (%)                          0,185848

DPC count (execution time <250 µs):                   61258
DPC count (execution time 250-500 µs):                0
DPC count (execution time 500-999 µs):                1
DPC count (execution time 1000-1999 µs):              0
DPC count (execution time 2000-3999 µs):              0
DPC count (execution time >=4000 µs):                 0


_________________________________________________________________________________________________________
 REPORTED HARD PAGEFAULTS
_________________________________________________________________________________________________________
Hard pagefaults are events that get triggered by making use of virtual memory that is not resident in RAM but backed by a memory mapped file on disk. The process of resolving the hard pagefault requires reading in the memory from disk while the process is interrupted and blocked from execution.

NOTE: some processes were hit by hard pagefaults. If these were programs producing audio, they are likely to interrupt the audio stream resulting in dropouts, clicks and pops. Check the Processes tab to see which programs were hit.

Process with highest pagefault count:                 system

Total number of hard pagefaults                       624
Hard pagefault count of hardest hit process:          168
Number of processes hit:                              21


_________________________________________________________________________________________________________
 PER CPU DATA
_________________________________________________________________________________________________________
CPU 0 Interrupt cycle time (s):                       1,404112
CPU 0 ISR highest execution time (µs):                12,218583
CPU 0 ISR total execution time (s):                   0,024548
CPU 0 ISR count:                                      7688
CPU 0 DPC highest execution time (µs):                476,927807
CPU 0 DPC total execution time (s):                   0,435572
CPU 0 DPC count:                                      59316
_________________________________________________________________________________________________________
CPU 1 Interrupt cycle time (s):                       0,201978
CPU 1 ISR highest execution time (µs):                0,0
CPU 1 ISR total execution time (s):                   0,0
CPU 1 ISR count:                                      0
CPU 1 DPC highest execution time (µs):                75,778075
CPU 1 DPC total execution time (s):                   0,013080
CPU 1 DPC count:                                      1943
_________________________________________________________________________________________________________
 


  • 0

#19
RKinner


    Malware Expert

  • Expert
  • 21,310 posts
  • MVP

I'm retired so have lots of time.

 

I'm surprised to see System causing HARD PAGEFAULTS.  If you rerun Process Explorer then click on View, Show Lower Pane (we want it clicked) then on Lower Pane View and click on Handles.  Now click on System and save a log.  That will give us a long list of things that are running under System.

 

There have been some cases of routers being infected.  You might open an elevated Command Prompt.  Then type:

tracert  -d  google.com  >  \junk.txt
notepad  \junk.txt

Copy and paste the result into a Reply.


  • 0

#20
RuiPedro

    Member

  • Topic Starter
  • 31 posts

OK, thanks for your time, For me it's ok also, I'm learning at the same time :)

 

Annnd it happened again... !

 

I got an email from the scammer sent from my email to my email.

 

Also in this email he reveals a weak password that I use in some websites... stating that is the password for the email account... this is false, the password for the email is quite strong..

 

The fact is that I use the password he reveals in some websites...

 

I have attached the email if you would like to see it! (I have masked the password for security reasons...)

 

The rest of the blabla in the email is Bullsh*** I don't visit porn sites (at least in this computer! Ahah) and I don't have any webcam.... etc...

 

 

I will follow your last instructions in your previous reply and post the results.

Attached Files


  • 0

#21
RKinner


    Malware Expert

  • Expert
  • 21,310 posts
  • MVP

Look  in your email Sent folder.  Do you see this email?


  • 0

#22
RKinner


    Malware Expert

  • Expert
  • 21,310 posts
  • MVP

Looking at the details I see it is coming from 94.228.89.104 which is in Slovakia so it's probably not in your Sent folder.  The return address is spoofed.  It's possible that one of the sites you have logged into has been hacked and they are using the info to mess with your mind.


  • 0

#23
RuiPedro

    Member

  • Topic Starter
  • 31 posts

no... I believe this is sent directly through the smtp of our website, since our hosting service confirmed accesses from multiple countries...

and as I told before, it stops for some time, every time I change the password for this account... and then it starts all over again!


  • 0
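Posts #22 and #23 disagree on whether the message was only spoofed or was submitted through the account's own SMTP server; the Received headers of the message usually settle that. The following is an added example, not part of the thread: it assumes Postfix-style Received lines and the RFC 3848 "with" keywords, and the sample headers, host names and `OWN_NETWORKS` are constructed placeholders.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# "with" protocol keywords that mean the client passed SMTP AUTH (RFC 3848).
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)

# Constructed placeholder: the address range of the mail provider's own servers.
OWN_NETWORKS = ["192.0.2.0/24"]

# Constructed sample 1: self-addressed mail delivered from outside, no login.
SPOOFED = """\
Return-Path: <user@example.com>
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by store.example.com with LMTP; Tue, 02 Oct 2018 10:00:03 +0000
Received: from unknown-host.example.net (unknown [203.0.113.45])
    by mx.example.com with ESMTP id ABC123
    for <user@example.com>; Tue, 02 Oct 2018 10:00:02 +0000
From: <user@example.com>
To: <user@example.com>
Subject: constructed sample

body
"""

# Constructed sample 2: same addresses, but the client authenticated (ESMTPSA).
AUTHED = """\
Return-Path: <user@example.com>
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by store.example.com with LMTP; Tue, 02 Oct 2018 11:00:03 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    (Authenticated sender: user@example.com)
    by mx.example.com with ESMTPSA id DEF456;
    Tue, 02 Oct 2018 11:00:02 +0000
From: <user@example.com>
To: <user@example.com>
Subject: constructed sample

body
"""


def entry_hop(raw_message, own_networks):
    """Return the Received hop where the message entered our own mail system."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    msg = email.message_from_string(raw_message)
    # Received headers are prepended, so the list runs newest -> oldest.
    # Only lines written by our own servers are trustworthy; anything below
    # the first externally sourced hop could have been forged by the sender.
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())            # unfold continuation lines
        from_part = line.split(" by ", 1)[0]
        ips = IP_RE.findall(from_part)
        if not ips:
            continue
        try:
            # The last bracketed address is the one the server recorded
            # (the first may be a client-supplied HELO literal).
            ip = ipaddress.ip_address(ips[-1])
        except ValueError:
            continue
        if any(ip in net for net in nets):
            continue                              # internal relay, keep walking
        by = BY_RE.search(line)
        proto = WITH_RE.search(line)
        protocol = proto.group(1).upper() if proto else ""
        return {
            "client_ip": str(ip),
            "accepted_by": by.group(1) if by else "",
            "protocol": protocol,
            "authenticated": protocol in AUTH_PROTOCOLS,
        }
    return None


def classify(raw_message, own_networks):
    """Label a message as authenticated submission, spoofed self-address, or other."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    hop = entry_hop(raw_message, own_networks)
    if hop is None:
        return "no-external-hop", None
    if hop["authenticated"]:
        return "authenticated-submission", hop    # someone logged in: credentials exposed
    if sender and sender == recipient:
        return "spoofed-self-address", hop        # forged From, no login took place
    return "ordinary-inbound", hop


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("AUTHED", AUTHED)):
        print(name, classify(raw, OWN_NETWORKS))
```

Not every mail server records authentication in the "with" clause; where it does not, the hosting provider's SMTP log entry for the message's queue ID is the authoritative record.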

#24
RuiPedro

    Member

  • Topic Starter
  • 31 posts

Looking at the details I see it is coming from 94.228.89.104 which is in Slovakia so it's probably not in your Sent folder.  The return address is spoofed.  It's possible that one of the sites you have logged into has been hacked and they are using the info to mess with your mind.

I see, but I never used the email password in any other site, how can they log in there to send the emails?

This is so strange to me... I really care about security and can't understand what is going on....


  • 0

#25
RuiPedro

    Member

  • Topic Starter
  • 31 posts

Tracing route to google.com [216.58.201.142]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.254
  2     3 ms     1 ms     1 ms  100.64.155.137
  3     1 ms     1 ms     1 ms  195.8.21.86
  4     3 ms     3 ms     3 ms  195.8.21.85
  5     2 ms     1 ms     1 ms  195.8.10.102
  6    10 ms     9 ms     9 ms  216.239.56.185
  7    10 ms    10 ms     9 ms  108.170.253.241
  8    10 ms     9 ms     9 ms  209.85.142.147
  9    10 ms    10 ms     9 ms  216.58.201.142

Trace complete.
 


  • 0



#26
RuiPedro

    Member

  • Topic Starter
  • 31 posts

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    Verified Signer
Registry        1.248 K    14.212 K    88            
System Idle Process    67.77    52 K    8 K    0            
System    0.86    228 K    14.916 K    4            
 Interrupts    1.29    0 K    0 K    n/a    Hardware Interrupts and DPCs        
 smss.exe        496 K    244 K    348    Gestor de Sessões do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
 Memory Compression    < 0.01    1.292 K    192.380 K    2216            
csrss.exe    0.03    1.808 K    2.048 K    492    Processo de Tempo de Execução de Servidor Cliente    Microsoft Corporation    (Verified) Microsoft Windows Publisher
csrss.exe    0.45    2.488 K    2.108 K    572    Processo de Tempo de Execução de Servidor Cliente    Microsoft Corporation    (Verified) Microsoft Windows Publisher
wininit.exe        1.300 K    724 K    584    Aplicação de Arranque do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
 services.exe        5.220 K    5.196 K    712    Aplicação de serviços e controlo    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        992 K    668 K    828    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        14.080 K    18.012 K    892    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
   WmiPrvSE.exe    1.22    14.980 K    25.844 K    6800    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
   ShellExperienceHost.exe    Suspended    44.348 K    36.432 K    8080    Windows Shell Experience Host    Microsoft Corporation    (Verified) Microsoft Windows
   SearchUI.exe    Suspended    107.928 K    65.212 K    7180    Search and Cortana application    Microsoft Corporation    (Verified) Microsoft Windows
   RuntimeBroker.exe        8.760 K    18.456 K    7372    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
   RuntimeBroker.exe        6.136 K    17.760 K    6388    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
   LockApp.exe    Suspended    11.692 K    384 K    8572    LockApp.exe    Microsoft Corporation    (Verified) Microsoft Windows
   RuntimeBroker.exe        6.512 K    3.844 K    8648    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
   SkypeBackgroundHost.exe    Suspended    2.012 K    3.836 K    8720    Microsoft Skype    Microsoft Corporation    (Nenhuma assinatura estava presente no sujeito) Microsoft Corporation
   SkypeApp.exe    Suspended    15.524 K    404 K    8780    SkypeApp    Microsoft Corporation    (Nenhuma assinatura estava presente no sujeito) Microsoft Corporation
   Video.UI.exe    Suspended    20.508 K    476 K    9008            (Nenhuma assinatura estava presente no sujeito)
   RuntimeBroker.exe        8.888 K    23.672 K    9264    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
   RuntimeBroker.exe        2.404 K    13.668 K    9540    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
   RuntimeBroker.exe        1.908 K    6.932 K    9708    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
   hpqbam08.exe        2.020 K    3.284 K    10708    HP CUE Alert Popup Window Objects    Hewlett-Packard Co.    (Nenhuma assinatura estava presente no sujeito) Hewlett-Packard Co.
   hpqgpc01.exe        3.024 K    3.836 K    11060    GPCore COM object    Hewlett-Packard    (Nenhuma assinatura estava presente no sujeito) Hewlett-Packard
   dllhost.exe        2.176 K    5.488 K    10948    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
   ApplicationFrameHost.exe        11.220 K    22.188 K    9080    Application Frame Host    Microsoft Corporation    (Verified) Microsoft Windows
   WmiPrvSE.exe        4.884 K    5.124 K    6220    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
   dllhost.exe        2.312 K    7.024 K    6632    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
   Microsoft.Photos.exe    Suspended    138.104 K    5.216 K    3988            (Nenhuma assinatura estava presente no sujeito)
   RuntimeBroker.exe        10.376 K    20.760 K    5404    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
   MicrosoftEdge.exe    Suspended    22.708 K    52.284 K    6436    Microsoft Edge    Microsoft Corporation    (Verified) Microsoft Corporation
   browser_broker.exe        1.932 K    8.172 K    5124    Browser_Broker    Microsoft Corporation    (Verified) Microsoft Windows
   RuntimeBroker.exe        1.756 K    6.212 K    12132    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
   MicrosoftEdgeCP.exe    Suspended    6.660 K    22.148 K    12000    Microsoft Edge Content Process    Microsoft Corporation    (Verified) Microsoft Corporation
   MicrosoftEdgeCP.exe    Suspended    6.716 K    22.400 K    6756    Microsoft Edge Content Process    Microsoft Corporation    (Verified) Microsoft Corporation
   OpenWith.exe        7.692 K    27.964 K    10684    Selecionar uma aplicação    Microsoft Corporation    (Verified) Microsoft Windows
   smartscreen.exe        11.408 K    21.260 K    6504    Windows Defender SmartScreen    Microsoft Corporation    (Verified) Microsoft Windows
   WmiPrvSE.exe        2.428 K    8.752 K    1104    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe    < 0.01    8.760 K    10.292 K    972    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe    < 0.01    2.760 K    2.428 K    1020    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        12.200 K    7.552 K    1068    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.996 K    2.284 K    1076    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.108 K    444 K    1132    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.056 K    4.092 K    1148    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        30.456 K    8.160 K    1220    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        6.592 K    7.580 K    1228    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
   taskhostw.exe        7.632 K    15.956 K    3892    Processo Anfitrião para Tarefas do Windows    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe        1.848 K    496 K    1284    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.716 K    4.704 K    1300    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.776 K    664 K    1316    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe    0.02    5.768 K    2.784 K    1380    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.948 K    720 K    1392    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe    0.02    2.200 K    1.948 K    1488    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.684 K    4.772 K    1496    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
   sihost.exe        10.552 K    19.076 K    3076    Shell Infrastructure Host    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe        3.920 K    3.088 K    1700    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  launcher_service_ex.exe        4.576 K    2.212 K    1732    Remote Management and Monitoring Component    Comodo Security Solutions, Inc.    (Verified) Comodo Security Solutions
   unit_manager.exe    0.14    3.976 K    6.304 K    6796    Remote Management and Monitoring Component    Comodo Security Solutions, Inc.    (Verified) Comodo Security Solutions
    unit.exe    0.03    8.148 K    13.268 K    7312    Remote Management and Monitoring Component    Comodo Security Solutions, Inc.    (Verified) Comodo Security Solutions
    unit.exe    0.21    12.520 K    14.072 K    6760    Remote Management and Monitoring Component    Comodo Security Solutions, Inc.    (Verified) Comodo Security Solutions
  svchost.exe        2.044 K    3.356 K    1828    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        3.000 K    6.532 K    1868    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.428 K    10.688 K    1964    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        3.868 K    7.972 K    2016    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.364 K    8.208 K    2060    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.012 K    6.596 K    2068    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.516 K    4.812 K    2076    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.256 K    7.636 K    2088    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.372 K    5.304 K    2112    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.836 K    7.104 K    2240    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.880 K    3.392 K    2284    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.936 K    6.732 K    2292    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.196 K    8.184 K    2332    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        3.616 K    11.792 K    2480    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
   audiodg.exe        7.256 K    12.620 K    8376    Windows Audio Device Graph Isolation     Microsoft Corporation    (Verified) Microsoft Windows
  RTKAUDIOSERVICE64.EXE        1.644 K    5.948 K    2656    Realtek Audio Service    Realtek Semiconductor    (Verified) Realtek Semiconductor Corp
  svchost.exe        5.380 K    13.256 K    2664    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe    0.48    11.856 K    20.664 K    2692    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.660 K    5.484 K    2712    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.132 K    6.396 K    2720    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.960 K    9.568 K    2772    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.244 K    10.628 K    2812    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  spoolsv.exe    < 0.01    12.460 K    20.464 K    2964    Spooler SubSystem App    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe        2.112 K    7.408 K    2096    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        6.276 K    14.820 K    3096    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.716 K    5.484 K    3112    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
   dasHost.exe        6.496 K    11.512 K    3204    Device Association Framework Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe        7.720 K    18.668 K    3188    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  armsvc.exe        1.344 K    5.600 K    3260    Adobe Acrobat Update Service    Adobe Systems Incorporated    (Verified) Adobe Systems
  AppleMobileDeviceService.exe    0.08    3.520 K    7.544 K    3268    MobileDeviceService    Apple Inc.    (Verified) Apple Inc.
  remoting_host.exe        4.728 K    9.400 K    3280    Processo do Anfitrião    Google Inc.    (Verified) Google Inc
   remoting_host.exe    2.41    54.584 K    67.568 K    4288    Processo do Anfitrião    Google Inc.    (Verified) Google Inc
  mDNSResponder.exe        1.656 K    5.364 K    3288    Bonjour Service    Apple Inc.    (Verified) Apple Inc.
  svchost.exe        6.644 K    15.012 K    3296    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        3.752 K    10.124 K    3304    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        27.476 K    28.928 K    3312    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        5.008 K    8.376 K    3320    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe    0.01    9.524 K    20.640 K    3332    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe    < 0.01    3.352 K    9.680 K    3396    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  BackupService.exe    0.50    13.624 K    15.936 K    3448    CTERA Agent Service        (Verified) CTERA Networks inc
  svchost.exe        1.308 K    4.616 K    3492    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  mqsvc.exe        4.992 K    10.284 K    3528    Message Queuing Service    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe        3.836 K    7.536 K    3548    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  SMSvcHost.exe        25.188 K    2.280 K    3576    SMSvcHost.exe    Microsoft Corporation    (Verified) Microsoft Corporation
  svchost.exe        1.480 K    5.428 K    3600    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.976 K    5.984 K    3632    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        4.252 K    10.692 K    3660    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  RMMRSP.exe    0.04    2.400 K    6.696 K    3676    RMM Remote Screen Protocol Server    Comodo Security Solutions, Inc.    (Verified) Comodo Security Solutions
  SecurityHealthService.exe        4.288 K    12.868 K    3684    Windows Security Health Service    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.328 K    4.976 K    3716    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  MsMpEng.exe    1.22    162.632 K    102.444 K    3768    Antimalware Service Executable    Microsoft Corporation    (Verified) Microsoft Corporation
  SearchIndexer.exe    < 0.01    53.800 K    48.700 K    3776    Indexador do Microsoft Windows Search    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe        4.452 K    18.212 K    3792    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.616 K    3.040 K    4264    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.340 K    4.832 K    4360    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.700 K    4.700 K    4588    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.776 K    3.636 K    4656    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
   ctfmon.exe        49.868 K    14.448 K    5184    Carregador do CTF    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe    < 0.01    3.548 K    9.816 K    5276    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        4.380 K    10.588 K    5720    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  SMSvcHost.exe        22.592 K    14.168 K    5848    SMSvcHost.exe    Microsoft Corporation    (Verified) Microsoft Corporation
  wmpnetwk.exe        7.284 K    3.240 K    5944    Serviço de Partilha de Rede do Windows Media Player    Microsoft Corporation    (Verified) Microsoft Windows
  svchost.exe        4.416 K    8.220 K    6264    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.948 K    11.168 K    6720    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.892 K    10.100 K    7060    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.456 K    5.744 K    2820    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  NisSrv.exe        7.188 K    9.712 K    7536    Microsoft Network Realtime Inspection Service    Microsoft Corporation    (Verified) Microsoft Corporation
  svchost.exe        3.572 K    10.984 K    7912    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        4.012 K    17.520 K    8656    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        22.660 K    18.784 K    9636    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe    < 0.01    4.188 K    9.428 K    10548    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        5.584 K    16.504 K    10996    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  HPSupportSolutionsFrameworkService.exe        46.984 K    11.016 K    2308    HP Support Solutions Framework Service    HP Inc.    (Verified) HP Inc.
  TouchpointAnalyticsClientService.exe    0.98    45.440 K    19.044 K    5480    HP Touchpoint Analytics Client Service    HP Inc.    (Verified) HP Inc.
  SgrmBroker.exe        3.060 K    3.208 K    11156    Serviço de Mediador de Monitor de Tempo de Execução do System Guard    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        2.196 K    2.588 K    10260    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  hpqwmiex.exe        1.776 K    416 K    9236    HP Software Framework WMI Service    Hewlett-Packard Company    (Verified) Hewlett-Packard Company
  svchost.exe        2.940 K    2.016 K    10892    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  OSPPSVC.EXE        3.524 K    11.612 K    2808    Microsoft Office Software Protection Platform Service    Microsoft Corporation    (Verified) Microsoft Corporation
  svchost.exe        6.116 K    4.496 K    9840    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe    < 0.01    10.040 K    10.904 K    10000    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
  svchost.exe        1.528 K    5.700 K    5472    Processo Anfitrião dos Serviços do Windows    Microsoft Corporation    (Verified) Microsoft Windows Publisher
 lsass.exe    0.02    7.912 K    10.844 K    728    Local Security Authority Process    Microsoft Corporation    (Verified) Microsoft Windows Publisher
 fontdrvhost.exe        5.048 K    976 K    844    Usermode Font Driver Host    Microsoft Corporation    (Verified) Microsoft Windows
winlogon.exe        2.452 K    3.096 K    672    Aplicação de Início de Sessão do Windows    Microsoft Corporation    (Verified) Microsoft Windows
 fontdrvhost.exe        4.844 K    6.600 K    836    Usermode Font Driver Host    Microsoft Corporation    (Verified) Microsoft Windows
 dwm.exe    1.89    102.088 K    56.756 K    380    Gestor de Janelas do Ambiente do Trabalho    Microsoft Corporation    (Verified) Microsoft Windows
explorer.exe    0.14    88.480 K    93.732 K    6132    Explorador do Windows    Microsoft Corporation    (Verified) Microsoft Windows
 MSASCuiL.exe        1.956 K    7.964 K    9868    Windows Defender notification icon    Microsoft Corporation    (Verified) Microsoft Windows
 OneDrive.exe        25.760 K    7.628 K    10116    Microsoft OneDrive    Microsoft Corporation    (Verified) Microsoft Corporation
 hpqtra08.exe    0.03    8.804 K    10.928 K    9816    HP Digital Imaging Monitor    Hewlett-Packard Co.    (Nenhuma assinatura estava presente no sujeito) Hewlett-Packard Co.
  hpqste08.exe        4.632 K    6.408 K    10664    HP CUE Status Root    Hewlett-Packard Co.    (Nenhuma assinatura estava presente no sujeito) Hewlett-Packard Co.
 OUTLOOK.EXE    0.28    243.640 K    176.588 K    2616    Microsoft Outlook    Microsoft Corporation    (Verified) Microsoft Corporation
 stickies.exe    0.18    10.272 K    11.024 K    4344    Stickies 7.1e    Zhorn Software    (Nenhuma assinatura estava presente no sujeito) Zhorn Software
 phccorporate.exe    0.66    114.908 K    41.072 K    5728              (Nenhuma assinatura estava presente no sujeito)  
  splwow64.exe        5.268 K    7.148 K    13084    Print driver host for applications    Microsoft Corporation    (Verified) Microsoft Windows
 firefox.exe    0.82    195.176 K    238.876 K    9396    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
  firefox.exe    0.63    70.068 K    100.700 K    12784    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
  firefox.exe    1.71    185.620 K    259.216 K    13108    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
  firefox.exe        69.584 K    86.116 K    11604    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
  firefox.exe        19.192 K    34.112 K    6048    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
 cmd.exe        3.192 K    3.304 K    6440    Windows Command Processor    Microsoft Corporation    (Verified) Microsoft Windows
  conhost.exe        6.404 K    16.496 K    1568    Anfitrião de Janelas de Consola    Microsoft Corporation    (Verified) Microsoft Windows
 procexp64.exe    14.16    42.600 K    75.872 K    10360    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
hpwuschd2.exe        1.228 K    5.592 K    6068    hpwuSchd Application    Hewlett-Packard    (Verified) Hewlett-Packard Company
CteraAgentWD.exe        964 K    4.104 K    10264            (Verified) CTERA Networks inc
 CTERAAgent.exe    0.35    14.220 K    6.860 K    10444    CTERA Agent        (Verified) CTERA Networks inc
jusched.exe        3.080 K    11.452 K    10372    Java Update Scheduler    Oracle Corporation    (Verified) Oracle America
EXCEL.EXE        25.868 K    30.944 K    6740    Microsoft Excel    Microsoft Corporation    (Verified) Microsoft Corporation
 splwow64.exe        4.508 K    11.196 K    12404    Print driver host for applications    Microsoft Corporation    (Verified) Microsoft Windows
Skype.exe    0.02    47.344 K    43.668 K    7360    Skype    Skype Technologies S.A.    (Verified) Skype Software Sarl
 Skype.exe        8.084 K    1.288 K    864    Skype    Skype Technologies S.A.    (Verified) Skype Software Sarl
 Skype.exe        44.064 K    9.880 K    4724    Skype    Skype Technologies S.A.    (Verified) Skype Software Sarl
 Skype.exe    0.09    240.088 K    101.184 K    7624    Skype    Skype Technologies S.A.    (Verified) Skype Software Sarl
remoting_desktop.exe    1.25    14.012 K    45.688 K    5536    Processo de Integração do Ambiente de Trabalho    Google Inc.    (Verified) Google Inc

Process: System Pid: 4

Key    HKLM\SYSTEM\HardwareConfig
Key    HKLM\SYSTEM\ControlSet001\Control\PnP
Key    HKLM\SYSTEM\Setup
Key    HKLM\SYSTEM\ControlSet001\Hardware Profiles
Key    HKLM\SYSTEM\RNG
Key    HKLM\SYSTEM\ControlSet001\Control\WMI\Security
Key    HKLM\SYSTEM\ControlSet001\Services\bam\UserSettings
Key    HKLM\SYSTEM\HardwareConfig\{27dfa9e3-5907-11df-bbda-6414d59cd485}\ProductIds
Key    HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 2
Key    HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0
Key    HKLM\SYSTEM\ControlSet001\Control\FileSystem
Key    HKLM\SYSTEM\ControlSet001\Services\Dfsc\Parameters
Key    HKLM\SYSTEM\ControlSet001\Control\Lsa
Key    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
Key    HKLM\SYSTEM\ControlSet001\Services\vwififlt\State\Parameters\VWifiSettings
Key    HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1
Key    HKLM\SYSTEM\ControlSet001\Control\FileSystem
Key    HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 3
Key    HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 4
Key    HKLM\SYSTEM\ControlSet001\Control\Power\Profile\Events\{54533251-82be-4824-96c1-47b60b740d00}\{0AABB002-A307-447e-9B81-1D819DF6C6D0}\{CE74AA52-A71A-4036-BEEF-B6C411010E28}
Key    HKLM\SYSTEM\ControlSet001\Control\Power\Profile\Events\{54533251-82be-4824-96c1-47b60b740d00}\{0DA965DC-8FCF-4c0b-8EFE-8DD5E7BC959A}\{7E01ADEF-81E6-4e1b-8075-56F373584694}
Key    HKLM\SYSTEM\ControlSet001\Control\Power\Profile\Events\{54533251-82be-4824-96c1-47b60b740d00}\{8BC6262C-C026-411d-AE3B-7E2F70811A13}\{C072EEBB-1955-4fa9-B4BA-421E96E1D674}
Key    HKLM\SYSTEM\ControlSet001\Control\Power\Profile\Events\{54533251-82be-4824-96c1-47b60b740d00}\{D4140C81-EBBA-4e60-8561-6918290359CD}\{35037BB4-9528-481d-8CB2-8FCC63A9DD81}
Key    HKLM\SYSTEM\ControlSet001\Control\Power\Profile\Events\{54533251-82be-4824-96c1-47b60b740d00}\{EE1E4F72-E368-46b1-B3C6-5048B11C2DBD}\{9C1F0DBA-33E9-43af-9EDA-A607AA5139DA}
Key    HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 5
Key    HKLM\SYSTEM\ControlSet001\Control\FileSystem
Key    HKLM\SYSTEM\ControlSet001\Policies
Key    HKLM\SYSTEM\ControlSet001\Services\NDIS\IfTypes\1
Key    HKLM\SYSTEM\ControlSet001\Services\NDIS\IfTypes\131
Key    HKLM\SYSTEM\ControlSet001\Services\NDIS\IfTypes\23
Key    HKLM\SYSTEM\ControlSet001\Services\NDIS\IfTypes\24
Key    HKLM\SYSTEM\ControlSet001\Services\NDIS\IfTypes\6
Key    HKLM\SYSTEM\ControlSet001\Services\NDIS\IfTypes\71
Key    HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\Order
Key    HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\ProviderOrder
Key    HKLM\SYSTEM\ControlSet001\Services\Mup
Key    HKLM\SYSTEM\ControlSet001\Services\iorate
Key    HKLM\SYSTEM\ControlSet001\Control\Power\EnergyEstimation\Storage\SSD\IdleState
Key    HKLM\SYSTEM\ControlSet001\Control\Power\EnergyEstimation\Storage\HDD\IdleState
Key    HKLM\SYSTEM\ControlSet001\Control
Key    HKLM\SYSTEM\ControlSet001\Control
Key    HKLM\SYSTEM\ControlSet001\Control
Key    HKLM\SYSTEM\ControlSet001\Control\{7746D80F-97E0-4E26-9543-26B41FC22F79}\{A25AE4F2-1B96-4CED-8007-AA30E9B1A218}
Key    HKLM\SYSTEM\ControlSet001\Control\{7746D80F-97E0-4E26-9543-26B41FC22F79}\{D73E01AC-F5A0-4D80-928B-33C1920C38BA}
Key    HKLM\SYSTEM\ControlSet001\Control\{7746D80F-97E0-4E26-9543-26B41FC22F79}\{59AEE675-B203-4D61-9A1F-04518A20F359}
Key    HKLM\SYSTEM\ControlSet001\Control\{7746D80F-97E0-4E26-9543-26B41FC22F79}\{498B1B9F-8618-4E6C-9AD1-6A759BFBFB23}
Key    HKLM\SYSTEM\ControlSet001\Control\{7746D80F-97E0-4E26-9543-26B41FC22F79}\{FB9F5B62-B48B-45F5-8586-E514958C92E2}
Key    HKLM\SYSTEM\ControlSet001\Control\{7746D80F-97E0-4E26-9543-26B41FC22F79}\{221601AB-48C7-4970-B0EC-96E66F578407}
Key    HKLM\SYSTEM\ControlSet001\Services\swenum\Notify
Key    HKLM\SYSTEM\ControlSet001\Control\Lsa
Key    HKLM\SOFTWARE\Policies\Microsoft\Windows
Key    HKLM\SYSTEM\ControlSet001\Control
Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data
Key    HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0030
Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications
Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Key    HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#USB#VID_03F0&PID_2504&MI_01#6&34f56002&4&0001#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#\Device Parameters
Key    HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e96e-e325-11ce-bfc1-08002be10318}\0000
Key    HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e96e-e325-11ce-bfc1-08002be10318}\0000
Key    HKLM\SYSTEM\ControlSet001\Control\Session Manager\Quota System
Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications
Key    HKLM\SYSTEM\ControlSet001\Services\wcifs\Instances\wcifs Instance
Key    HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
Key    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine
Key    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine
Key    HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters\UrlAclInfo
Key    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{587b957f-c966-491e-a8c2-206b4ac665e5}
Key    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{262578e4-4ad1-435c-89da-d6adac7beb7f}
Key    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PersistentRoutes
Key    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ad059eae-b9da-11e7-9bbd-806e6f6e6963}
Key    HKLM\SYSTEM\ControlSet001\Control\ProductOptions
Key    HKLM\SYSTEM\ControlSet001\Services\rspLLL\Instances\rspLLL - Bottom Instance
Key    HKLM\SYSTEM\DriverDatabase\DeviceIds
Key    HKLM\SYSTEM\DriverDatabase\DriverPackages
Key    HKLM\SOFTWARE\Policies\Microsoft
Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
Key    HKLM\SYSTEM\DriverDatabase\DriverInfFiles
Key    HKLM\SYSTEM\ControlSet001\Services\rspLLL\Instances\rspLLL - Middle Instance
Mutant    \KernelObjects\BcdSyncMutant
Partition    \KernelObjects\MemoryPartition0
Process    System(4)
Process    Registry(88)
Process    System(4)
Process    smss.exe(348)
Process    smss.exe(348)
Process    smss.exe(348)
Process    smss.exe(348)
Process    csrss.exe(572)
Process    svchost.exe(1020)
Process    svchost.exe(1020)
Process    csrss.exe(492)
Process    csrss.exe(492)
Process    svchost.exe(10000)
Process    Microsoft.Photos.exe(3988)
Process    Skype.exe(4724)
Process    csrss.exe(572)
Process    wininit.exe(584)
Process    wininit.exe(584)
Process    svchost.exe(892)
Process    winlogon.exe(672)
Process    csrss.exe(492)
Process    svchost.exe(892)
Process    csrss.exe(492)
Process    csrss.exe(492)
Process    wininit.exe(584)
Process    csrss.exe(572)
Process    winlogon.exe(672)
Process    winlogon.exe(672)
Process    lsass.exe(728)
Process    lsass.exe(728)
Process    lsass.exe(728)
Process    services.exe(712)
Process    services.exe(712)
Process    services.exe(712)
Process    MicrosoftEdgeCP.exe(12000)
Process    lsass.exe(728)
Process    services.exe(712)
Process    lsass.exe(728)
Process    lsass.exe(728)
Process    lsass.exe(728)
Process    services.exe(712)
Process    svchost.exe(828)
Process    fontdrvhost.exe(836)
Process    fontdrvhost.exe(844)
Process    fontdrvhost.exe(836)
Process    svchost.exe(828)
Process    svchost.exe(828)
Process    fontdrvhost.exe(836)
Process    fontdrvhost.exe(844)
Process    fontdrvhost.exe(844)
Process    wininit.exe(584)
Process    svchost.exe(892)
Process    svchost.exe(892)
Process    svchost.exe(892)
Process    services.exe(712)
Process    svchost.exe(972)
Process    svchost.exe(892)
Process    svchost.exe(972)
Process    svchost.exe(972)
Process    svchost.exe(972)
Process    svchost.exe(892)
Process    svchost.exe(1020)
Process    svchost.exe(892)
Process    winlogon.exe(672)
Process    dwm.exe(380)
Process    svchost.exe(5472)
Process    dwm.exe(380)
Process    dwm.exe(380)
Process    svchost.exe(892)
Process    svchost.exe(892)
Process    OUTLOOK.EXE(2616)
Process    OUTLOOK.EXE(2616)
Process    svchost.exe(1068)
Process    svchost.exe(1068)
Process    svchost.exe(1068)
Process    svchost.exe(1076)
Process    svchost.exe(1076)
Process    svchost.exe(1076)
Process    svchost.exe(1148)
Process    svchost.exe(1132)
Process    svchost.exe(1132)
Process    svchost.exe(1148)
Process    svchost.exe(1132)
Process    svchost.exe(1148)
Process    svchost.exe(1220)
Process    svchost.exe(1228)
Process    svchost.exe(1228)
Process    svchost.exe(1220)
Process    svchost.exe(1228)
Process    svchost.exe(1220)
Process    svchost.exe(1284)
Process    svchost.exe(1284)
Process    svchost.exe(1284)
Process    svchost.exe(1300)
Process    svchost.exe(1300)
Process    svchost.exe(1300)
Process    svchost.exe(1316)
Process    svchost.exe(1380)
Process    svchost.exe(1316)
Process    svchost.exe(1316)
Process    svchost.exe(1228)
Process    svchost.exe(1392)
Process    svchost.exe(1380)
Process    svchost.exe(1380)
Process    svchost.exe(1392)
Process    svchost.exe(1392)
Process    svchost.exe(1488)
Process    svchost.exe(1488)
Process    svchost.exe(1220)
Process    svchost.exe(1488)
Process    svchost.exe(1496)
Process    remoting_desktop.exe(5536)
Process    svchost.exe(1228)
Process    svchost.exe(1496)
Process    svchost.exe(1496)
Process    svchost.exe(1488)
Process    svchost.exe(1228)
Process    svchost.exe(1488)
Process    phccorporate.exe(5728)
Process    svchost.exe(2076)
Process    svchost.exe(1700)
Process    launcher_service_ex.exe(1732)
Process    svchost.exe(10996)
Process    svchost.exe(10996)
Process    svchost.exe(1228)
Process    hpqtra08.exe(9816)
Process    svchost.exe(1828)
Process    svchost.exe(1700)
Process    svchost.exe(1700)
Process    TouchpointAnalyticsClientService.exe(5480)
Process    launcher_service_ex.exe(1732)
Process    svchost.exe(10996)
Process    launcher_service_ex.exe(1732)
Process    MSASCuiL.exe(9868)
Process    svchost.exe(1828)
Process    svchost.exe(1868)
Process    svchost.exe(1828)
Process    svchost.exe(1868)
Process    svchost.exe(1868)
Process    Video.UI.exe(9008)
Process    hpqgpc01.exe(11060)
Process    svchost.exe(1964)
Process    svchost.exe(1964)
Process    svchost.exe(1964)
Process    svchost.exe(1700)
Process    svchost.exe(2016)
Process    svchost.exe(1700)
Process    svchost.exe(2016)
Process    svchost.exe(2016)
Process    launcher_service_ex.exe(1732)
Process    svchost.exe(1964)
Process    Microsoft.Photos.exe(3988)
Process    launcher_service_ex.exe(1732)
Process    svchost.exe(10892)
Process    svchost.exe(2060)
Process    svchost.exe(2060)
Process    unit.exe(7312)
Process    svchost.exe(2076)
Process    svchost.exe(2068)
Process    svchost.exe(2060)
Process    svchost.exe(2088)
Process    svchost.exe(2068)
Process    svchost.exe(2068)
Process    svchost.exe(2076)
Process    svchost.exe(2112)
Process    svchost.exe(2076)
Process    svchost.exe(2088)
Process    svchost.exe(2088)
Process    unit.exe(7312)
Process    svchost.exe(2112)
Process    svchost.exe(2112)
Process    Memory Compression(2216)
Process    dwm.exe(380)
Process    svchost.exe(2664)
Process    svchost.exe(2060)
Process    svchost.exe(2060)
Process    svchost.exe(2060)
Process    svchost.exe(2068)
Process    svchost.exe(2240)
Process    svchost.exe(2240)
Process    svchost.exe(2240)
Process    svchost.exe(2292)
Process    svchost.exe(2292)
Process    svchost.exe(2284)
Process    svchost.exe(2284)
Process    svchost.exe(2292)
Process    svchost.exe(2332)
Process    svchost.exe(2284)
Process    svchost.exe(2332)
Process    unit.exe(6760)
Process    svchost.exe(2332)
Process    unit_manager.exe(6796)
Process    unit_manager.exe(6796)
Process    svchost.exe(2292)
Process    unit_manager.exe(6796)
Process    smartscreen.exe(6504)
Process    unit.exe(6760)
Process    procexp64.exe(10360)
Process    svchost.exe(2480)
Process    svchost.exe(2480)
Process    svchost.exe(2480)
Process    dllhost.exe(6632)
Process    svchost.exe(2332)
Process    RTKAUDIOSERVICE64.EXE(2656)
Process    svchost.exe(2480)
Process    svchost.exe(2480)
Process    RTKAUDIOSERVICE64.EXE(2656)
Process    RTKAUDIOSERVICE64.EXE(2656)
Process    svchost.exe(2480)
Process    svchost.exe(2664)
Process    svchost.exe(2720)
Process    svchost.exe(2664)
Process    ApplicationFrameHost.exe(9080)
Process    RTKAUDIOSERVICE64.EXE(2656)
Process    svchost.exe(2692)
Process    svchost.exe(2692)
Process    svchost.exe(2692)
Process    unit_manager.exe(6796)
Process    svchost.exe(2712)
Process    svchost.exe(2712)
Process    svchost.exe(2720)
Process    svchost.exe(2712)
Process    svchost.exe(2720)
Process    conhost.exe(1568)
Process    spoolsv.exe(2964)
Process    spoolsv.exe(2964)
Process    svchost.exe(1284)
Process    svchost.exe(2720)
Process    svchost.exe(2812)
Process    svchost.exe(2812)
Process    svchost.exe(2812)
Process    unit.exe(6760)
Process    svchost.exe(2720)
Process    svchost.exe(2720)
Process    svchost.exe(2720)
Process    svchost.exe(2720)
Process    svchost.exe(2772)
Process    svchost.exe(2720)
Process    dasHost.exe(3204)
Process    svchost.exe(7912)
Process    svchost.exe(2772)
Process    svchost.exe(2720)
Process    svchost.exe(7060)
Process    svchost.exe(2772)
Process    svchost.exe(2720)
Process    svchost.exe(2720)
Process    svchost.exe(2720)
Process    svchost.exe(2720)
Process    spoolsv.exe(2964)
Process    spoolsv.exe(2964)
Process    hpqgpc01.exe(11060)
Process    hpqgpc01.exe(11060)
Process    svchost.exe(3332)
Process    svchost.exe(2096)
Process    svchost.exe(2096)
Process    svchost.exe(2096)
Process    svchost.exe(2692)
Process    sihost.exe(3076)
Process    sihost.exe(3076)
Process    sihost.exe(3076)
Process    svchost.exe(3096)
Process    svchost.exe(3096)
Process    svchost.exe(3096)
Process    svchost.exe(3112)
Process    svchost.exe(3112)
Process    svchost.exe(3112)
Process    dasHost.exe(3204)
Process    svchost.exe(3188)
Process    svchost.exe(3188)
Process    mDNSResponder.exe(3288)
Process    svchost.exe(3188)
Process    AppleMobileDeviceService.exe(3268)
Process    armsvc.exe(3260)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    armsvc.exe(3260)
Process    AppleMobileDeviceService.exe(3268)
Process    remoting_host.exe(3280)
Process    svchost.exe(3304)
Process    AppleMobileDeviceService.exe(3268)
Process    remoting_host.exe(3280)
Process    svchost.exe(3296)
Process    remoting_host.exe(3280)
Process    armsvc.exe(3260)
Process    armsvc.exe(3260)
Process    remoting_host.exe(3280)
Process    svchost.exe(3304)
Process    svchost.exe(3332)
Process    svchost.exe(3320)
Process    svchost.exe(3312)
Process    mDNSResponder.exe(3288)
Process    mDNSResponder.exe(3288)
Process    svchost.exe(3296)
Process    svchost.exe(3312)
Process    svchost.exe(3296)
Process    svchost.exe(3312)
Process    svchost.exe(3096)
Process    svchost.exe(3320)
Process    svchost.exe(3304)
Process    svchost.exe(3304)
Process    svchost.exe(3320)
Process    svchost.exe(3332)
Process    svchost.exe(3332)
Process    BackupService.exe(3448)
Process    BackupService.exe(3448)
Process    svchost.exe(3396)
Process    BackupService.exe(3448)
Process    BackupService.exe(3448)
Process    svchost.exe(3396)
Process    svchost.exe(3396)
Process    svchost.exe(3492)
Process    svchost.exe(1068)
Process    svchost.exe(4264)
Process    remoting_host.exe(4288)
Process    mqsvc.exe(3528)
Process    svchost.exe(3492)
Process    svchost.exe(3492)
Process    mqsvc.exe(3528)
Process    svchost.exe(3548)
Process    mqsvc.exe(3528)
Process    sihost.exe(3076)
Process    svchost.exe(3548)
Process    svchost.exe(3548)
Process    SMSvcHost.exe(3576)
Process    SMSvcHost.exe(3576)
Process    svchost.exe(3632)
Process    svchost.exe(3600)
Process    RMMRSP.exe(3676)
Process    svchost.exe(3632)
Process    svchost.exe(3600)
Process    SMSvcHost.exe(3576)
Process    svchost.exe(3600)
Process    svchost.exe(3660)
Process    svchost.exe(3632)
Process    svchost.exe(3660)
Process    SecurityHealthService.exe(3684)
Process    SecurityHealthService.exe(3684)
Process    RMMRSP.exe(3676)
Process    SecurityHealthService.exe(3684)
Process    RMMRSP.exe(3676)
Process    svchost.exe(1068)
Process    RMMRSP.exe(3676)
Process    svchost.exe(3792)
Process    svchost.exe(3716)
Process    dllhost.exe(10948)
Process    svchost.exe(3660)
Process    MsMpEng.exe(3768)
Process    svchost.exe(3716)
Process    MsMpEng.exe(3768)
Process    mDNSResponder.exe(3288)
Process    MsMpEng.exe(3768)
Process    SearchIndexer.exe(3776)
Process    SearchIndexer.exe(3776)
Process    svchost.exe(3716)
Process    SearchIndexer.exe(3776)
Process    taskhostw.exe(3892)
Process    svchost.exe(7060)
Process    svchost.exe(3792)
Process    svchost.exe(3792)
Process    taskhostw.exe(3892)
Process    svchost.exe(4360)
Process    armsvc.exe(3260)
Process    AppleMobileDeviceService.exe(3268)
Process    BackupService.exe(3448)
Process    taskhostw.exe(3892)
Process    svchost.exe(892)
Process    svchost.exe(892)
Process    spoolsv.exe(2964)
Process    MicrosoftEdgeCP.exe(12000)
Process    svchost.exe(3548)
Process    svchost.exe(3396)
Process    RMMRSP.exe(3676)
Process    svchost.exe(3792)
Process    Skype.exe(7624)
Process    svchost.exe(3320)
Process    svchost.exe(3548)
Process    svchost.exe(4264)
Process    svchost.exe(3332)
Process    ctfmon.exe(5184)
Process    ctfmon.exe(5184)
Process    svchost.exe(5276)
Process    remoting_host.exe(3280)
Process    svchost.exe(3312)
Process    unit.exe(7312)
Process    remoting_host.exe(4288)
Process    remoting_host.exe(4288)
Process    svchost.exe(4360)
Process    ctfmon.exe(5184)
Process    svchost.exe(3332)
Process    svchost.exe(4656)
Process    svchost.exe(4360)
Process    svchost.exe(4588)
Process    Video.UI.exe(9008)
Process    remoting_host.exe(4288)
Process    remoting_host.exe(4288)
Process    svchost.exe(3332)
Process    svchost.exe(4656)
Process    mqsvc.exe(3528)
Process    svchost.exe(3716)
Process    svchost.exe(4588)
Process    MsMpEng.exe(3768)
Process    svchost.exe(4264)
Process    svchost.exe(4264)
Process    svchost.exe(4656)
Process    BackupService.exe(3448)
Process    svchost.exe(4588)
Process    svchost.exe(4588)
Process    svchost.exe(4588)
Process    svchost.exe(5276)
Process    svchost.exe(5276)
Process    dwm.exe(380)
Process    svchost.exe(10000)
Process    RuntimeBroker.exe(9264)
Process    remoting_desktop.exe(5536)
Process    Microsoft.Photos.exe(3988)
Process    svchost.exe(2096)
Process    svchost.exe(5720)
Process    spoolsv.exe(2964)
Process    hpqste08.exe(10664)
Process    wmpnetwk.exe(5944)
Process    svchost.exe(5720)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    MsMpEng.exe(3768)
Process    MsMpEng.exe(3768)
Process    MsMpEng.exe(3768)
Process    svchost.exe(5720)
Process    svchost.exe(5720)
Process    svchost.exe(3188)
Process    SMSvcHost.exe(5848)
Process    SMSvcHost.exe(5848)
Process    SMSvcHost.exe(5848)
Process    spoolsv.exe(2964)
Process    jusched.exe(10372)
Process    spoolsv.exe(2964)
Process    spoolsv.exe(2964)
Process    wmpnetwk.exe(5944)
Process    sihost.exe(3076)
Process    svchost.exe(5276)
Process    spoolsv.exe(2964)
Process    wmpnetwk.exe(5944)
Process    jusched.exe(10372)
Process    svchost.exe(5276)
Process    browser_broker.exe(5124)
Process    SgrmBroker.exe(11156)
Process    OSPPSVC.EXE(2808)
Process    explorer.exe(6132)
Process    explorer.exe(6132)
Process    explorer.exe(6132)
Process    services.exe(712)
Process    WmiPrvSE.exe(6800)
Process    svchost.exe(3312)
Process    WmiPrvSE.exe(6800)
Process    svchost.exe(2712)
Process    ApplicationFrameHost.exe(9080)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    phccorporate.exe(5728)
Process    Skype.exe(7624)
Process    remoting_host.exe(4288)
Process    dasHost.exe(3204)
Process    OSPPSVC.EXE(2808)
Process    wmpnetwk.exe(5944)
Process    explorer.exe(6132)
Process    svchost.exe(6264)
Process    svchost.exe(3296)
Process    svchost.exe(892)
Process    svchost.exe(7912)
Process    OUTLOOK.EXE(2616)
Process    svchost.exe(6264)
Process    svchost.exe(6264)
Process    dasHost.exe(3204)
Process    dasHost.exe(3204)
Process    RuntimeBroker.exe(7372)
Process    svchost.exe(6264)
Process    svchost.exe(6264)
Process    SearchUI.exe(7180)
Process    smartscreen.exe(6504)
Process    RuntimeBroker.exe(7372)
Process    RuntimeBroker.exe(5404)
Process    hpqgpc01.exe(11060)
Process    svchost.exe(6720)
Process    SearchUI.exe(7180)
Process    WmiPrvSE.exe(6800)
Process    svchost.exe(6720)
Process    svchost.exe(6720)
Process    svchost.exe(6720)
Process    svchost.exe(7060)
Process    svchost.exe(3188)
Process    RuntimeBroker.exe(6388)
Process    OSPPSVC.EXE(2808)
Process    firefox.exe(11604)
Process    svchost.exe(7060)
Process    hpwuschd2.exe(6068)
Process    SearchUI.exe(7180)
Process    svchost.exe(3792)
Process    svchost.exe(2820)
Process    svchost.exe(2820)
Process    CTERAAgent.exe(10444)
Process    svchost.exe(2820)
Process    svchost.exe(3660)
Process    svchost.exe(3660)
Process    svchost.exe(3660)
Process    svchost.exe(3660)
Process    svchost.exe(3660)
Process    svchost.exe(3660)
Process    RuntimeBroker.exe(6388)
Process    RuntimeBroker.exe(6388)
Process    svchost.exe(3660)
Process    svchost.exe(3660)
Process    ShellExperienceHost.exe(8080)
Process    svchost.exe(7912)
Process    OUTLOOK.EXE(2616)
Process    svchost.exe(3660)
Process    svchost.exe(3660)
Process    unit.exe(7312)
Process    svchost.exe(1220)
Process    svchost.exe(8656)
Process    CteraAgentWD.exe(10264)
Process    unit.exe(7312)
Process    svchost.exe(3188)
Process    svchost.exe(7060)
Process    NisSrv.exe(7536)
Process    NisSrv.exe(7536)
Process    NisSrv.exe(7536)
Process    NisSrv.exe(7536)
Process    unit.exe(6760)
Process    unit.exe(6760)
Process    CteraAgentWD.exe(10264)
Process    firefox.exe(9396)
Process    RuntimeBroker.exe(9540)
Process    OUTLOOK.EXE(2616)
Process    TouchpointAnalyticsClientService.exe(5480)
Process    Skype.exe(864)
Process    NisSrv.exe(7536)
Process    hpqwmiex.exe(9236)
Process    explorer.exe(6132)
Process    jusched.exe(10372)
Process    jusched.exe(10372)
Process    firefox.exe(9396)
Process    explorer.exe(6132)
Process    audiodg.exe(8376)
Process    RuntimeBroker.exe(5404)
Process    ApplicationFrameHost.exe(9080)
Process    svchost.exe(7060)
Process    svchost.exe(10548)
Process    SkypeApp.exe(8780)
Process    MsMpEng.exe(3768)
Process    stickies.exe(4344)
Process    svchost.exe(7912)
Process    SearchUI.exe(7180)
Process    ShellExperienceHost.exe(8080)
Process    ShellExperienceHost.exe(8080)
Process    phccorporate.exe(5728)
Process    Skype.exe(4724)
Process    svchost.exe(7912)
Process    ShellExperienceHost.exe(8080)
Process    SkypeApp.exe(8780)
Process    svchost.exe(9636)
Process    SearchUI.exe(7180)
Process    spoolsv.exe(2964)
Process    RuntimeBroker.exe(7372)
Process    Skype.exe(4724)
Process    SearchUI.exe(7180)
Process    svchost.exe(10996)
Process    stickies.exe(4344)
Process    spoolsv.exe(2964)
Process    Video.UI.exe(9008)
Process    procexp64.exe(10360)
Process    svchost.exe(5472)
Process    svchost.exe(10000)
Process    RuntimeBroker.exe(8648)
Process    CTERAAgent.exe(10444)
Process    SearchUI.exe(7180)
Process    phccorporate.exe(5728)
Process    smartscreen.exe(6504)
Process    RuntimeBroker.exe(8648)
Process    LockApp.exe(8572)
Process    svchost.exe(8656)
Process    LockApp.exe(8572)
Process    svchost.exe(8656)
Process    LockApp.exe(8572)
Process    TouchpointAnalyticsClientService.exe(5480)
Process    OneDrive.exe(10116)
Process    HPSupportSolutionsFrameworkService.exe(2308)
Process    hpqbam08.exe(10708)
Process    jusched.exe(10372)
Process    jusched.exe(10372)
Process    svchost.exe(10548)
Process    RuntimeBroker.exe(6388)
Process    splwow64.exe(12404)
Process    spoolsv.exe(2964)
Process    svchost.exe(10996)
Process    svchost.exe(2480)
Process    OUTLOOK.EXE(2616)
Process    hpqgpc01.exe(11060)
Process    svchost.exe(8656)
Process    unit_manager.exe(6796)
Process    svchost.exe(5472)
Process    Skype.exe(7624)
Process    SkypeBackgroundHost.exe(8720)
Process    SkypeBackgroundHost.exe(8720)
Process    dllhost.exe(10948)
Process    SkypeApp.exe(8780)
Process    svchost.exe(892)
Process    remoting_desktop.exe(5536)
Process    SkypeBackgroundHost.exe(8720)
Process    svchost.exe(10996)
Process    RuntimeBroker.exe(8648)
Process    LockApp.exe(8572)
Process    WmiPrvSE.exe(1104)
Process    MicrosoftEdgeCP.exe(6756)
Process    browser_broker.exe(5124)
Process    Skype.exe(4724)
Process    Video.UI.exe(9008)
Process    WmiPrvSE.exe(6220)
Process    svchost.exe(10260)
Process    Skype.exe(7360)
Process    hpqbam08.exe(10708)
Process    CteraAgentWD.exe(10264)
Process    Video.UI.exe(9008)
Process    RuntimeBroker.exe(9264)
Process    EXCEL.EXE(6740)
Process    hpqste08.exe(10664)
Process    TouchpointAnalyticsClientService.exe(5480)
Process    RuntimeBroker.exe(9540)
Process    SkypeApp.exe(8780)
Process    HPSupportSolutionsFrameworkService.exe(2308)
Process    hpqwmiex.exe(9236)
Process    OpenWith.exe(10684)
Process    Skype.exe(7624)
Process    WmiPrvSE.exe(6220)
Process    TouchpointAnalyticsClientService.exe(5480)
Process    SgrmBroker.exe(11156)
Process    RuntimeBroker.exe(9264)
Process    SgrmBroker.exe(11156)
Process    RuntimeBroker.exe(12132)
Process    Skype.exe(7360)
Process    WmiPrvSE.exe(6220)
Process    RuntimeBroker.exe(9264)
Process    HPSupportSolutionsFrameworkService.exe(2308)
Process    ApplicationFrameHost.exe(9080)
Process    svchost.exe(9636)
Process    svchost.exe(10260)
Process    TouchpointAnalyticsClientService.exe(5480)
Process    Video.UI.exe(9008)
Process    HPSupportSolutionsFrameworkService.exe(2308)
Process    hpqwmiex.exe(9236)
Process    RuntimeBroker.exe(9540)
Process    svchost.exe(9636)
Process    svchost.exe(9636)
Process    svchost.exe(10996)
Process    svchost.exe(10996)
Process    RuntimeBroker.exe(9708)
Process    svchost.exe(9840)
Process    svchost.exe(10260)
Process    RuntimeBroker.exe(9708)
Process    svchost.exe(10996)
Process    MicrosoftEdge.exe(6436)
Process    MSASCuiL.exe(9868)
Process    svchost.exe(3792)
Process    Video.UI.exe(9008)
Process    svchost.exe(9636)
Process    OSPPSVC.EXE(2808)
Process    RuntimeBroker.exe(9708)
Process    MSASCuiL.exe(9868)
Process    svchost.exe(9636)
Process    SecurityHealthService.exe(3684)
Process    firefox.exe(9396)
Process    OneDrive.exe(10116)
Process    Skype.exe(7360)
Process    OneDrive.exe(10116)
Process    firefox.exe(13108)
Process    hpqbam08.exe(10708)
Process    svchost.exe(10548)
Process    CTERAAgent.exe(10444)
Process    svchost.exe(10260)
Process    hpqste08.exe(10664)
Process    splwow64.exe(13084)
Process    jusched.exe(10372)
Process    OneDrive.exe(10116)
Process    hpqste08.exe(10664)
Process    spoolsv.exe(2964)
Process    spoolsv.exe(2964)
Process    spoolsv.exe(2964)
Process    spoolsv.exe(2964)
Process    Microsoft.Photos.exe(3988)
Process    CteraAgentWD.exe(10264)
Process    RuntimeBroker.exe(5404)
Process    OneDrive.exe(10116)
Process    OneDrive.exe(10116)
Process    SearchUI.exe(7180)
Process    dllhost.exe(10948)
Process    SearchUI.exe(7180)
Process    hpqtra08.exe(9816)
Process    EXCEL.EXE(6740)
Process    spoolsv.exe(2964)
Process    spoolsv.exe(2964)
Process    spoolsv.exe(2964)
Process    hpqste08.exe(10664)
Process    CTERAAgent.exe(10444)
Process    hpqtra08.exe(9816)
Process    spoolsv.exe(2964)
Process    svchost.exe(10548)
 


  • 0

#27
RKinner


    Malware Expert

  • Expert
  • 21,310 posts
  • MVP

What I'm seeing in this email:

 

Received: from [94.228.89.104] (port=37540 helo=host-94-228-89-104.e-net.sk)
    by cpanel34.dnscpanel.com with esmtp (Exim 4.91)
    (envelope-from <[email protected]>)
    id 1gHa5X-00DEvr-Ow
    for [email protected]; Tue, 30 Oct 2018 19:54:11 +0000

 

 

indicates that the email is just being received from 94.228.89.104 in the usual way.  There is no login or password.  The tricky part is that it claims to be from you but it's not in your Sent folder so we know it's not.  This part of the email header is easily faked. 

 

The contact website for the Slovakian ISP is:

 

https://e-net.sk/kontakt/

 

If you use Chrome it will automatically translate the page for you.  You might try contacting them and give them a copy of the email.  I would write to them in English rather than Portuguese.  They appear to be a legit operation so probably won't appreciate being used as a source of blackmail emails.  It's possible that the PC on the Slovakian net is owned by a bot-net and the owner doesn't even know the PC is being used this way.

 

You can probably also reach them with an email to [email protected]

 

Since your email address is [email protected] - is your email address used by a webpage that you host?  Could the webpage have been hacked?  Is it hosted on a web server somewhere rather than on your own PC?

 

I'll need to take some time with the results of the process explorer log.  Probably won't get back to you until tomorrow.  The odd thing I notice is your System process shows:
 

System    0.86    228 K    14.916 K    4          

 

 

whereas mine says:

 

System    0.36    188 K    2,248 K    4  

        
Note your Working Set value is about 7 times mine.  I suppose it depends on how many processes are running.  If you right click on System in Process Explorer (hit Space bar to stop it changing) and select Properties then Disk and Network it will show you how many bytes it reads and writes.  Mine has 66 reads for a total of 22.7 M and 243 writes for a total of 2.5 M.  There is no network traffic.  What does yours say?


  • 0
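The header reading in post #27, as an added example (not code from the thread or from either poster): it parses an Exim-style `Received:` line and reports whether the hop was an authenticated submission, using the RFC 3848 protocol keywords (`esmtpa`/`esmtpsa` mean SMTP AUTH was used, plain `esmtp` means it was not). The addresses are redacted on the page, so `user@example.com` is a constructed placeholder, the second header is constructed for contrast, and the function names are hypothetical.

```python
import re

# Header quoted in the post; the redacted addresses are replaced by a
# constructed placeholder (user@example.com).
SAMPLE_RECEIVED = """Received: from [94.228.89.104] (port=37540 helo=host-94-228-89-104.e-net.sk)
    by cpanel34.dnscpanel.com with esmtp (Exim 4.91)
    (envelope-from <user@example.com>)
    id 1gHa5X-00DEvr-Ow
    for user@example.com; Tue, 30 Oct 2018 19:54:11 +0000"""

# Constructed counter-example: what the same server would record if the
# mailbox owner had logged in and sent the message over TLS.
SAMPLE_AUTHENTICATED = """Received: from [192.0.2.10] (port=50122 helo=[192.168.1.20])
    by cpanel34.dnscpanel.com with esmtpsa (Exim 4.91)
    (envelope-from <user@example.com>)
    id 1gHb00-000000-00
    for someone@example.net; Tue, 30 Oct 2018 20:10:00 +0000"""

# RFC 3848 "with" keywords that record a successful SMTP AUTH on this hop.
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa", "lmtpa", "lmtpsa"}


def _first(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    match = re.search(pattern, text, re.IGNORECASE)
    return match.group(1) if match else None


def parse_received(header):
    """Extract the fields of one Received: header that matter for triage."""
    # Unfold continuation lines (RFC 5322 folding) into a single line.
    line = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    protocol = _first(r"\bwith\s+([A-Za-z0-9]+)", line)
    hop = {
        "source_ip": _first(r"\bfrom\s+[^\[;]*\[([0-9A-Fa-f:.]+)\]", line),
        "helo": _first(r"helo=([^\s)]+)", line),
        "received_by": _first(r"\bby\s+(\S+)", line),
        "protocol": protocol.lower() if protocol else None,
        "envelope_from": _first(r"envelope-from\s+<([^>]*)>", line),
        "for": _first(r"\bfor\s+<?([^\s;<>]+)>?\s*;", line),
    }
    hop["authenticated"] = hop["protocol"] in AUTH_PROTOCOLS
    # Heuristic: a HELO name that embeds the sender's own IP (dashed) is
    # typical of an ISP subscriber line, not of a dedicated mail server.
    ip, helo = hop["source_ip"], hop["helo"]
    hop["helo_embeds_ip"] = bool(ip and helo and ip.replace(".", "-") in helo)
    return hop


def assess(header):
    """Classify the hop: did the sender log in, or just deliver from outside?"""
    hop = parse_received(header)
    sender, rcpt = hop["envelope_from"], hop["for"]
    self_addressed = bool(sender and rcpt and sender.lower() == rcpt.lower())
    if hop["authenticated"]:
        verdict = "authenticated-submission"
    elif self_addressed:
        # Claims to come from the recipient's own address, yet no AUTH on
        # the hop: the sender address was simply typed in by the remote host.
        verdict = "unauthenticated-self-addressed"
    else:
        verdict = "unauthenticated-inbound"
    return hop, verdict


if __name__ == "__main__":
    for name, raw in (("post #27", SAMPLE_RECEIVED),
                      ("constructed", SAMPLE_AUTHENTICATED)):
        hop, verdict = assess(raw)
        print(f"{name}: {verdict}")
        for key, value in hop.items():
            print(f"    {key:15} {value}")
```

A verdict of `unauthenticated-self-addressed` matches the reading in the post: the message was handed to the server from outside without credentials, so the account password was not needed to produce it.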

#28
RKinner


    Malware Expert

  • Expert
  • 21,310 posts
  • MVP

I'm not seeing anything unusual in your System process. 


  • 0

#29
RuiPedro


    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts

Hello! Sorry for the delay in my reply.

 

I see your point in the email and I followed your suggestion and sent a complaint to the abuse email :)

 

And we are getting to the same opinion: since my PC is clean, there must be a security fault in the server... The webpage is hosting a PrestaShop that is not the latest version, maybe they exploited something there...

 

Yes, that's a web page we host, and it's hosted on a web server at Claranet. I think that from now on I will continue to speak with Claranet to see if there's any problem there...


  • 0

#30
RKinner


    Malware Expert

  • Expert
  • 21,310 posts
  • MVP

I found this article on a blackmail scheme:

 

https://myonlinesecu...-watching-porn/

 

Sounds like it might apply to you.


  • 0





