blackguard | 3b5e74774cd364e1843eb858181f1d3b657c562f3a8081b972997f33e36a869d

Analysis

max time kernel
231s
max time network
240s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SimHubSetup_9.2.12.exe
Size

182.1MB
MD5

86c3226649a51d84f04677b2b989a12d
SHA1

4d792241b15bbac7471a866a5259122f519a29f1
SHA256

ed7488ee51854444834ce8294bc592ca9befe8c4c913fc8a1ebf84b32dd99c41
SHA512

d3988010d869c161764c060c2c226140ee09f93446cc93ff06731d1d044c6cd64c29195f24d8e6caa831175448b31df269704a81bedc47e34beb64b78ad4c87d
SSDEEP

3145728:9+ldCIFc7coM5LwUvdnyY2vkatUIDPCNyyETPNlzs38Y6pLw9v3wHfwALVcJTTTS:9+ldCIFicoqcUvdnCUIGNmTsMY6K9v3q

Score

10^/10

blackguard ploutus atm backdoor discovery evasion persistence stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Detected Ploutus loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0003000000021d57-5580.dat	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
2624	netsh.exe
1964	netsh.exe
1668	netsh.exe
3008	netsh.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

Executes dropped EXE 30 IoCs

Processes:

SimHubSetup_9.2.12.tmpMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.140.exesetup.exeMicrosoftEdgeUpdate.exevcredist_x86_2012.exevcredist_x86_2012.exevcredist_x64_2012.exevcredist_x64_2012.exevcredist_x86_2013.exevcredist_x86_2013.exevcredist_x64_2013.exevcredist_x64_2013.exevcredist_x86_2019.exevcredist_x86_2019.exeVC_redist.x86.exeSimHub.PackageManager.Standalone.exeSimHubWpf.exeSimHub.PackageManager.Standalone.exeSimHub.PackageManager.Standalone.exe

pid	Process
1032	SimHubSetup_9.2.12.tmp
1544	MicrosoftEdgeWebview2Setup.exe
1540	MicrosoftEdgeUpdate.exe
1764	MicrosoftEdgeUpdate.exe
1984	MicrosoftEdgeUpdate.exe
2152	MicrosoftEdgeUpdateComRegisterShell64.exe
2792	MicrosoftEdgeUpdateComRegisterShell64.exe
1052	MicrosoftEdgeUpdateComRegisterShell64.exe
2264	MicrosoftEdgeUpdate.exe
1256	MicrosoftEdgeUpdate.exe
2928	MicrosoftEdgeUpdate.exe
2796	MicrosoftEdgeUpdate.exe
1588	MicrosoftEdge_X64_109.0.1518.140.exe
2836	setup.exe
1272	MicrosoftEdgeUpdate.exe
840	vcredist_x86_2012.exe
1876	vcredist_x86_2012.exe
908	vcredist_x64_2012.exe
816	vcredist_x64_2012.exe
1004	vcredist_x86_2013.exe
1592	vcredist_x86_2013.exe
668	vcredist_x64_2013.exe
2124	vcredist_x64_2013.exe
2976	vcredist_x86_2019.exe
1876	vcredist_x86_2019.exe
1640	VC_redist.x86.exe
304	SimHub.PackageManager.Standalone.exe
816	SimHubWpf.exe
1696	SimHub.PackageManager.Standalone.exe
2168	SimHub.PackageManager.Standalone.exe

Loads dropped DLL 64 IoCs

Processes:

SimHubSetup_9.2.12.exeSimHubSetup_9.2.12.tmpMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.140.exesetup.exevcredist_x86_2012.exevcredist_x86_2012.exevcredist_x64_2012.exevcredist_x64_2012.exevcredist_x86_2013.exevcredist_x86_2013.exevcredist_x64_2013.exevcredist_x64_2013.exevcredist_x86_2019.exevcredist_x86_2019.exeVC_redist.x86.exeSimHub.PackageManager.Standalone.exemscorsvw.exe

pid	Process
1976	SimHubSetup_9.2.12.exe
1032	SimHubSetup_9.2.12.tmp
1032	SimHubSetup_9.2.12.tmp
1032	SimHubSetup_9.2.12.tmp
1032	SimHubSetup_9.2.12.tmp
1032	SimHubSetup_9.2.12.tmp
1544	MicrosoftEdgeWebview2Setup.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1984	MicrosoftEdgeUpdate.exe
1984	MicrosoftEdgeUpdate.exe
2152	MicrosoftEdgeUpdateComRegisterShell64.exe
1984	MicrosoftEdgeUpdate.exe
1984	MicrosoftEdgeUpdate.exe
2792	MicrosoftEdgeUpdateComRegisterShell64.exe
1984	MicrosoftEdgeUpdate.exe
1984	MicrosoftEdgeUpdate.exe
1052	MicrosoftEdgeUpdateComRegisterShell64.exe
1984	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
2928	MicrosoftEdgeUpdate.exe
1256	MicrosoftEdgeUpdate.exe
2928	MicrosoftEdgeUpdate.exe
2928	MicrosoftEdgeUpdate.exe
1588	MicrosoftEdge_X64_109.0.1518.140.exe
2836	setup.exe
2928	MicrosoftEdgeUpdate.exe
1032	SimHubSetup_9.2.12.tmp
840	vcredist_x86_2012.exe
1876	vcredist_x86_2012.exe
1032	SimHubSetup_9.2.12.tmp
908	vcredist_x64_2012.exe
816	vcredist_x64_2012.exe
1032	SimHubSetup_9.2.12.tmp
1004	vcredist_x86_2013.exe
1592	vcredist_x86_2013.exe
1032	SimHubSetup_9.2.12.tmp
668	vcredist_x64_2013.exe
2124	vcredist_x64_2013.exe
1032	SimHubSetup_9.2.12.tmp
2976	vcredist_x86_2019.exe
1876	vcredist_x86_2019.exe
1876	vcredist_x86_2019.exe
2100	VC_redist.x86.exe
1032	SimHubSetup_9.2.12.tmp
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
304	SimHub.PackageManager.Standalone.exe
2216	mscorsvw.exe

Registers COM server for autorun 1 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vcredist_x86_2012.exevcredist_x64_2012.exevcredist_x86_2013.exevcredist_x64_2013.exeVC_redist.x86.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240427195501.log\" /quiet /norestart ignored \"/c:msiexec /qb /i vcredist.msi\" /burn.runonce"	vcredist_x86_2012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20240427195514.log\" /quiet /norestart ignored \"/c:msiexec /qb /i vcredist.msi\" /burn.runonce"	vcredist_x64_2012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{f65db027-aff3-4070-886a-0d87064aabb1} = "\"C:\\ProgramData\\Package Cache\\{f65db027-aff3-4070-886a-0d87064aabb1}\\vcredist_x86.exe\" /burn.runonce"	vcredist_x86_2013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{050d4fc8-5d48-4b8f-8972-47c82c46020f} = "\"C:\\ProgramData\\Package Cache\\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\\vcredist_x64.exe\" /burn.runonce"	vcredist_x64_2013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4f84f2dc-3f70-433a-8f50-8293e0089b0f} = "\"C:\\ProgramData\\Package Cache\\{4f84f2dc-3f70-433a-8f50-8293e0089b0f}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow	pid	Process
64	1872	msiexec.exe
66	1872	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 57 IoCs

Processes:

msiexec.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

SimHubSetup_9.2.12.tmpsetup.exeMicrosoftEdgeWebview2Setup.exe

description	ioc	Process
File created	C:\Program Files (x86)\SimHub\is-N5URC.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\is-8RVTU.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\is-5L5RA.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DevicesDefaults\is-KJ1DV.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\ImageLibrary\Leds\Set2\is-A1RD2.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\AssettoCorsaCompetizione\is-SMPPF.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\TimerThree\config\is-FCUA7.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\SimHub\Microsoft.CodeAnalysis.Razor.dll	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\GLCDTemplate\is-RCTUG.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\ControlCenter\is-APM4R.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2836_473694743\109.0.1518.140\Locales\fa.pak	setup.exe
File created	C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\AssettoCorsaCompetizione\is-GNMKA.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\Web\Scripts\is-PE1Q8.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\is-8VFLA.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2836_473694743\109.0.1518.140\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\ro.pak	setup.exe
File created	C:\Program Files (x86)\SimHub\DevicesDefaults\is-TLSVR.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\_Library\Leds\LEDS MODEL\is-P9Q8H.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\Automobilista2\is-I1U8Q.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\he.pak	setup.exe
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\docs\html\is-JISMD.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\sunfounder_rgbMatrix\is-I0QJF.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\SimHub Leaderboard\is-25RB5.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\Automobilista2\is-TDD1F.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Adafruit_NeoPixel\is-CT964.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\vk_swiftshader.dll	setup.exe
File created	C:\Program Files (x86)\SimHub\DashTemplates\SimHub - Hud 1\is-7731D.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\is-NQFA5.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2836_473694743\109.0.1518.140\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\PdfPreview\PdfPreviewHandler.dll	setup.exe
File created	C:\Program Files (x86)\SimHub\ImageLibrary\Buttons\Button1\is-TMTJO.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\ImageLibrary\Leds\Set3\is-SN7QF.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\DisplayClientV2\is-JTMUE.tmp	SimHubSetup_9.2.12.tmp
File opened for modification	C:\Program Files (x86)\SimHub\CefSharp.Core.Runtime.dll	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\MYTEC\is-0JBTT.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\System Info\is-CGCUT.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\PSPAnimations\is-1MAED.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\_Library\Leds\is-KNQ4B.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\Web\is-7IBVD.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\GamePlugins\OMSI2\is-SETC4.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Robot_Control\src\is-L7CAC.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_ms.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\SimHub\PluginsData\AssettoCorsa\is-6L4BG.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\Logos\is-KVI34.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\MYTEC C127 - System Info\is-E1VB7.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\GamePlugins\CodemastersDirt3\is-N8VNC.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\FastLED\platforms\arm\mxrt1062\is-HUUFD.tmp	SimHubSetup_9.2.12.tmp
File opened for modification	C:\Program Files (x86)\SimHub\CefSharp.OffScreen.dll	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\Automobilista2\is-0G9T9.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\Adafruit_GFX\is-7BJH3.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2836_473694743\109.0.1518.140\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\SimHub\Help\is-IL3T9.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\TM1638\is-0156G.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\is-AHAJR.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\_Library\Gauges\is-6FSI5.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\DashTemplates\_Library\Gauges\is-V11ID.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\docs\html\is-NBCQD.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Adafruit_GFX\ACHubCustomFonts\is-4QTB8.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\GamePlugins\expansim\Plugins\is-G3LE7.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\Adafruit_GFX\Fonts\is-JTCI4.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\Adafruit_GFX\Fonts\is-NE3EJ.tmp	SimHubSetup_9.2.12.tmp
File created	C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Robot_Motor\src\is-HU48J.tmp	SimHubSetup_9.2.12.tmp

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeDrvInst.exemscorsvw.exemscorsvw.exeDrvInst.exeDrvInst.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exevcredist_x64_2012.exemscorsvw.exevcredist_x86_2012.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeDrvInst.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\998-0\System.Security.Cryptography.Algorithms.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4e8-0\Jint.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Thre95f54cb4#\81549d9dfbb8d65f30526d15fce12c20\System.Threading.Tasks.Extensions.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a48-0\PCarsSharedMemory.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\270-0\SimHub.BitmapDisplay.MMF.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\908-0\System.Xml.XPath.XDocument.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Wpf.MatrixExtensions\5d54a7c3025bd784eaa7b76e9e2ab12b\Wpf.MatrixExtensions.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\150-0\MahApps.Metro.SimpleChildWindow.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b1c-0\OxyPlot.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ba8-0\System.Reflection.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\790-0\System.Threading.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\738-0\SimHub.BitmapDisplay.Turn.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\62c-0\WindowsInput.dll	mscorsvw.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtdf6812ee#\e522a51e14a37a2acf6543a5f0d4c709\System.Runtime.Serialization.Primitives.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b8c-0\Wpf.MatrixExtensions.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\6f4-0\NCalc.dll	mscorsvw.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SharpDX.DirectInput\0676c5b4609c6c3e071634dac6fb52b8\SharpDX.DirectInput.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\47c-0\System.Buffers.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a78-0\NoLimits2Reader.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SimHub.Plugins\db2533dde411ce5808b5274e9965cd17\SimHub.Plugins.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\IntelHexFormatReader\5dec7ff5150ea16295b0942ad64c0c5f\IntelHexFormatReader.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SimHub.LibUsbNative\94a9b33b49dca5c01350d3738747e6c9\SimHub.LibUsbNative.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\MahApps.Met20c382b6#\58618347c19ce03912d8fec591853539\MahApps.Metro.IconPacks.Material.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\RREReader\75fd5888ad2fcf3679b4b97852cf0078\RREReader.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\WindowsUpdate.log	vcredist_x64_2012.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Wpf.Control65587b73#\9bf6d9207df06158d603e1ac6f10e500\Wpf.Controls.PanAndZoom.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\WindowsUpdate.log	vcredist_x86_2012.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SimHubWPF\9345978da43e642286751317dd44058a\SimHubWPF.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b70-0\log4net.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ToastNotifications\57b0cf747ee8da9d88194987439071fe\ToastNotifications.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a20-0\ETS2Reader.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\WoteverLocalization\d56204e7eacb4e066b0aec6dc3496523\WoteverLocalization.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SharpDX\e934c53df2234b615a789cc5330005c6\SharpDX.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\5cc-0\System.Globalization.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8c8-0\SimHub.Bluetooth.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a4-0\ArduinoUploader.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SimHub.Bitm13044668#\4f65fbb4d086c5cb9dceed5219cb738d\SimHub.BitmapDisplay.USBD480.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\60c-0\CefSharp.OffScreen.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b60-0\System.Reflection.Extensions.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\68c-0\RJCP.SerialPortStream.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a4-0\GTReader.dll	mscorsvw.exe
File created	C:\Windows\Installer\f7876d8.msi	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\CefSharp.Core\35109b527825e8f6645ebc7c4957107d\CefSharp.Core.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\MahApps.Metro\b8ead98dfff50fed6213d93e59d5bc94\MahApps.Metro.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ACToolsUtilities\110292d83a0e3d168084677224f9874b\ACToolsUtilities.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SimHub.Fana979621bc#\bdd21cdb8be0a684435047b83a5ccf9d\SimHub.FanatecManaged.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ETS2Reader\2a3a80410811ee8bd0d19b32d4cd20e4\ETS2Reader.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\NoLimits2Reader\779d8a6096927bec0c9667b68a096689\NoLimits2Reader.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\Installer\f7876d7.msi	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\2a8-0\RfactorReader.dll	mscorsvw.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SimHub.ScreenCapture\5197470b2de6dcdd06c710642b6c24c3\SimHub.ScreenCapture.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Diagaa8d7fa5#\0b63c89cd96eca9c9961d34e37d8995d\System.Diagnostics.Debug.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\140-0\Melanchall.DryWetMidi.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\820-0\CefSharp.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b54-0\SharpDX.DXGI.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\be0-0\Xceed.Wpf.Toolkit.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9b4-0\CodemastersReader.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ValueTuple\92505bfd4a0de2bad5b5b02c17e3e98a\System.ValueTuple.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\log4net\9ce1512eca5b34ae7c2469e37034880b\log4net.ni.dll.aux.tmp	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

MicrosoftEdgeUpdate.exeDrvInst.exeDrvInst.exeMicrosoftEdgeUpdate.exeDrvInst.exeMicrosoftEdgeUpdate.exeDrvInst.exeDrvInst.exemsiexec.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-ed-4a-a4-ab-80\WpadDetectedUrl	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE9EA124-CAC4-41AD-8C3F-714C41E22440}\WpadDecisionTime = d0eedea6dc98da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-ed-4a-a4-ab-80\WpadDecisionTime = d0aa42b4dc98da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE9EA124-CAC4-41AD-8C3F-714C41E22440}\WpadDecisionTime = d0aa42b4dc98da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exemsiexec.exeVC_redist.x86.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\ = "PSFactoryBuffer"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4D0B5ED88D6A27F48BFE8277A6E25E5D\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7938D0804F063B44BB59BF9B05BCB0E4\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.34.31938"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\CLSID\ = "{08D832B9-D2FD-481F-98CF-904D00DF63CC}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass\CLSID\ = "{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass.1	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ = "IPolicyStatus2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

SimHubSetup_9.2.12.tmpMicrosoftEdgeUpdate.exemsiexec.exe

pid	Process
1032	SimHubSetup_9.2.12.tmp
1032	SimHubSetup_9.2.12.tmp
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1540	MicrosoftEdgeUpdate.exe
1872	msiexec.exe
1872	msiexec.exe
1872	msiexec.exe
1872	msiexec.exe
1872	msiexec.exe
1872	msiexec.exe
1872	msiexec.exe
1872	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdgeUpdate.exevssvc.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeVC_redist.x86.exemsiexec.exe

description	pid	Process
Token: SeDebugPrivilege	1540	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1540	MicrosoftEdgeUpdate.exe
Token: SeBackupPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2816	vssvc.exe
Token: SeAuditPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2160	DrvInst.exe
Token: SeRestorePrivilege	2160	DrvInst.exe
Token: SeRestorePrivilege	2160	DrvInst.exe
Token: SeRestorePrivilege	2160	DrvInst.exe
Token: SeRestorePrivilege	2160	DrvInst.exe
Token: SeRestorePrivilege	2160	DrvInst.exe
Token: SeRestorePrivilege	2160	DrvInst.exe
Token: SeLoadDriverPrivilege	2160	DrvInst.exe
Token: SeLoadDriverPrivilege	2160	DrvInst.exe
Token: SeLoadDriverPrivilege	2160	DrvInst.exe
Token: SeRestorePrivilege	856	DrvInst.exe
Token: SeRestorePrivilege	856	DrvInst.exe
Token: SeRestorePrivilege	856	DrvInst.exe
Token: SeRestorePrivilege	856	DrvInst.exe
Token: SeRestorePrivilege	856	DrvInst.exe
Token: SeRestorePrivilege	856	DrvInst.exe
Token: SeRestorePrivilege	856	DrvInst.exe
Token: SeLoadDriverPrivilege	856	DrvInst.exe
Token: SeLoadDriverPrivilege	856	DrvInst.exe
Token: SeLoadDriverPrivilege	856	DrvInst.exe
Token: SeRestorePrivilege	2620	DrvInst.exe
Token: SeRestorePrivilege	2620	DrvInst.exe
Token: SeRestorePrivilege	2620	DrvInst.exe
Token: SeRestorePrivilege	2620	DrvInst.exe
Token: SeRestorePrivilege	2620	DrvInst.exe
Token: SeRestorePrivilege	2620	DrvInst.exe
Token: SeRestorePrivilege	2620	DrvInst.exe
Token: SeLoadDriverPrivilege	2620	DrvInst.exe
Token: SeLoadDriverPrivilege	2620	DrvInst.exe
Token: SeLoadDriverPrivilege	2620	DrvInst.exe
Token: SeRestorePrivilege	2144	DrvInst.exe
Token: SeRestorePrivilege	2144	DrvInst.exe
Token: SeRestorePrivilege	2144	DrvInst.exe
Token: SeRestorePrivilege	2144	DrvInst.exe
Token: SeRestorePrivilege	2144	DrvInst.exe
Token: SeRestorePrivilege	2144	DrvInst.exe
Token: SeRestorePrivilege	2144	DrvInst.exe
Token: SeLoadDriverPrivilege	2144	DrvInst.exe
Token: SeLoadDriverPrivilege	2144	DrvInst.exe
Token: SeLoadDriverPrivilege	2144	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeLoadDriverPrivilege	1616	DrvInst.exe
Token: SeLoadDriverPrivilege	1616	DrvInst.exe
Token: SeLoadDriverPrivilege	1616	DrvInst.exe
Token: SeShutdownPrivilege	1640	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	1640	VC_redist.x86.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeSecurityPrivilege	1872	msiexec.exe
Token: SeCreateTokenPrivilege	1640	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	1640	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	1640	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	1640	VC_redist.x86.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SimHubSetup_9.2.12.tmp

pid	Process
1032	SimHubSetup_9.2.12.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SimHubSetup_9.2.12.exeSimHubSetup_9.2.12.tmpMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	pid	Process	procid_target
PID 1976 wrote to memory of 1032	1976	SimHubSetup_9.2.12.exe	28
PID 1976 wrote to memory of 1032	1976	SimHubSetup_9.2.12.exe	28
PID 1976 wrote to memory of 1032	1976	SimHubSetup_9.2.12.exe	28
PID 1976 wrote to memory of 1032	1976	SimHubSetup_9.2.12.exe	28
PID 1976 wrote to memory of 1032	1976	SimHubSetup_9.2.12.exe	28
PID 1976 wrote to memory of 1032	1976	SimHubSetup_9.2.12.exe	28
PID 1976 wrote to memory of 1032	1976	SimHubSetup_9.2.12.exe	28
PID 1032 wrote to memory of 3008	1032	SimHubSetup_9.2.12.tmp	31
PID 1032 wrote to memory of 3008	1032	SimHubSetup_9.2.12.tmp	31
PID 1032 wrote to memory of 3008	1032	SimHubSetup_9.2.12.tmp	31
PID 1032 wrote to memory of 3008	1032	SimHubSetup_9.2.12.tmp	31
PID 1032 wrote to memory of 2624	1032	SimHubSetup_9.2.12.tmp	33
PID 1032 wrote to memory of 2624	1032	SimHubSetup_9.2.12.tmp	33
PID 1032 wrote to memory of 2624	1032	SimHubSetup_9.2.12.tmp	33
PID 1032 wrote to memory of 2624	1032	SimHubSetup_9.2.12.tmp	33
PID 1032 wrote to memory of 1964	1032	SimHubSetup_9.2.12.tmp	35
PID 1032 wrote to memory of 1964	1032	SimHubSetup_9.2.12.tmp	35
PID 1032 wrote to memory of 1964	1032	SimHubSetup_9.2.12.tmp	35
PID 1032 wrote to memory of 1964	1032	SimHubSetup_9.2.12.tmp	35
PID 1032 wrote to memory of 1668	1032	SimHubSetup_9.2.12.tmp	37
PID 1032 wrote to memory of 1668	1032	SimHubSetup_9.2.12.tmp	37
PID 1032 wrote to memory of 1668	1032	SimHubSetup_9.2.12.tmp	37
PID 1032 wrote to memory of 1668	1032	SimHubSetup_9.2.12.tmp	37
PID 1032 wrote to memory of 1544	1032	SimHubSetup_9.2.12.tmp	39
PID 1032 wrote to memory of 1544	1032	SimHubSetup_9.2.12.tmp	39
PID 1032 wrote to memory of 1544	1032	SimHubSetup_9.2.12.tmp	39
PID 1032 wrote to memory of 1544	1032	SimHubSetup_9.2.12.tmp	39
PID 1032 wrote to memory of 1544	1032	SimHubSetup_9.2.12.tmp	39
PID 1032 wrote to memory of 1544	1032	SimHubSetup_9.2.12.tmp	39
PID 1032 wrote to memory of 1544	1032	SimHubSetup_9.2.12.tmp	39
PID 1544 wrote to memory of 1540	1544	MicrosoftEdgeWebview2Setup.exe	40
PID 1544 wrote to memory of 1540	1544	MicrosoftEdgeWebview2Setup.exe	40
PID 1544 wrote to memory of 1540	1544	MicrosoftEdgeWebview2Setup.exe	40
PID 1544 wrote to memory of 1540	1544	MicrosoftEdgeWebview2Setup.exe	40
PID 1544 wrote to memory of 1540	1544	MicrosoftEdgeWebview2Setup.exe	40
PID 1544 wrote to memory of 1540	1544	MicrosoftEdgeWebview2Setup.exe	40
PID 1544 wrote to memory of 1540	1544	MicrosoftEdgeWebview2Setup.exe	40
PID 1540 wrote to memory of 1764	1540	MicrosoftEdgeUpdate.exe	41
PID 1540 wrote to memory of 1764	1540	MicrosoftEdgeUpdate.exe	41
PID 1540 wrote to memory of 1764	1540	MicrosoftEdgeUpdate.exe	41
PID 1540 wrote to memory of 1764	1540	MicrosoftEdgeUpdate.exe	41
PID 1540 wrote to memory of 1764	1540	MicrosoftEdgeUpdate.exe	41
PID 1540 wrote to memory of 1764	1540	MicrosoftEdgeUpdate.exe	41
PID 1540 wrote to memory of 1764	1540	MicrosoftEdgeUpdate.exe	41
PID 1540 wrote to memory of 1984	1540	MicrosoftEdgeUpdate.exe	42
PID 1540 wrote to memory of 1984	1540	MicrosoftEdgeUpdate.exe	42
PID 1540 wrote to memory of 1984	1540	MicrosoftEdgeUpdate.exe	42
PID 1540 wrote to memory of 1984	1540	MicrosoftEdgeUpdate.exe	42
PID 1540 wrote to memory of 1984	1540	MicrosoftEdgeUpdate.exe	42
PID 1540 wrote to memory of 1984	1540	MicrosoftEdgeUpdate.exe	42
PID 1540 wrote to memory of 1984	1540	MicrosoftEdgeUpdate.exe	42
PID 1984 wrote to memory of 2152	1984	MicrosoftEdgeUpdate.exe	43
PID 1984 wrote to memory of 2152	1984	MicrosoftEdgeUpdate.exe	43
PID 1984 wrote to memory of 2152	1984	MicrosoftEdgeUpdate.exe	43
PID 1984 wrote to memory of 2152	1984	MicrosoftEdgeUpdate.exe	43
PID 1984 wrote to memory of 2792	1984	MicrosoftEdgeUpdate.exe	44
PID 1984 wrote to memory of 2792	1984	MicrosoftEdgeUpdate.exe	44
PID 1984 wrote to memory of 2792	1984	MicrosoftEdgeUpdate.exe	44
PID 1984 wrote to memory of 2792	1984	MicrosoftEdgeUpdate.exe	44
PID 1984 wrote to memory of 1052	1984	MicrosoftEdgeUpdate.exe	45
PID 1984 wrote to memory of 1052	1984	MicrosoftEdgeUpdate.exe	45
PID 1984 wrote to memory of 1052	1984	MicrosoftEdgeUpdate.exe	45
PID 1984 wrote to memory of 1052	1984	MicrosoftEdgeUpdate.exe	45
PID 1540 wrote to memory of 2264	1540	MicrosoftEdgeUpdate.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SimHubSetup_9.2.12.exe
"C:\Users\Admin\AppData\Local\Temp\SimHubSetup_9.2.12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\is-FDRQG.tmp\SimHubSetup_9.2.12.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FDRQG.tmp\SimHubSetup_9.2.12.tmp" /SL5="$40112,189947315,950784,C:\Users\Admin\AppData\Local\Temp\SimHubSetup_9.2.12.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="SimHub Setup rule" dir=in
    3⤵
    - Modifies Windows Firewall
    PID:3008
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="SimHub Packages Setup rule" dir=in
    3⤵
    - Modifies Windows Firewall
    PID:2624
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="SimHub Setup rule" dir=in action=allow program="C:\Program Files (x86)\SimHub\SimHubWPF.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1964
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="SimHub Packages Setup rule" dir=in action=allow program="C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1668
- - C:\Program Files (x86)\SimHub\Redist\MicrosoftEdgeWebview2Setup.exe
    "C:\Program Files (x86)\SimHub\Redist\MicrosoftEdgeWebview2Setup.exe" /silent /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Sets file execution options in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1764
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2152
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2792
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1052
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezQ1NEJDQzM5LTYwNUQtNDU0RC1COEM2LUNCRDM5MjYwNDBCMH0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7NDA5QTlDMjEtNzk5RC00OUFGLUI4MTYtMzYwMDA2QTY4MEJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjIiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMSIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTgxLjUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjIzNTA3OTQwMDAiIGluc3RhbGxfdGltZV9tcz0iOTUyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Checks system information in the registry
        
        PID:2264
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{454BCC39-605D-454D-B8C6-CBD3926040B0}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1256
- - C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2012.exe
    "C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2012.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:840
  - - C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2012.exe
      "C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2012.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi" -burn.unelevated BurnPipe.{2EFBA46A-EAF0-4ED7-A5D7-767E2485BCD5} {151B8102-F6CF-47F5-AD51-8259DC61B3BB} 840
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1876
- - C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2012.exe
    "C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2012.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:908
  - - C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2012.exe
      "C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2012.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi" -burn.unelevated BurnPipe.{2A2C6559-B4CB-43F4-8350-8F6C57A1FA6A} {502CB4FA-EEFB-44B1-8BF6-6758B59E77C5} 908
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:816
- - C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2013.exe
    "C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2013.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1004
  - - C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2013.exe
      "C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2013.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi" -burn.unelevated BurnPipe.{A8F57EA6-8CC0-46E3-B558-E0D94F87CAEC} {281E84CC-C410-46CF-87F9-11D4BD0286EE} 1004
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1592
- - C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2013.exe
    "C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2013.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:668
  - - C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2013.exe
      "C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2013.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi" -burn.unelevated BurnPipe.{17CF5D8E-BA60-4694-9DB1-BAAC9E5ED7F2} {BAA136FB-1D44-4778-81B4-0D425D773743} 668
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2124
- - C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2019.exe
    "C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2019.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2976
  - - C:\Windows\Temp\{76D6FA61-9BFB-4233-8091-E0AD2C6398C4}\.cr\vcredist_x86_2019.exe
      "C:\Windows\Temp\{76D6FA61-9BFB-4233-8091-E0AD2C6398C4}\.cr\vcredist_x86_2019.exe" -burn.clean.room="C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2019.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1876
    - - C:\Windows\Temp\{FDD1CC30-1BE1-4871-B490-CF3A8BCA173F}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{FDD1CC30-1BE1-4871-B490-CF3A8BCA173F}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{6F172DF2-48EE-434C-80A1-A857F5B1C7CA} {345D204F-CED4-4A2C-8413-A9A92DEA0CFA} 1876
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={4f84f2dc-3f70-433a-8f50-8293e0089b0f} -burn.filehandle.self=500 -burn.embedded BurnPipe.{AB460427-EA5E-4712-9AA1-B8E6A23A1766} {33F4CE42-AA17-47C1-905E-4E1B38CAE9F5} 1640
        6⤵
        
        PID:1168
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={4f84f2dc-3f70-433a-8f50-8293e0089b0f} -burn.filehandle.self=500 -burn.embedded BurnPipe.{AB460427-EA5E-4712-9AA1-B8E6A23A1766} {33F4CE42-AA17-47C1-905E-4E1B38CAE9F5} 1640
        7⤵
        Loads dropped DLL
        
        PID:2100
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{47AE0FCD-1D3C-4128-8772-4D8369A55576} {176C2B91-2866-4D54-8DCD-92115F739028} 2100
        8⤵
        
        PID:2748
- - C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe
    "C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" installsilent SimHub.ndp48
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\SimHub\SimHubWPF.exe"
    3⤵
    PID:1056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:2216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 0 -NGENProcess 194 -Pipe 118 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 0 -NGENProcess 188 -Pipe 1a0 -Comment "NGen Worker Process"
      4⤵
      PID:2324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 0 -NGENProcess 1cc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:1760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 0 -NGENProcess 180 -Pipe 1d8 -Comment "NGen Worker Process"
      4⤵
      PID:2308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1dc -Comment "NGen Worker Process"
      4⤵
      PID:2108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1b0 -Pipe 1ac -Comment "NGen Worker Process"
      4⤵
      PID:2148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 180 -Pipe 194 -Comment "NGen Worker Process"
      4⤵
      PID:2688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 18c -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1d4 -Comment "NGen Worker Process"
      4⤵
      PID:320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 198 -Pipe 1a8 -Comment "NGen Worker Process"
      4⤵
      PID:1768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1e8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:812
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 0 -NGENProcess 1b0 -Pipe 200 -Comment "NGen Worker Process"
      4⤵
      PID:2256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1bc -Pipe 18c -Comment "NGen Worker Process"
      4⤵
      PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 0 -NGENProcess 1ec -Pipe 180 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 1f4 -Pipe 198 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1ec -Pipe 1b0 -Comment "NGen Worker Process"
      4⤵
      PID:1448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 204 -Pipe 210 -Comment "NGen Worker Process"
      4⤵
      PID:2376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 208 -Pipe 1bc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 218 -Pipe 1ec -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2080
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 1cc -Pipe 1f8 -Comment "NGen Worker Process"
      4⤵
      PID:2788
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 20c -Pipe 224 -Comment "NGen Worker Process"
      4⤵
      PID:852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 220 -Pipe 228 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 21c -Comment "NGen Worker Process"
      4⤵
      PID:2980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 214 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 230 -Pipe 208 -Comment "NGen Worker Process"
      4⤵
      PID:956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      PID:1604
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 20c -Pipe 22c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 238 -Pipe 218 -Comment "NGen Worker Process"
      4⤵
      PID:2668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 240 -Pipe 208 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2700
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
      4⤵
      PID:1880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 220 -Pipe 248 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 20c -Pipe 24c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 238 -Pipe 250 -Comment "NGen Worker Process"
      4⤵
      PID:2220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
      4⤵
      PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 220 -Pipe 25c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 20c -Pipe 260 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 0 -NGENProcess 20c -Pipe 264 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
      4⤵
      PID:1780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 268 -Pipe 234 -Comment "NGen Worker Process"
      4⤵
      PID:1956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 274 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 20c -Pipe 278 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 238 -Pipe 268 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1100
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
      4⤵
      PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 28c -Pipe 240 -Comment "NGen Worker Process"
      4⤵
      PID:808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 290 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      PID:2876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 294 -Pipe 20c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
      4⤵
      PID:1236
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
      4⤵
      PID:1300
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 238 -Pipe 294 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2100
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 298 -Pipe 230 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 1e0 -Pipe 284 -Comment "NGen Worker Process"
      4⤵
      PID:2716
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 298 -Pipe 2a4 -Comment "NGen Worker Process"
      4⤵
      PID:2692
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 2b0 -Pipe 28c -Comment "NGen Worker Process"
      4⤵
      PID:1588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 29c -Pipe 2b0 -Comment "NGen Worker Process"
      4⤵
      PID:812
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 290 -Pipe 1e0 -Comment "NGen Worker Process"
      4⤵
      PID:1148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 298 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 238 -Pipe 2b8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 2b4 -Comment "NGen Worker Process"
      4⤵
      PID:1288
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 238 -Pipe 2c4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2d0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      PID:2660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2ac -Pipe 264 -Comment "NGen Worker Process"
      4⤵
      PID:2144
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 2ac -Pipe 2d8 -Comment "NGen Worker Process"
      4⤵
      PID:1676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2dc -Pipe 2c8 -Comment "NGen Worker Process"
      4⤵
      PID:1680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:3040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 29c -Pipe 2d4 -Comment "NGen Worker Process"
      4⤵
      PID:1656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2dc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 29c -Pipe 2f0 -Comment "NGen Worker Process"
      4⤵
      PID:1416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 300 -Pipe 270 -Comment "NGen Worker Process"
      4⤵
      PID:2668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2ac -Pipe 2f4 -Comment "NGen Worker Process"
      4⤵
      PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2bc -Pipe 2a8 -Comment "NGen Worker Process"
      4⤵
      PID:2696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
      4⤵
      PID:1960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 29c -Pipe 2fc -Comment "NGen Worker Process"
      4⤵
      PID:2612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2e0 -Pipe 238 -Comment "NGen Worker Process"
      4⤵
      PID:2912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
      4⤵
      PID:2672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
      4⤵
      PID:2016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 310 -Pipe 2bc -Comment "NGen Worker Process"
      4⤵
      PID:2736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
      4⤵
      PID:2216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 2ec -Pipe 30c -Comment "NGen Worker Process"
      4⤵
      PID:2100
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 310 -Pipe 2ec -Comment "NGen Worker Process"
      4⤵
      PID:2976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2e0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 31c -Comment "NGen Worker Process"
      4⤵
      PID:2644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 32c -Comment "NGen Worker Process"
      4⤵
      PID:1004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 29c -Pipe 330 -Comment "NGen Worker Process"
      4⤵
      PID:612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 324 -Pipe 2e4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 324 -Pipe 338 -Comment "NGen Worker Process"
      4⤵
      PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
      4⤵
      PID:2128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 33c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 29c -Pipe 340 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:420
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 308 -Pipe 344 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 324 -Pipe 348 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 318 -Pipe 34c -Comment "NGen Worker Process"
      4⤵
      PID:2700
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 350 -Comment "NGen Worker Process"
      4⤵
      PID:1552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 29c -Pipe 354 -Comment "NGen Worker Process"
      4⤵
      PID:956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 35c -Comment "NGen Worker Process"
      4⤵
      PID:2324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 0 -NGENProcess 308 -Pipe 318 -Comment "NGen Worker Process"
      4⤵
      PID:1416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 36c -Comment "NGen Worker Process"
      4⤵
      PID:1580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 314 -Pipe 360 -Comment "NGen Worker Process"
      4⤵
      PID:2916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 320 -Pipe 308 -Comment "NGen Worker Process"
      4⤵
      PID:1540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 29c -Pipe 2e0 -Comment "NGen Worker Process"
      4⤵
      PID:2360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 368 -Pipe 314 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:420
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 0 -NGENProcess 29c -Pipe 378 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 0 -NGENProcess 29c -Pipe 334 -Comment "NGen Worker Process"
      4⤵
      PID:2956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 0 -NGENProcess 38c -Pipe 37c -Comment "NGen Worker Process"
      4⤵
      PID:1504
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 0 -NGENProcess 380 -Pipe 29c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1848
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 380 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 358 -Pipe 370 -Comment "NGen Worker Process"
      4⤵
      PID:2592
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 320 -Pipe 388 -Comment "NGen Worker Process"
      4⤵
      PID:2920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 0 -NGENProcess 394 -Pipe 390 -Comment "NGen Worker Process"
      4⤵
      PID:1312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 0 -NGENProcess 364 -Pipe 3a4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 0 -NGENProcess 320 -Pipe 358 -Comment "NGen Worker Process"
      4⤵
      PID:2392
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 0 -NGENProcess 320 -Pipe 2c0 -Comment "NGen Worker Process"
      4⤵
      PID:2956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 0 -NGENProcess 368 -Pipe 374 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 0 -NGENProcess 364 -Pipe 3a8 -Comment "NGen Worker Process"
      4⤵
      PID:2244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 0 -NGENProcess 320 -Pipe 384 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 0 -NGENProcess 3b0 -Pipe 398 -Comment "NGen Worker Process"
      4⤵
      PID:1280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 0 -NGENProcess 324 -Pipe 364 -Comment "NGen Worker Process"
      4⤵
      PID:540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 0 -NGENProcess 3b8 -Pipe 320 -Comment "NGen Worker Process"
      4⤵
      PID:2664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 0 -NGENProcess 38c -Pipe 3ac -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 0 -NGENProcess 3c4 -Pipe 3c0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:3044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3b0 -Pipe 3a0 -Comment "NGen Worker Process"
      4⤵
      PID:2120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 0 -NGENProcess 3b4 -Pipe 368 -Comment "NGen Worker Process"
      4⤵
      PID:2792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 39c -Pipe 3c8 -Comment "NGen Worker Process"
      4⤵
      PID:2920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3c4 -Pipe 324 -Comment "NGen Worker Process"
      4⤵
      PID:1472
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3cc -Pipe 3b8 -Comment "NGen Worker Process"
      4⤵
      PID:2944
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3b0 -Pipe 3d0 -Comment "NGen Worker Process"
      4⤵
      PID:3000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3bc -Pipe 3d8 -Comment "NGen Worker Process"
      4⤵
      PID:2940
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 39c -Pipe 3dc -Comment "NGen Worker Process"
      4⤵
      PID:2616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3c4 -Pipe 3e0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 0 -NGENProcess 3d4 -Pipe 3cc -Comment "NGen Worker Process"
      4⤵
      PID:1548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 0 -NGENProcess 3b0 -Pipe 38c -Comment "NGen Worker Process"
      4⤵
      PID:1276
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 0 -NGENProcess 3e8 -Pipe 3f0 -Comment "NGen Worker Process"
      4⤵
      PID:1588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 0 -NGENProcess 3bc -Pipe 3b4 -Comment "NGen Worker Process"
      4⤵
      PID:3012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 0 -NGENProcess 3bc -Pipe 3c4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 0 -NGENProcess 3ec -Pipe 3e4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2592
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 0 -NGENProcess 3f8 -Pipe 39c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 0 -NGENProcess 394 -Pipe 3d4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 0 -NGENProcess 3f8 -Pipe 3b0 -Comment "NGen Worker Process"
      4⤵
      PID:2448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 0 -NGENProcess 394 -Pipe 404 -Comment "NGen Worker Process"
      4⤵
      PID:1304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 0 -NGENProcess 3f4 -Pipe 41c -Comment "NGen Worker Process"
      4⤵
      PID:2248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 0 -NGENProcess 394 -Pipe 3fc -Comment "NGen Worker Process"
      4⤵
      PID:1352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 0 -NGENProcess 408 -Pipe 424 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:420
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 0 -NGENProcess 42c -Pipe 420 -Comment "NGen Worker Process"
      4⤵
      PID:964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 0 -NGENProcess 424 -Pipe 3f8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 0 -NGENProcess 408 -Pipe 3f4 -Comment "NGen Worker Process"
      4⤵
      PID:1236
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 0 -NGENProcess 424 -Pipe 3bc -Comment "NGen Worker Process"
      4⤵
      PID:336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\SimHub\SimHub.BitmapDisplay.Subprocess.X86.exe"
    3⤵
    PID:448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 0 -NGENProcess 128 -Pipe 120 -Comment "NGen Worker Process"
      4⤵
      PID:532
- - C:\Program Files (x86)\SimHub\SimHubWpf.exe
    "C:\Program Files (x86)\SimHub\SimHubWpf.exe" setfileassociations
    3⤵
    - Executes dropped EXE
    PID:816
- - C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe
    "C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" installsilent SimHub.VOCORE
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe
    "C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" installsilent SimHub.USBD480
    3⤵
    - Executes dropped EXE
    PID:2168

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:2928
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezQ1NEJDQzM5LTYwNUQtNDU0RC1COEM2LUNCRDM5MjYwNDBCMH0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7QTY4NkVCM0EtRkIwNS00MDYzLTg2QzAtMTgwQjdBRTg0ODQ1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjIiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMSIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjM1MjgyMjAwMCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2796
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1CB27A6B-6C07-4882-B517-55B4DFCF3429}\MicrosoftEdge_X64_109.0.1518.140.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1CB27A6B-6C07-4882-B517-55B4DFCF3429}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1588
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1CB27A6B-6C07-4882-B517-55B4DFCF3429}\EDGEMITMP_90605.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1CB27A6B-6C07-4882-B517-55B4DFCF3429}\EDGEMITMP_90605.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1CB27A6B-6C07-4882-B517-55B4DFCF3429}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2836
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezQ1NEJDQzM5LTYwNUQtNDU0RC1COEM2LUNCRDM5MjYwNDBCMH0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7NDY4NDY5QzQtMEU2Mi00NDI3LUE3RTgtNkQ1Q0VBOUFBRUMxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjIiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMSIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMDkuMC4xNTE4LjE0MCIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjY4MDExMDAwMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI2ODAyNjYwMDAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIyODc2NjcwMDAwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wYzQwODRmMy0xYmVkLTQyNDYtYjhlZC0yMDZjY2JlNjBlM2M_UDE9MTcxNDg1MjQ3OSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1kalUlMmJBUndwN0hCS3RLd2p2ZHU0YktoRTR5JTJmWWFjTHhoZTBoUHFHNFNZdDVZTXY4c0VhN3ZZdlJCYUo5MG5hVTB4a2JYcGlqZm0yR0t5RjVrb2lNV0ElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNDA2OTYwMDgiIHRvdGFsPSIxNDA2OTYwMDgiIGRvd25sb2FkX3RpbWVfbXM9IjE4MTQzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjg3NjY3MDAwMCIgc291cmNlX3VybF9pbmRleD0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI4ODg4MzgwMDAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDkiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI5ODc3NDIwMDAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI1NjMyIiBkb3dubG9hZF90aW1lX21zPSIxOTY0MCIgZG93bmxvYWRlZD0iMTQwNjk2MDA4IiB0b3RhbD0iMTQwNjk2MDA4IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI5ODkwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000490" "000000000000031C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000070" "000000000000031C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "0000000000000000" "000000000000059C" "0000000000000490"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "0000000000000000" "0000000000000070" "000000000000059C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot23" "" "" "631c88d3b" "0000000000000000" "0000000000000070" "00000000000005B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7876cb.rbs

Filesize
15KB

MD5
9119cd5baff481d01564c6db9d7d6b28

SHA1
ac4e33a95cebc254d8237730f0e276c130019756

SHA256
bf199f7437ab9e480c19029e7c206c4be82e75f938594a39a48e1d5a456e959c

SHA512
613ade2b513b94c42c11845b1b8340d926240c3ab1522a55952048c7c13abda2233927c54d3142203a6e893f0950b328def61bd2efd6af72d4504fbaa85d9909

Download Submit
C:\Config.Msi\f7876d6.rbs

Filesize
14KB

MD5
9d89aeefc89aa61d1e586b8818798ff8

SHA1
9984c7cc27d120d0cb8877d941ec157ddfc3d616

SHA256
8ec58015f5952791944889199ee00e7ee0ac3b12ccae84852abfd54d6eac1635

SHA512
c90fc3eb67d5aa2ce3d7146de801d93c7ddeddeb3edb801f7caeca61c470379fd8b049490365d9edf6f2bc6ce5e5a3864656120ea326d2524cf85f4ce858c4d1

Download Submit
C:\Config.Msi\f7876de.rbs

Filesize
17KB

MD5
98e86a7f792ede5ef66806b5b36f95ce

SHA1
a0c64af33be23accd59d278c315fddf040d08e25

SHA256
0f9f7f351b809182c4eb511cc0adf39a042b97f478d16d14a3a62311614084f0

SHA512
b8604025742bbae6cf62cce86b07723bfe4deb96df0659d0bc716bceee14c743ea6d6f865aebd01b35cb0efc0dda5f2724e31e408b9dc94b546d2e67399d9b69

Download Submit
C:\Config.Msi\f7876ed.rbs

Filesize
16KB

MD5
5385e66f09b318e6504c8fbac3b16b2d

SHA1
fc71b2d8fe30e4d240f0dc7513cfeb601c965781

SHA256
6e958f38503abd1c5d3549aecf141f6cdac9279790ac8c42dccb2315ce196996

SHA512
8098f10c34321bd8f7232fad8a45c0794343fc92350383c69c75c5a402927742b690c726c559301ccf095e39e8cdd5d333700e8c84f4f561ae6423541b5ff26e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\109.0.1518.140\MicrosoftEdge_X64_109.0.1518.140.exe

Filesize
134.2MB

MD5
2351a10f63322e5c3ee8f44f4d0d6bba

SHA1
64012bc2d19c899c466b473f1984800870ec2fda

SHA256
70d496873a0a1ca14ae0a038d25856b2121b1b4b7bad9801ce639b144bac41f8

SHA512
692c0c9b9ed5bc8aaf0c751b9faf60729af79365781b51237e8dd57b57c49459d83dc2c44b093bca4092519d4c9ae712dab8073a7fe63245e405f17164b3c1d2

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2836_473694743\109.0.1518.140\Installer\msedge_7z.data

Filesize
3KB

MD5
bd70ed26e6e6f3193043ac09c58c6a1c

SHA1
d733a65e17f2851d5116598dd80533efc1656468

SHA256
7a474217d20b9a6fe3c3a46c0d6d5b2d2040fa790663f6da9202ee7cb07bb448

SHA512
3e2ecade6d687b0736d5eafd7527b24095b9c51f0c8ba99398b23da2d8843c49fc8c1fa37190d385b504d8224c8c517d78d44ae32e10e45d54b19477a6970756

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2836_473694743\109.0.1518.140\Installer\setup.exe

Filesize
3.8MB

MD5
3a92a61a6e01c80ecc7d9499abb901b7

SHA1
d89d05802d937f9c71ced14282b8a19623fca7c8

SHA256
b70b2ed82c7afde8003983992b74f8182f55080b43da3d96dd29e8c0c7e8b47e

SHA512
3867efbd984ddd1eec084c70a42104cbc0057c3bed222af8963051779b612b46bf4cea3311452f6564513d7558d49a1e66a9473ad53f1b2fb4c43a9d7d0fb47d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
9540ad83a08605ba1f52196424ce3067

SHA1
a533eb61319bce1720b55d8921691323a4178c3d

SHA256
b0b5d9eb6f4b176bdfbe4da0a060ad1b76c813186fae3d9a6e1b1dd9ee0d01d1

SHA512
bb00ee12c353c9deeb8105399b2a956343e4a1c13dd1198d0f481c4f699099a34ede80f15bb4efa9a1f68c2c12ff75da163b48bfdf30353d5ef5d4bb7c174493

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
7750d94e4719ba69f5f83213444c0015

SHA1
f2d49b2d5c3bb372a5c74513de0744f2a5f3fe5e

SHA256
1ab31694ff0b6283fbb6ec062d6eab9ffb26df9d6d1ba140cf60a8e7a4cb9fe5

SHA512
4aba2ff17870e6e20fbcfe8d31036d52d9b2ae9df1013e1140cdf321bb4da0a8f5cdbbabfbee758cd2f2bbe2a3b10f25351f9e29cc5f5d91baea6dce2c83e714

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
258KB

MD5
3fa9ae698a600ff3422995504cd088c4

SHA1
bb0b798291c7e37c514d8fce11b8c777d13a6b2e

SHA256
a8e1533f87ac5273f908fbb67edb786f231fcae44b49dd5e6ceb3c777c1f01a9

SHA512
3dea12c2f30fdd5cc4125de40ad26c9f1a69abe8505c863b1469f47349d79f2b51ab037009e500291085366abf0ee2b24d16a3eb419b715894b924af656d2b04

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
ca3b6944f47fb398e4656d7076e3d247

SHA1
592c966af88cb9fd39250d917fe4876bb213d36b

SHA256
d1d58d338db2f0f885d7e945613c2e6b98ce02534a2635c392cec04e8c8b5f71

SHA512
5be93716c178401e809aba922b05abfe4c6585ac8544ba6fde1ae16af87e571ef28d51f8d71946d5acde96370d39bef8d85349677de16b3e8009ba3f57802b46

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
27b4625745b0d9036faeef288dcdc71f

SHA1
79e2e6590a0f4b6af97796058595e8df77bc4b8a

SHA256
74fefc1ad1bca85ae3cdcb197396568e9ccdc3de9095cc3e787e6e28f9a04487

SHA512
2f4e0c4478a244c3b1632f282c7522efbe9b2f03d6a8bb600f0d833c61fd74d7bab32683b1c0e40e58b2d30640cbf6e9b28c03b179e168a6cb7bd3512bae3f2e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
07b160c1fabcf30a0e3e907f1b12177a

SHA1
c5435df1d9bc93ac87870c5d8894de8481456de9

SHA256
a78619b34f4566ff3fa834111d6f02fdeb5e82ceae2167f51a85aa902f4ad2dd

SHA512
cbf2df29701b0dda648f2e208596c691e1caf97d2e3314749b6a3ad899cc057f66cedbbed4d6362b987173a925e73ea266d238c9d985d03b7ffd5c32b0d0b3c8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
0e38b9e9fde2583f8dbb61f2522c1996

SHA1
9e6a952387380bcf54dcc9d040a2d9051a63a1f1

SHA256
ea9786491db2b6548e3c935cc4f8382fb1534b3b67dde1ed6b9aa003c9a7152f

SHA512
f17d95eff5b23d2d11f161a66ef67c61c34c0190ca7d11d8e30f4504f5ecfec87a02fd474a08061433e8a431d78ed92fa9cc087863f3f4caeb2b5616949bc11a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
ea96f65e817ac6899d6732cd880f744e

SHA1
0fde259d82e3c300ef2461e660208fdccc339e64

SHA256
06bfc34d181852321498c49fad36701a5f854ad6e5588af9e141a5cef838165f

SHA512
f79099fae7d98b9208aa5be96f28d9855c5e81cd9dcc5874ed2e41c8b720f32e54fcfdedd44e075892967768f42833f9fd99657096ee10af38d3b663d48bd603

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
4328bf6228c408cae033fb4acca65640

SHA1
011fd7ddb7c4551abe683cb005920d85cf3eb10b

SHA256
73a10a15a4be54f85e4103a994c8a628c34034d085c40627fb4f18b499379de8

SHA512
a50a74fd675ed3b791bfa5a93ca9f910c5a9052e9990de0132606779a333007d305f4fae1ac9f193335cd8207a17b00e2848a87aaa09e7900df189103fa0cd92

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
c4457c581afbf9e1903fb309d8d08bf7

SHA1
fc52fd6cc2de7405ac69674f74cbef43c92c5295

SHA256
f409b1cce73799d3ed0fbaab72c3331cc597787680e2fc9dcd9e2803f62e006e

SHA512
b8bc722dc801a9c50a972dc9ef5ebb31b43bcbc7d12cb84d0b3e64749781818963573f0bafe646160ed9edac5db5b72d7968d3e5ff908da256079e8dff4ec2d0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
4ab2b866301da9ffd1a2d9e1d2828698

SHA1
bf49d684e192f14f96ab03dd0f8d9e5817a0f1b8

SHA256
cfffd594b203016e13fa74c5382c1c6b46f7d3f0817eb4d649feaf3350a401f0

SHA512
60874a1c999e646a11217b3d0c68af03b7b2e1210f65e8e922a2cd8741bcf1e687bf74b97ffa0082962df2f534fc4c2ca9c28c4822a7e2c50474810e42de9d24

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_bs.dll

Filesize
29KB

MD5
139d647896af07432b0c810977139fdb

SHA1
27b2f2915acfb3a740c958282deb2f418df83d49

SHA256
0f3d5ea311f13f94b8c0f9bd6c8fe8351ca85a9e92d96b3ac3a54e87a2167833

SHA512
cda3135620409f12fc7ee77c53233af4e64ea4a7e3a7b2af3534b015b410221e500a1820cd5852236236ca8820521072eba4128efd6316e1bc7863360c07baf7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
30KB

MD5
5801a2b7df808227d967d2e0d147fa4b

SHA1
dbe2844fa8bcbebc227b9817bc0ea8dcd1634b13

SHA256
cc02b8e56ebe97d640eb3241d6dfdd76c36d8ad9dc6fd70c11ed6a165f87dbf0

SHA512
b6f77f1284a05aa4d9e69b2f459691f8bb79466242c13d1bf011d4edd6a43e742b4541ecfdd4d7aaf7b6e72b3540d41ebfd6074086ed1a4b56ef6b852d91ba0e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
9cd4f750ad9c689151ca0a278c3774bf

SHA1
cbe0a7601db4ce0aded6e18c9647750a4e03a8c5

SHA256
3569e7eafe649d9b4e0fbea1db33d4a7e6c350e4031f9ac40506df4828892b0b

SHA512
38e723fbcc1ae59e50d8f8ffd53cf77fd32a64686f24a0670287c25dad7fbe4852ba968f223cc5936b2a1af453e5d2d5f3cc190e07ee0a78c55f88a0c3ecb940

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
14fcd6216e82727e0a757f0f6a04701a

SHA1
ceb886836ad9dc04b2758271d55cab0f6c6146aa

SHA256
777b0583744a3ee8e32586262d34a3d231482504f37d1b0679e1dbd1e10bb854

SHA512
e963ba587017d3e579f3839a0fa0fe5be659cb749629a5b98e7b02184e811a943ac18d66c927ab45c54869650289ec6e3a9661ec40532fc2ae578a5fb15606f9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
d082255c15ca45655f999c60c7e44653

SHA1
337bb7b65c8db5305814fa8046da0d790c5cab59

SHA256
31c054f8b4c974d6ac436ee21828121f600a1dde0eb5bb8c7fb41c47ffa9563e

SHA512
662db73cfe28995149aa4a3d2f877fd7b9a027a4f322be9ee6ffb19b8aa4d97ce3ea1fcc13c85c28a9ab815aecca1b0baa69109f20cfa73a46cf8c1be586dfb1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
8355353da56dd6ba036eeedbb10ffa68

SHA1
3e20c8f35cabebd04e7162b9567fd3905174127d

SHA256
678888dd82f5cb04b5727c56699c70d442b35ac65338bbe9ac45ed8d2a32acb9

SHA512
000d0a8648ca4e8433568efc422f3caeed7c53e764878aca11f8b7405850863f8a7bea4a97fbb0076db961d3f09646a00bb3eaa0e4e3b81d949ac2aa033b0827

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_de.dll

Filesize
31KB

MD5
9e0645c2970492f18a9c16d053ae47cb

SHA1
c91f0ee7dc0dc0213776728b152a5c3597b8e1c0

SHA256
7bef8830bdf0fbc8d84d85946a28cafe05fc47528741bc11998805982a3b421d

SHA512
c4277b7e7652bd342dbda6d2d22acbaeeb9ec1321cd91ad236575d0c8f504220736218711e91f0984e3d2f06652101f52aee123163d7bf3cd173c7ec2d1325cc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_el.dll

Filesize
31KB

MD5
8b692911c2eef0d2e2fbc8ee84c39e03

SHA1
b5f558a2cbfee2dcf1cf5f7e5dd229309f5bca1e

SHA256
68ff5bb5a44f019c7c8a50cbf9ee0af264b4782e6516917b4760c0b05d247161

SHA512
6a4118eb9d1bdcb4031db82682ee919f62d575dc765ca0a65028bd31c8bdc061155bc2139318916b3be3572b6a3656d194e3a925b5711241f436267a9af1109f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
8ff46334ccb442dbdce0b04e84cc6364

SHA1
52a7dfd39529c0669d8fe72416876bb2b241741e

SHA256
47c08c6be842b50d119c4921ff860bfc1739efdb017de42c1247bf0fb5c1e254

SHA512
b23b74b2c7f76abb613630c888eff8ec2fe6c28138522ebed478f6d55e21917e658f269ef0d6014e8778225b81e2839cb965a1ff243b5639766bdbcd52c28f47

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
5d365ca4dcb28432aae57e60dfae29f7

SHA1
76150d3ae3070e10f378df87e433b1324f5f008e

SHA256
990051016c4d565d20167c62be48e92ecd840231bd0ff21838d105cbea750ed3

SHA512
f46fb26ef0ce04eb0655cd4ed769b5af055ccec0a15cacc25c9bdd6e3c3a4ca501164e5093eb7381d00ea28a3be59e69762ade995a421c7ce8b1944fd2446465

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
22b0343d2498e2a0b9d4168d480bd6b8

SHA1
d4dd3b497b262905788c7abdc791af1cdd80c6a8

SHA256
094dd4e1d9cf8114145c254372b0ac20f6593f16f7b53e02953bd21bbe26a4f0

SHA512
970fd6cb5fa68e2e12a6288b00250a3c400939963298bfe7610edced53036990c51edef7f5054c371b12eb992ce8e05b1eb7af4d9ba61e0af41096a9ed64957a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_es.dll

Filesize
29KB

MD5
17006114f71cb462041e1ec50a952047

SHA1
3062f6d33dfa215b18492a3e0a2d0fdf41a08429

SHA256
bd195bbeb179e478cd1dc4bab518568edd65603e3d33b11b3298ccd1995b183f

SHA512
5d7fe67bc1d6e22c9e7c13df5a5b9dd039eb77d94b991908a6e23ae703295d2c857b38799c30b40cdb2f3bf503f951de54e11fd65e6f482bc184ffab54ff443f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
e4a76fbf2d73c51f37bb96ef5b76ceaa

SHA1
5bc9a30d11fae80286f0a73db5900e9b2a94fc30

SHA256
a1c067279ba80bacdd975117ae5e6aad9923b3138340d25d08742163107d7313

SHA512
0b4751d5a7914daecc8f0f620dff0228bfe1853af901c6ec277656f3c568d916bc1e1d22bc737ee3f54107fca6ded731c73e80147e34ce3b81c276f8b6d2b2e0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_eu.dll

Filesize
29KB

MD5
a5824f125e7c5a363618e10eb166cfa2

SHA1
b9265cee687f031f52eb6cfd6ffacd728f7c9c71

SHA256
3fe2d705da261a98a8cb375d59ff98b0552b61e7c57132d46126fe4646b2cdd7

SHA512
4b2c4fc806097320a56c2547d2962f21e99e6e17a211cfd9aab1a7845dce78d958ab6a03481cb2a827ab233afb2cbcd059bc6e211f8951c1a2e3b7ac51825b8a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_fa.dll

Filesize
28KB

MD5
96e70c3aced49e26c5938bf5ec7e7a7f

SHA1
5fe35ee220c39cf8cad8d434b49ec31fa3f729ba

SHA256
5f8d8a9d207108426a3f4776786c4a7b5d70db237ded870b9a7ab191602fd83e

SHA512
af6f420164c2504a6c0fb3b62c89790dc3e08ae0b847e0a888c2c793aa6198134a8c18914fa0a5f3153dcad51698cb7125d2c90ae68de221042cbb97b7f8b78a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
5ce5cf921d0e522b8a05efa79031cfde

SHA1
a081d73ab637ad63831b0e05d0122e8e9036a41b

SHA256
6d049ab238bffbfaa0408460f3d76bc23bfd62ccf57659beaa81346e2dd69e98

SHA512
6ef468f6f6b6186fee208b3101c089a168bfc286fd7a84c220a72be085744c70b30a299cbce1bb0c25689da1f348552322a6451277be604f211017ce6d16f989

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
4bfe23c9930f814f7c9d977525cf2046

SHA1
3a6147006bd805a33d7caa647e8088a257061781

SHA256
a9a40611ddccf179b8cd342c07d947af951f85072b598b5332ca772a5ce7729a

SHA512
a235eef64580b8922e5f507f9bb2080800dcb4ea6b156150d2266748ebf38c2eb1e39342b01856ebd9e63b6e89c2104b434e444277dfe03e549293c928cb89bd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
e22edad44e45a6e1da46e0afbb318052

SHA1
d35c28b112fc386c6f4c52e4faa2ed8a56a4f6eb

SHA256
a7a163fbcbeffbfd4655e41d162817a56b8da8b679b139a04961e830ea5ad05a

SHA512
e750271aa41b402a5682f6863e95756c91afcbd5a994453280c7dac3973da3ecaf0fa0689b962cadab492ce90d510a436bd773c995b93ff6b40007371cdd2713

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
86e02140bd5ea5090460ab7ac5c5cf08

SHA1
3cc00afb1b108b2247cc38211b64bb360c1419b4

SHA256
4edd7b2ec1438f6a5d56eb0b7fcd7a42f2110eaf57439283afe85f527f9c1574

SHA512
a0e6177a3791e59aebcc960cdc2861e10b6a20e0169940f219c92cccbd4827afc47bbd94a5629d25a9f2d547e8e2094a3c96aa55a1bc3fe9b744c07436359e95

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_ga.dll

Filesize
29KB

MD5
912713dbc1bf81366497d2c10ba3783b

SHA1
cd42a85838ef70f72c2faa5a149bc6a904f81585

SHA256
f4b3c90ab375d5f465e2abc2bdff37fc41e4a1ed44ebf8370cd9eba7408fb586

SHA512
11b2b1b726b314a725d24fa3c8b85f9c05a1643ae768adcad4b7006870b728db8688cf708f355ed8ffe2cbc24fb874dce2dbad86231c045b454dbcddfde35225

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
03cf202f9262f42dff2b35987eed7c95

SHA1
2ccf4e4b8f55d61032048101c18a4b6cc7b6a087

SHA256
6f033953fdb5ad272ddf29299577a4bb8d9a53bda4b3d8ffffd8d56c542c2c56

SHA512
c1d65b8457fa2b0998aa6500b585c14e177154ae5cbf08cbb0ff0fd7a1d82e31520f4bee4ad20badeb91784501057b1a968c7d7d8415a2f7683f1a434bbca30d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_gl.dll

Filesize
29KB

MD5
e2bc2cb179b0758f9deda1fde5f60ae2

SHA1
71367f007ab0daf92d954b7e86eae037ec2fa8f4

SHA256
6a2342b270f775433bc77f9d48ab8f71b221c3cd60d84e893314bebff19c4801

SHA512
ff3a3afdf1780d6351306c0e00fedb59c020de68499005726e57487e9c5045636e59baffa487ffbcecc95f9bace000f66d1c3bf3b107e309e3cb522d45dc7b7d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_gu.dll

Filesize
29KB

MD5
34b01daded37b4003b71c63712ff2577

SHA1
7cf99924ab19d94dca8a51d00f95ffc29b9f8e98

SHA256
11ffdf625eb3de49818a1a6288e9d7a60f4f3c8951b163eea84095ffd4ff871d

SHA512
6a865be6b2c5103db06dd14777833bd4835f10c2a282c5edd43325fb0c1669fac875367f4a4f3d98c26c55449682ee406e7c882c16d9f48b41f3be533d82f161

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_hi.dll

Filesize
29KB

MD5
1b10182ad3f07c112f26fbd9f7a43848

SHA1
b9b9b4bc37a9dc1f9a9cb11df44583594d72f6e1

SHA256
381cbc579d5200ed6725a0dc149dd04703d157ae793d39be130d68eff7109c02

SHA512
1575d4f0f756aa5bee99c0b1f60ebca946abfcba08b180b13eb9fd966b05c44cff94ee2db6b5fa7025b5f0247f06d5bcec3c790a20c1086a59933aa7e5cf7097

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
e03b903ae9e8a21ab7e24230c05ff0f4

SHA1
6c9b3354c0b5a96b7f062d94bf874c67ebbe4c72

SHA256
9fbff63d4b7dc5e94958bf657321ff8f93de76394f78ed679863072d4ed3062a

SHA512
31b7322288802c58e7b287605bae0899bd4bff0b3b1c1daa2898ed32453b5e8d0d4d5b508c79c6236e924a23d61321981d80a80929dfe875bcbe6fd0b4400b04

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
c4404953c519113d70e8fb19ce4b23dd

SHA1
c01ab7651ab1e3ae24f146ec72bf53d64001e14f

SHA256
e903ef5c4ba6872159e21dc6f4afa9a20113868cd99ddb8857369637053c3b05

SHA512
a575ba69f83408b219a6b3b63e031fe37d691de67e9b069daa43091b6eee3089100c1f15d34c36f0a40e086d97568866386d52cf60f0160296ea2db745b8c567

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_id.dll

Filesize
28KB

MD5
cad5e407dc341f661f3675c821807c84

SHA1
8581e431be8308b4a0746719898f66a2e4efbfd4

SHA256
df5d8fc7010fff00081f71f3fa2f8a384f45f077caa9afb066d45a070308581e

SHA512
6fcaf91c27feef117430a185d6189bdeb4c438186e4307a6c91c43cf9584c236b93ac04fa549eeb7f63e13494e30d58fd295068d7572cbe8beb438666a4fcf4f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
fcf71fc0b6f12c6d3ccb03418228a538

SHA1
90afa2cabc9eda94a7d01689f605e59601481cf3

SHA256
a3b8c23468dec69532ad374b9a3475e552b941d965ffcbdc6de0f23d58baeab4

SHA512
ca804da85ac67fecd46a5820328f5f209ba08e3f2ef587ce1021754928de36f14f47fe08ddffd729d1d0ff64d5c7dcb0d508818248ceedc5c83fe0a6017aa031

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
8986d1d9e5fc10d99a45d00f2858ef5c

SHA1
49102f4cfe2dc62ef633fee73678a16f8c06c136

SHA256
64576a5588c0facf99197d055c9a6a9b0db9a25c5601087b94407dd79fe44ce4

SHA512
30a094bf7d0db33d54581da8708f5f19cbaabca041e7e559b849f9581e22b8d3415093461e33fe7091acf643e02847c6edbd71a107f462f0057a4e9018266f95

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
785d4681543392b616bcd95e52da7998

SHA1
d538f78f7323f50d01f2765432705ff30ce47930

SHA256
b05c9c1312c869cd6ec5682372bfb01b3e52a60a01ab2fe68afcd6fa20a8cef7

SHA512
8031fa240100e6fd6721affa3ca37e6d88b6341b51d299f03736c31c67fcb2e3c105ecd8f27a6570e69a60616008c9868da424615f035e3d25a89cf95e63e622

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
ad20644a4ef8b16c043d4c1b68a0e771

SHA1
d1bd42edd650c3141a58c6ff0aa858709b7e0258

SHA256
7f2eacecbcda9339249b386ce8e23611e94d2fbec3d90121569d6f1cfdf6f9c0

SHA512
8cf2e34a23f99bf8c37bd5727c8ff6b7666f7752427df8b05d8d82e5e7d97786b4ecded4031bde32d91e46627b169e8d31b2bdd2119c6b755731a787364c0e1f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
29bb41863ca31837876d4acac58f8a47

SHA1
04add82abba27c6ce6922709ea864ae4b40fa8c7

SHA256
20fcb7142b72803b1f74e52d434cb28eb09fa8ff2d178e5edfa7fa5885552e5c

SHA512
00d3a9c33ba5b7b995cdcea97e708fe4b9e14883e0b14f0547cbce5b1ba54c338cce7ae81b18e53ab3072152e748528710ff0bb49197970d4f1d1fc700a1ae52

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_kk.dll

Filesize
28KB

MD5
f53a96193b592c3b5fb18292d59c9bcb

SHA1
5a218c70180f408d393397b9a9c2c34d7deb8992

SHA256
e6244f73585ae3c74a0df8e077a58da3dd7b7d914b991747686edadd6de7f87a

SHA512
4f1cf04a8f50f3c9cab562d3df52dc10cc98232a50fd99a61d4e7557a3c1cecf5cf89d7db1bccb42467f1e3ace2057f2359007ddedf9f831e4e9b16ad2c046e3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdateres_km.dll

Filesize
27KB

MD5
8cb769dafb0dd354d2b567160bf82a63

SHA1
beba881af68b4081ece5c3baa70864225c0c7472

SHA256
926c2fc5f0dbe67a1da03125ca00fe6fad055e9fe65bedfb75aa23fbea289e8e

SHA512
3905e30b1c47e4bac91ec09bd08f9c23bf1a5015f58ac843369632d58315c53372a2b87e9d0560b95803941be26b066b4b2413c9b66f2ab9288bda1d6a99b804

Download Submit
C:\Program Files (x86)\SimHub\DashTemplates\AIM GS-DASH\ProgressBar.png

Filesize
1019B

MD5
3deaa0efdc1a76e64cda5819c5bba1b5

SHA1
cc2293f57ca2ae3f97389a820b814c4abda83210

SHA256
798ab8fd87d8c613b2384aefcbcc7acbfeca4505467aa3cbdeac64ca115cd1d5

SHA512
ca27ec7b075d00a224abe1c73c602e7a5b23bed5885cefb7964a910ef31faca8f8b833983bf531c0cbd9f7b1d29eb63860f698c912a6553213414b2557dea784

Download Submit
C:\Program Files (x86)\SimHub\DashTemplates\MYTEC C127 - System Info\is-E1VB7.tmp

Filesize
865KB

MD5
af90b7e01ad08606b0f1ad4a394562de

SHA1
fafa4283e5d0eb07ac447709a19293f35913941b

SHA256
956a726e1d43d3aa58fc9f773ae38dd9c57e593035e56ced80cd92995a999de6

SHA512
f871e27dfe3b13f99710fb1c7fcfe43f81117683543e46d4c3523ace2f070e3ee86788f25f14fe12023f33bab198cc627f178457ae978e8a62e1e2615e9ce28d

Download Submit
C:\Program Files (x86)\SimHub\DashTemplates\MYTEC C127\is-5CMR0.tmp

Filesize
804KB

MD5
144d56afcbfab33a1e4e8b322a2b6a43

SHA1
288038b409734a34783042fc73f81d06237d362d

SHA256
1805db217d72ad94ec0b4a7f1a2dcef7a2154f436b5f7aa1c0f985be464bd0df

SHA512
669156de8385d90e7cdee0e7cf425e3a1f0e769faeff5e7f4f250bd3753b6209426eea476240cb0db843c8011aa9e03ebe52a23f4e4a9b5bbd1e39e5648f82f6

Download Submit
C:\Program Files (x86)\SimHub\DashTemplates\SimHub - BOSCH DDU8\is-8I5U3.tmp

Filesize
434KB

MD5
17a3bd6dd6c9239ca254cfd093f98514

SHA1
34291601ab21e58dfa3001a79d1360d643bf1bdb

SHA256
32a67df3d387d02ca4deedd0e9a329535ce82dba9aca85d275dda0e5ddf9b20f

SHA512
c503d395fc67af76d5d9f6fbb181034ac083e3d2780b5dc2e82fcdc70c55c634c70a80282318cd73b13f5030d84711cebb37113231b629a0d413482636f37a34

Download Submit
C:\Program Files (x86)\SimHub\DashTemplates\SimHub - Truck Route Advisor\is-PSRIB.tmp

Filesize
390B

MD5
04a5c9ee72d1c5e0d28ce0b3fe36c401

SHA1
73498d37913c99c768ed4716dacb3ead6985c1c3

SHA256
41547d3505e25c1f44e3ce59e0a6a9c7ba71b90ec2862ddcb002f2211997ad7d

SHA512
2635d1ba3b796622ce8da5f083bb398d27e962b7725eb15c740b87443dbc5aa5829b45da8745a7773c07d08417bbcd35c22587510a308605fdeab962758be92d

Download Submit
C:\Program Files (x86)\SimHub\Languages\is-9E665.tmp

Filesize
218KB

MD5
237415e07b5471cc765a6f217ea330c1

SHA1
13026427a7a1e22d95a1d41cee8ea452e8383469

SHA256
40ce7ea7995d25c558a20201c550c864f49e0017c70ea41627c824a67ee150d4

SHA512
bda41e5954b3eb65710ad7b326e44f4cac8051c55a5dc82707baf22e0f073ec7e86d58ddf93c11c53e085c40247eff05c87b74d4019191592aea7aa3ce646bec

Download Submit
C:\Program Files (x86)\SimHub\PluginSdk\User.PluginSdkDemo\Properties\is-8PAMS.tmp

Filesize
869B

MD5
c7e4cb0940f5e317f42a66225301124c

SHA1
d20794932e3520f93f586f879e14497053ffbfa1

SHA256
89b7a719f37fb5f05eae9ac2cfca5524eb51fa93493d18fa986dc843188ed970

SHA512
585cc61ed9bcecaba62d8815a493bdad6e75d795ce107fb9effb2043c152e8108108f693ac697f303ef83446e951cb69d80ed036f2290331b1d275597ae95652

Download Submit
C:\Program Files (x86)\SimHub\Web\Maps\is-HKUJ9.tmp

Filesize
2KB

MD5
9ad60eb2e118c08f02e79ca43899032d

SHA1
f8e9366afd97c1f51c6066edb33c8acb6e014a12

SHA256
200a2eabe5dc467a6a90b82d7f7dbefc57d1ce6b635bb4d2a89e27f07ae37884

SHA512
e45a40f8bce307d324ad3b26b88e12b77f823748289a9629dbca7c31f4101c0b8597f2b9b5b030cbb94c21415800f8c5dc4eda3de2f7d0b6ac1d4f99be47841a

Download Submit
C:\Program Files (x86)\SimHub\Web\favicons\is-THQBD.tmp

Filesize
8KB

MD5
0d938da3b9fffe5e7f432aa1ddc4a36b

SHA1
723df219d8a2454c1b07417fcc5def18e98b910b

SHA256
cdf152a353b5c68ecad6704ee35d265fdb294fbb4d7eab687f67dff94f0ae22c

SHA512
8232f8a5b11557afe68c5a889cac554e727981d8c43205f192a06ff7e1e03b8a367b95db3d34831a96989f4e9a655cff15dbad492377fd369aa5e0dcd34d387b

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\Adafruit_SSD1306\is-UCBC2.tmp

Filesize
1KB

MD5
66fb43118340f7cc82583caf93f47415

SHA1
865128d22f2f941292b47d3b685b3c5fe10b4439

SHA256
1f99f4614772f054a0ee4ce708932dff691c595b81cadc68129544a1c9d8e95a

SHA512
57115b1e68968d730ab0c05878cfc2e6692ccbaf98889af843a5b1926455104f8d5ff187404d0ef86be0cfed558570030456b4768f9585c40b7ca43f4a88e416

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\examples\CustomChars\is-VUOHO.tmp

Filesize
1KB

MD5
11178f695ca2164f9ad4f4abe67645a3

SHA1
9858388833f1df49050fe00e975690f6a267e5e0

SHA256
8cfd27ba18b16e8042a2ebaea8106bf18a86c5a41021ba89add3fedd079f7391

SHA512
d84772772952353c1eaa17b04ba566e8715546c6bc4b95a187d866d8cf6190c9d4225ffddc09f0d4e9f6af7da40dc768c4eee57b7f40a9ab064077a8ae90bac4

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\examples\HelloWorld\is-O1N58.tmp

Filesize
633B

MD5
fd5cfbf92deefe33d610b0e4b8260ecc

SHA1
55a2e72c20ca1dc856f8f1a6c5b8bcb7d762d230

SHA256
418229fa3cc93de2a1b6908f6543bd1be5fa9254233d5f5aeec91eeb95b02769

SHA512
1edf715cb9938d117cc04ff878c2bd5ab52b68df195bc0c27c0172dc0851bbd3683bd03e20e9f219eb3ffc68828478069c1c4baf4ce4dbba374f74ca5aa91e28

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\is-85O2L.tmp

Filesize
85B

MD5
5e59d4dcd20876e95889dcb79427324d

SHA1
a3f62c33c644cd380d667ce9275ea79cfae0e165

SHA256
696e65fdb9383f3536110163dd2da87918aa5bfa8e0d46a984926534ce867e30

SHA512
28d7a7c221fe95233fdb709d02a71e6bc9a94ccb542904b6975e966ff6ab3ac9182e0e86d1ed9c53d033c442039742b7e95c5da6408d19b3d01c2e85081bbe22

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\is-EC689.tmp

Filesize
1KB

MD5
f9e7372c40ae2155506ba101320d4113

SHA1
0e6172ff43bcfa6886c0caa7ffc66b6cd6e307f4

SHA256
875e705e1f5b5f651da926147208e6843c3bad313a46f6c0e1141c8e4a61b0b5

SHA512
aa35c5a8d3eeaa743af851d23c391f296c0f749fde638625b2648f7fa69ea11dd94940fdc82f57c3c1e68825cc71c595b7312ab0797adfad68a6f1960d7ceb84

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\is-FHP45.tmp

Filesize
325B

MD5
e86973fb145f7325aff9bc2ef84ae798

SHA1
78ebe9858c18e93525d7e914917283ec00b79465

SHA256
324c69979ab30b1bc2db5352c1b84048baffcc2f5834cd0cda15a3565f4412e1

SHA512
7f8039607ee17f75c090e3b336784ef17e3396e44d9231500dc2e575443ce49d3d5641a55af27f506f2ecb3c17b21e29ed771d765a07a1beca11fd6b1ca62bf3

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\is-IA7DV.tmp

Filesize
436B

MD5
43ff49c742974031958a3cc6c350791f

SHA1
8f52edd1bd339f155f45fbc59f54d3aca5db2002

SHA256
4e69a888af100a9433b80a0240e7591a51165d0e2751385dbb815f7df617ef12

SHA512
a4ae8dc0ee4b1284c31e200e87663664be8bb6f17021b4e3ef8a064271f43d34c535d0c1a0cc05d6318d7e9ec599a6719d2f9bb0ad3154c80522aa2e87486fb7

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\DisplayClientV2\GroupPictures\is-0ENPP.tmp

Filesize
64B

MD5
99b9e5722bd18056e953ef59525f2ff0

SHA1
b5ce0cf0eb707fc6c4ab4db9fb95952fcee2cc0d

SHA256
7a92a0f8c03cf401c3ffb04f41efe74c573c4817ea3543bd6e91210b07da3cdd

SHA512
d498d5a83a0528eff93d8589b4333c578f02070a08865175d4d395c5e082408b159f62373447e0a2fcec5ba16fbf7a7b305ff3a4f8324f5ec2e177562db6302f

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\DisplayClientV2\GroupPictures\is-MQ9G0.tmp

Filesize
51KB

MD5
478c4b58c623ca570eb9e1e6a7145c29

SHA1
dc428e934b13e7d1342e49ff272476aebb5cb99d

SHA256
881082f48456436133aa31c84e5415f5840964541c0b9a6554229dd5d4e18ed6

SHA512
56a7c3952c81a2b73c87b455e3c3269f484bbdae0499c88f549573a2c169c4a9609628227a9954fefa37ade3fe137f12399a74fb15c9406bcc04d047b3b9b279

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Adafruit_MotorShield\.github\is-8O9PG.tmp

Filesize
2KB

MD5
7d61986043b9ef22e030b140a5c001b4

SHA1
652d3d481000f18a43af45188ef0026da1263c79

SHA256
79cbe99bff2e50148436f69709c034fd715fc94029b1fc57608a236831bba709

SHA512
afca534413df82681722a9bfc4c341f5a00900d9b654d06319fcfd5c9becd5f751c5f49fff67d5fa846ea8699ee8b5d34bd78d0c3362317e1d89d5bcfb05c4e0

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Adafruit_MotorShield\.github\is-CRA0U.tmp

Filesize
1KB

MD5
ac878d0db90351057ad99ff2f242d03b

SHA1
b9e2d82a7bbc918f2d7559a1f6bb21522e4a4401

SHA256
04173fc3d44de8a0606fca9017be0e60d212492b2ba9a5395d43e957c9d7d463

SHA512
8239f5011ccdf9a0deeadb0d9b1e34635c3b43d927769fd2ccc6c2b23b65d86b1a6792ac4e433dad35c102ec4a70fb99f18bac40b86c4b79a6fae5cb3ed08577

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Colorduino\is-E8IUJ.tmp

Filesize
34KB

MD5
fe06497acaf4f45999925d348c2605f9

SHA1
b6a5bf31d55a76b5fa0d70db9969a43edc48b9f7

SHA256
b3d1eae7f524fc9ddd48562a4652efd2bcd848e38b03f05e388bcce943e73df2

SHA512
ad434615208807905dd2e09a4fbfbd3169dc6b46eaf08a4e849ff12a859a02786d05155403a1637faf15092231067636199cacacb6fb96a0060b96bfb796e161

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\LiquidCrystal_I2C\is-EM4KQ.tmp

Filesize
1KB

MD5
3e769fc52a7b8ffccc88317776fa6a6f

SHA1
537f1124adf64adfb4714e10ba1c0787260059ec

SHA256
8a19580dba46dbc7b73a861ab252be427a74416ff956c13ae6c937b793f84d03

SHA512
438c0a0704928d511d68f0c7d70f9689802913c677f5b440440cb7a35ae5efc2b6b9ed6afd1194497e5fc847d3aee333672f67ffa46dc811e63b49a99caae241

Download Submit
C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\LiquidCrystal_I2C\is-Q353N.tmp

Filesize
40KB

MD5
49667ff15acd3540fd3110d52e5cf68b

SHA1
6db97b26aacd9d11bb634e15c13dc23044cfccc0

SHA256
0381135dcb79324d86a81d8d591007d03f1f2abe6dd212e0ff40e2bd1a8aa33d

SHA512
041c497037504ce1d7c08b4655d7ad876db9f3feaa20a850c5f2722a0165b2d5a83b385a4092f0f442b1b969cb27d65c8e0d35889dea4e0e97db6b8914df47cb

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
819afeff29177cdaf757590271642546

SHA1
dc0ae3c4e4171bd73cf0662a8d73e8c037991766

SHA256
eb8246e9001ebbf9dc2f1ffd150ade6d9de84d40929a559348e1ea83d418331f

SHA512
f0bbf90bf8d78889b67e5de5b0080d55298f873bb460d85df980c920662a35907acd4ebc7961b329b0bb25c8ff77ebe80fa50b53566089c984bec43b2d0f69e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b65467d003151c59232b23915b1c42b5

SHA1
3acf8408ce535903be927463c37cf8b95ce18a05

SHA256
dd8f717135bac6c52c79d757f3c1806743a4eb2a2d6949e5360fc85aee20aaac

SHA512
21c6f84cc8b420ca3197075f4267767c4afc699faecd7d67b76d19413e826b930a7b80019e14fab64fc545647d8379cbc7049ea38dd95c30ef3f04a6fd7e13e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB1C9.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\wixstdba.dll

Filesize
117KB

MD5
a52e5220efb60813b31a82d101a97dcb

SHA1
56e16e4df0944cb07e73a01301886644f062d79b

SHA256
e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf

SHA512
d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.wxl

Filesize
2KB

MD5
fbfcbc4dacc566a3c426f43ce10907b6

SHA1
63c45f9a771161740e100faf710f30eed017d723

SHA256
70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce

SHA512
063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.xml

Filesize
5KB

MD5
0056f10a42638ea8b4befc614741ddd6

SHA1
61d488cfbea063e028a947cb1610ee372d873c9f

SHA256
6b1ba0dea830e556a58c883290faa5d49c064e546cbfcd0451596a10cc693f87

SHA512
5764ec92f65acc4ebe4de1e2b58b8817e81e0a6bc2f6e451317347e28d66e1e6a3773d7f18be067bbb2cb52ef1fa267754ad2bf2529286cf53730a03409d398e

Download Submit
C:\Windows\Installer\f7876d7.msi

Filesize
180KB

MD5
41d7231c971401af43de5e4f16974d04

SHA1
b92336facfc5c7311ce18e11a68548acd3ef91f0

SHA256
cb7e1fbe83913dab01fae8cb0cc7a49a4ade23546afbf7ddcc517a0ca97b5806

SHA512
b504eaddf4d95db00169c61a9293d195e8bb656e26b36eb0264bd0fc589707c7ace684e0f4941c8f10438969cb3598e1d8dae1a6b74537186a8e34fa028bc011

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log

Filesize
118KB

MD5
c638e306e239aab2b58422ffdc7b2889

SHA1
cb44a0e0276977e4e2d338728572f7e80720d304

SHA256
2417768d21954f574d0fb4020a4d1e19bafc9f935911c2cb3a0ee93782514f1c

SHA512
ac359283f608e1073b4a12b314d6163313707e2683b54502755d8b9a13ff9a89f96ceb8c400781132578c7606979531d926bd9b04804aadd55f4fa27d3f500be

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
067e4f68781a8f3e5ff483be916bd6ca

SHA1
d28a1cae7086964ddee3f118a1f3a396f709a6f3

SHA256
d6a148de7d8a4e269c49d0cda6fd3395ddd0027ed84e40f69959ed00a2b495b2

SHA512
153e6c0b61851aa47e49db6f310a7d2c9b200f89647f9dd1315b60407bc270f91db5783696c72e04fe444919d72db50543bb7e523518a47be4798ff84cef1800

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8ceb90fd4cf8383e87d14074fa7f3567

SHA1
81ae286120561a8ddde2eba8f7310c2950d83dbb

SHA256
f52f3e464637e822abdf4f0c9d8b045f61f01b4c10eb6b04729e2477dd8ea0ff

SHA512
faae234c565cc33f254a23438c63fa3c931356299a5e1f0ce7a52682864f5f0746fdf542f7e0090337baaf0b9a7fabcf74873b3f0fc12e4a2ac0df0c14a3cf2d

Download Submit
C:\Windows\Temp\{243D6DB9-790A-4194-A7E2-134DD7B680A2}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{FDD1CC30-1BE1-4871-B490-CF3A8BCA173F}\.be\VC_redist.x86.exe

Filesize
634KB

MD5
2389d29f633df11642dff1bf5f21eb35

SHA1
ce85460fd7cde25528142f4cdca4e6013bb4b1e8

SHA256
ab91fbaab09a94839ba839275338ac42fe2661781d371e517f9b2e4866e2cc55

SHA512
59d607112566d13d15a8de8e18be204e8bf0d2010310ebc9c8589ceb42fb8fce7800a6e58f30ffb92d4c1b3e0d17c1a2076a478de753e5334971465c52f8eeed

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
18KB

MD5
e1572c12f1af1f85a0d161cecd6700bb

SHA1
b35d571ca39f59ab80dbfd5393688a0f2fd0fa54

SHA256
0488131a818ce2fd2dfc3e5c04d2af79931a813dccaa8f69d61d38bbefb95ca2

SHA512
3dd173b27263072edffa9f5309c358ed02e52e02f5eba430deb7fe4299c729a6ef1531d2b5994878272c7b9570fd92bf8c1d7ef02b4c64b81e3cf13b4bf80b80

Download Submit
\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
11fe091ace9d03b9ada6d5a22d12c0d0

SHA1
5379ebe84500d425586904e7f9ac0393ab2a9d24

SHA256
50f4ed60a507ce9dd1f3f4e7d53053d923cb71594374a25251746a9b2271e4ee

SHA512
0f39af99697332c697ca62e2708e0a9200552a55f2d3057b64e9b18df2fe2828be750b14b5336ac9518b4c1282e82cd170b64587cf56b45b840ca231108b7fdf

Download Submit
\Program Files (x86)\Microsoft\Temp\EUA42B.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
0bec55833f356f89b8d9d63727ddc43e

SHA1
8dcfd2b8292ab7a585a8a4e40d61b81c96b63f5c

SHA256
b360afadecb2334ba103d515c506e792cb9aeea5925a6cf85dbfd786a225ffc3

SHA512
6592f21800f91474d2ade6102a0d0d36097e5552278e5aa390e52dccc838b323f9a4b89b6c879c56621d0de84a9ef054f695a6fdc267c9142a3d234bf3a2460c

Download Submit
\Program Files (x86)\SimHub\Redist\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
2fbe10e4233824fbea08ddf085d7df96

SHA1
17068c55b3c15e1213436ba232bbd79d90985b31

SHA256
5b01d964ced28c1ff850b4de05a71f386addd815a30c4a9ee210ef90619df58e

SHA512
4c4d256d67b6aadea45b1677ab2f0b66bef385fa09127c4681389bdde214b35351b38121d651bf47734147afd4af063e2eb2e6ebf15436ad42f1533c42278fa4

Download Submit
\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe

Filesize
13KB

MD5
fe55e47d1e66304c016d2dbe93836f0d

SHA1
da658edd6a5da8bd6b361e2aacca6cb9305a2368

SHA256
d526f353df1ad22fb1d00c5d47e40988d4c26c55127da937913d3d41c0828e2e

SHA512
9cb97945895db4772688486b710eda8971d84707f7ddf6a7fb55fb33147dced14e07849eb0fd5067466d867796440fc303aa92912790abb2a82430f2f6224a16

Download Submit
\Program Files (x86)\SimHub\SimHubWPF.exe

Filesize
1.7MB

MD5
7509947901239bf8d1935e6d6b16c5d4

SHA1
4433b22066cb28526dc90eb9bfae25021e845f6e

SHA256
b630be7d9d061254e747fc68fbda8829211241693422db012eadf5284b8e7857

SHA512
9f41d86063998353344eddfdd672edc96fa76af8ea81a45c4d99829369dc93a021ebbafd6078ba94edc1fdfefefe51cd1974a5f21b5c9f9b3cbf297574d1d984

Download Submit
\Program Files (x86)\SimHub\unins000.exe

Filesize
3.2MB

MD5
9223835757f52f4d7ad821b71863be54

SHA1
650b3683d40d1df0aa8901f3ab90cf49b5963841

SHA256
3b30a8bd6018b8f1cd3f9efc041ebbf56393024f12672936635374054af3bd1d

SHA512
2d42ca484939415f7028ae7ca260cd31cdb136415b89c95cc29bf36568d37a863a016192cf56fe5ceed924cdb13418bb369aab637b646bcef0d8cdfbcc5de145

Download Submit
\Users\Admin\AppData\Local\Temp\is-FDRQG.tmp\SimHubSetup_9.2.12.tmp

Filesize
3.1MB

MD5
133b8ce9c332a293fa76c99395532bc2

SHA1
9f7b607b164f4ebae55cc00d70b2982d633d4a9b

SHA256
b398b5700ffbfc124f28c8001c63510e47308bf777c780fa3940dd639c5f50fb

SHA512
a29d4a6f1bdada70304c8d94acec2337d3567c885544eefd4c837adab79df83f32e04f9360610575e8a7db5b0fdd4f3c4e0a0e2318f12ddf05713fb0bc168bb1

Download Submit
memory/304-8323-0x0000000005590000-0x0000000005642000-memory.dmp

Filesize
712KB

Download
memory/304-8319-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/304-8320-0x00000000005E0000-0x0000000000626000-memory.dmp

Filesize
280KB

Download
memory/304-8321-0x0000000000640000-0x0000000000678000-memory.dmp

Filesize
224KB

Download
memory/304-8322-0x0000000004E70000-0x0000000004F00000-memory.dmp

Filesize
576KB

Download
memory/304-8328-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/304-8324-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/304-8329-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/304-8325-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/1032-7324-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1032-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1032-6134-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1032-5598-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1032-5438-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1032-2702-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1256-6870-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/1256-6863-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/1256-6234-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/1272-7740-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/1272-7542-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/1540-7303-0x0000000000AE0000-0x0000000000B14000-memory.dmp

Filesize
208KB

Download
memory/1540-6172-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/1540-6171-0x0000000000AE0000-0x0000000000B14000-memory.dmp

Filesize
208KB

Download
memory/1976-2699-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1976-2-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1976-0-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2216-8362-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/2216-8371-0x0000000006CF0000-0x0000000006D02000-memory.dmp

Filesize
72KB

Download
memory/2216-8419-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

Filesize
40KB

Download
memory/2216-8418-0x0000000007920000-0x0000000007AAA000-memory.dmp

Filesize
1.5MB

Download
memory/2216-8416-0x00000000078D0000-0x00000000078F4000-memory.dmp

Filesize
144KB

Download
memory/2216-8417-0x0000000007900000-0x0000000007918000-memory.dmp

Filesize
96KB

Download
memory/2216-8415-0x00000000078C0000-0x00000000078CC000-memory.dmp

Filesize
48KB

Download
memory/2216-8414-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/2216-8413-0x0000000007870000-0x0000000007884000-memory.dmp

Filesize
80KB

Download
memory/2216-8412-0x0000000007830000-0x000000000785A000-memory.dmp

Filesize
168KB

Download
memory/2216-8332-0x00000000052C0000-0x0000000005482000-memory.dmp

Filesize
1.8MB

Download
memory/2216-8333-0x00000000029D0000-0x0000000002A82000-memory.dmp

Filesize
712KB

Download
memory/2216-8334-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2216-8335-0x0000000000B80000-0x0000000000BCA000-memory.dmp

Filesize
296KB

Download
memory/2216-8336-0x0000000000C20000-0x0000000000C42000-memory.dmp

Filesize
136KB

Download
memory/2216-8337-0x0000000005490000-0x0000000005E2C000-memory.dmp

Filesize
9.6MB

Download
memory/2216-8338-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/2216-8340-0x0000000002B90000-0x0000000002BE4000-memory.dmp

Filesize
336KB

Download
memory/2216-8339-0x0000000004F10000-0x0000000004FCE000-memory.dmp

Filesize
760KB

Download
memory/2216-8341-0x00000000050F0000-0x000000000520E000-memory.dmp

Filesize
1.1MB

Download
memory/2216-8342-0x0000000005E30000-0x00000000061A8000-memory.dmp

Filesize
3.5MB

Download
memory/2216-8343-0x0000000002BF0000-0x0000000002C02000-memory.dmp

Filesize
72KB

Download
memory/2216-8344-0x0000000002E40000-0x0000000002E86000-memory.dmp

Filesize
280KB

Download
memory/2216-8345-0x0000000005210000-0x0000000005292000-memory.dmp

Filesize
520KB

Download
memory/2216-8346-0x00000000061B0000-0x0000000006240000-memory.dmp

Filesize
576KB

Download
memory/2216-8352-0x00000000062D0000-0x00000000062F0000-memory.dmp

Filesize
128KB

Download
memory/2216-8351-0x0000000004FE0000-0x0000000004FE8000-memory.dmp

Filesize
32KB

Download
memory/2216-8350-0x00000000052A0000-0x00000000052B8000-memory.dmp

Filesize
96KB

Download
memory/2216-8349-0x0000000002EA0000-0x0000000002EC2000-memory.dmp

Filesize
136KB

Download
memory/2216-8348-0x0000000006240000-0x00000000062CA000-memory.dmp

Filesize
552KB

Download
memory/2216-8347-0x0000000002C30000-0x0000000002C3C000-memory.dmp

Filesize
48KB

Download
memory/2216-8353-0x00000000062F0000-0x0000000006434000-memory.dmp

Filesize
1.3MB

Download
memory/2216-8354-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/2216-8355-0x0000000006480000-0x000000000650E000-memory.dmp

Filesize
568KB

Download
memory/2216-8357-0x0000000006580000-0x0000000006588000-memory.dmp

Filesize
32KB

Download
memory/2216-8356-0x0000000006540000-0x0000000006572000-memory.dmp

Filesize
200KB

Download
memory/2216-8358-0x0000000006590000-0x0000000006670000-memory.dmp

Filesize
896KB

Download
memory/2216-8360-0x0000000006AF0000-0x0000000006B0C000-memory.dmp

Filesize
112KB

Download
memory/2216-8411-0x0000000007780000-0x000000000781E000-memory.dmp

Filesize
632KB

Download
memory/2216-8361-0x0000000006B10000-0x0000000006B42000-memory.dmp

Filesize
200KB

Download
memory/2216-8363-0x0000000006B80000-0x0000000006BC2000-memory.dmp

Filesize
264KB

Download
memory/2216-8364-0x0000000006BE0000-0x0000000006BF6000-memory.dmp

Filesize
88KB

Download
memory/2216-8365-0x0000000006C00000-0x0000000006C4E000-memory.dmp

Filesize
312KB

Download
memory/2216-8366-0x0000000006C60000-0x0000000006C80000-memory.dmp

Filesize
128KB

Download
memory/2216-8368-0x0000000006CA0000-0x0000000006CBA000-memory.dmp

Filesize
104KB

Download
memory/2216-8367-0x0000000006C80000-0x0000000006C90000-memory.dmp

Filesize
64KB

Download
memory/2216-8369-0x0000000006CC0000-0x0000000006CDC000-memory.dmp

Filesize
112KB

Download
memory/2216-8410-0x0000000007770000-0x000000000777E000-memory.dmp

Filesize
56KB

Download
memory/2216-8370-0x0000000006CE0000-0x0000000006CEA000-memory.dmp

Filesize
40KB

Download
memory/2216-8372-0x0000000006D10000-0x0000000006D1A000-memory.dmp

Filesize
40KB

Download
memory/2216-8375-0x0000000006D50000-0x0000000006D5A000-memory.dmp

Filesize
40KB

Download
memory/2216-8374-0x0000000006D40000-0x0000000006D4A000-memory.dmp

Filesize
40KB

Download
memory/2216-8373-0x0000000006D30000-0x0000000006D3E000-memory.dmp

Filesize
56KB

Download
memory/2216-8376-0x0000000006D60000-0x0000000006D98000-memory.dmp

Filesize
224KB

Download
memory/2216-8378-0x0000000006DB0000-0x0000000006DBA000-memory.dmp

Filesize
40KB

Download
memory/2216-8377-0x0000000006DA0000-0x0000000006DAA000-memory.dmp

Filesize
40KB

Download
memory/2216-8409-0x0000000007760000-0x000000000776C000-memory.dmp

Filesize
48KB

Download
memory/2216-8382-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/2216-8383-0x0000000006E00000-0x0000000006E08000-memory.dmp

Filesize
32KB

Download
memory/2216-8384-0x0000000006E10000-0x0000000006E18000-memory.dmp

Filesize
32KB

Download
memory/2216-8385-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/2216-8386-0x0000000006E40000-0x0000000006E48000-memory.dmp

Filesize
32KB

Download
memory/2216-8387-0x0000000006E50000-0x0000000006E58000-memory.dmp

Filesize
32KB

Download
memory/2216-8388-0x0000000006E60000-0x0000000006E68000-memory.dmp

Filesize
32KB

Download
memory/2216-8389-0x0000000006E70000-0x0000000006E78000-memory.dmp

Filesize
32KB

Download
memory/2216-8390-0x0000000006E80000-0x0000000006E88000-memory.dmp

Filesize
32KB

Download
memory/2216-8391-0x0000000006E90000-0x0000000006E98000-memory.dmp

Filesize
32KB

Download
memory/2216-8392-0x0000000006EA0000-0x0000000006EA8000-memory.dmp

Filesize
32KB

Download
memory/2216-8393-0x0000000006EB0000-0x0000000006EB8000-memory.dmp

Filesize
32KB

Download
memory/2216-8394-0x0000000006EC0000-0x0000000006EC8000-memory.dmp

Filesize
32KB

Download
memory/2216-8395-0x0000000006ED0000-0x0000000006ED8000-memory.dmp

Filesize
32KB

Download
memory/2216-8396-0x00000000070E0000-0x000000000719A000-memory.dmp

Filesize
744KB

Download
memory/2216-8397-0x00000000071B0000-0x0000000007309000-memory.dmp

Filesize
1.3MB

Download
memory/2216-8398-0x0000000007340000-0x000000000734C000-memory.dmp

Filesize
48KB

Download
memory/2216-8399-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/2216-8400-0x0000000007360000-0x000000000737A000-memory.dmp

Filesize
104KB

Download
memory/2216-8401-0x0000000007380000-0x00000000073DE000-memory.dmp

Filesize
376KB

Download
memory/2216-8402-0x00000000073F0000-0x0000000007472000-memory.dmp

Filesize
520KB

Download
memory/2216-8403-0x0000000007490000-0x000000000749E000-memory.dmp

Filesize
56KB

Download
memory/2216-8404-0x00000000074B0000-0x0000000007530000-memory.dmp

Filesize
512KB

Download
memory/2216-8405-0x0000000007530000-0x000000000765E000-memory.dmp

Filesize
1.2MB

Download
memory/2216-8406-0x0000000007680000-0x000000000768C000-memory.dmp

Filesize
48KB

Download
memory/2216-8407-0x0000000007690000-0x0000000007716000-memory.dmp

Filesize
536KB

Download
memory/2216-8408-0x0000000007740000-0x000000000775E000-memory.dmp

Filesize
120KB

Download
memory/2264-6233-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2264-6717-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2796-6720-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2796-6236-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2928-7485-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2928-7737-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2928-6940-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2928-6877-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2928-6871-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2928-6864-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download
memory/2928-6235-0x00000000743F0000-0x0000000074608000-memory.dmp

Filesize
2.1MB

Download