wannacry | 8196752e9a340a78fe1461f38b2aa2fa5541ec162dbde4c7bdc189293dfbb7d9

Analysis

max time kernel
136s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Size

5.0MB
MD5

b8755ef6ad476b5c3d5d801af554d6b2
SHA1

41937fa0343af2682b4e40c0d3c48a01f0f552a5
SHA256

8196752e9a340a78fe1461f38b2aa2fa5541ec162dbde4c7bdc189293dfbb7d9
SHA512

09b5878301985c41a5fe519a44331fd221869447e347ebe91ee8aae8cd193f7a834f59e133fbff602689877d4f4c9fb97edfa7286f1df5376a304084f9aaeba0
SSDEEP

98304:G8qPoBhz1aRxcSUDk36SAEdhvxWa9P5xD527BWG:G8qPe1Cxcxk3ZAEUadXVQBWG

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3186) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2804	alg.exe
2776	tasksche.exe
2648	aspnet_state.exe
2664	mscorsvw.exe
2488	mscorsvw.exe
2652	elevation_service.exe
1368	GROOVE.EXE
1880	maintenanceservice.exe
1988	OSE.EXE
1264	mscorsvw.exe
2520	mscorsvw.exe
2864	mscorsvw.exe
872	mscorsvw.exe
2252	mscorsvw.exe
776	mscorsvw.exe
1044	mscorsvw.exe
2688	mscorsvw.exe
2532	mscorsvw.exe
2060	mscorsvw.exe
2576	mscorsvw.exe
2468	mscorsvw.exe
1688	mscorsvw.exe
1760	mscorsvw.exe
2164	mscorsvw.exe
1744	mscorsvw.exe
2696	mscorsvw.exe
2952	mscorsvw.exe
1892	mscorsvw.exe
2244	mscorsvw.exe
2084	mscorsvw.exe
2968	mscorsvw.exe
1096	mscorsvw.exe
1712	mscorsvw.exe
2040	mscorsvw.exe
2316	mscorsvw.exe
3024	mscorsvw.exe
108	ehRecvr.exe
1536	ehsched.exe
2368	IEEtwCollector.exe
1332	msdtc.exe
2244	msiexec.exe
2028	perfhost.exe
1560	locator.exe
2252	snmptrap.exe
2700	vds.exe
2396	vssvc.exe
2228	wbengine.exe
1784	WmiApSrv.exe
1340	wmpnetwk.exe
1616	SearchIndexer.exe
2408	mscorsvw.exe
3028	mscorsvw.exe
2880	mscorsvw.exe
3164	mscorsvw.exe
3276	mscorsvw.exe
3428	mscorsvw.exe
3560	mscorsvw.exe
3776	mscorsvw.exe
3868	mscorsvw.exe
4028	mscorsvw.exe
2840	mscorsvw.exe
2880	mscorsvw.exe
3260	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2244	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
748	Process not Found
3276	mscorsvw.exe
3276	mscorsvw.exe
3560	mscorsvw.exe
3560	mscorsvw.exe
3868	mscorsvw.exe
3868	mscorsvw.exe
2840	mscorsvw.exe
2840	mscorsvw.exe
3260	mscorsvw.exe
3260	mscorsvw.exe
3344	mscorsvw.exe
3344	mscorsvw.exe
3736	mscorsvw.exe
3736	mscorsvw.exe
3992	mscorsvw.exe
3992	mscorsvw.exe
2924	mscorsvw.exe
2924	mscorsvw.exe
2596	mscorsvw.exe
2596	mscorsvw.exe
3372	mscorsvw.exe
3372	mscorsvw.exe
3836	mscorsvw.exe
3836	mscorsvw.exe
4040	mscorsvw.exe
4040	mscorsvw.exe
3980	mscorsvw.exe
3980	mscorsvw.exe
2500	mscorsvw.exe
2500	mscorsvw.exe
3424	mscorsvw.exe
3424	mscorsvw.exe
3576	mscorsvw.exe
3576	mscorsvw.exe
3376	mscorsvw.exe
3376	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\486d0efdd264f17b.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP189F.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE64A.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFCC6.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE8D9.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEC14.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\WINDOWS\tasksche.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE38C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF8A1.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFEB9.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{623A254D-6095-496C-8BA2-7C1BF8770B18}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000b6f6c579f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0d58ec879f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2288	ehRec.exe
2764	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
2764	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
2764	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
2764	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
2764	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2064	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeDebugPrivilege	2804	alg.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2764	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Token: 33	2204	EhTray.exe
Token: SeIncBasePriorityPrivilege	2204	EhTray.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeSecurityPrivilege	2244	msiexec.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeDebugPrivilege	2288	ehRec.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeBackupPrivilege	2396	vssvc.exe
Token: SeRestorePrivilege	2396	vssvc.exe
Token: SeAuditPrivilege	2396	vssvc.exe
Token: SeBackupPrivilege	2228	wbengine.exe
Token: SeRestorePrivilege	2228	wbengine.exe
Token: SeSecurityPrivilege	2228	wbengine.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeDebugPrivilege	2764	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: 33	1340	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1340	wmpnetwk.exe
Token: 33	2204	EhTray.exe
Token: SeIncBasePriorityPrivilege	2204	EhTray.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeManageVolumePrivilege	1616	SearchIndexer.exe
Token: 33	1616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1616	SearchIndexer.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2220	SearchProtocolHost.exe
2220	SearchProtocolHost.exe
2220	SearchProtocolHost.exe
2220	SearchProtocolHost.exe
2220	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1264	2664	mscorsvw.exe	39
PID 2664 wrote to memory of 1264	2664	mscorsvw.exe	39
PID 2664 wrote to memory of 1264	2664	mscorsvw.exe	39
PID 2664 wrote to memory of 1264	2664	mscorsvw.exe	39
PID 2664 wrote to memory of 2520	2664	mscorsvw.exe	40
PID 2664 wrote to memory of 2520	2664	mscorsvw.exe	40
PID 2664 wrote to memory of 2520	2664	mscorsvw.exe	40
PID 2664 wrote to memory of 2520	2664	mscorsvw.exe	40
PID 2664 wrote to memory of 2864	2664	mscorsvw.exe	41
PID 2664 wrote to memory of 2864	2664	mscorsvw.exe	41
PID 2664 wrote to memory of 2864	2664	mscorsvw.exe	41
PID 2664 wrote to memory of 2864	2664	mscorsvw.exe	41
PID 2664 wrote to memory of 872	2664	mscorsvw.exe	42
PID 2664 wrote to memory of 872	2664	mscorsvw.exe	42
PID 2664 wrote to memory of 872	2664	mscorsvw.exe	42
PID 2664 wrote to memory of 872	2664	mscorsvw.exe	42
PID 2664 wrote to memory of 2252	2664	mscorsvw.exe	43
PID 2664 wrote to memory of 2252	2664	mscorsvw.exe	43
PID 2664 wrote to memory of 2252	2664	mscorsvw.exe	43
PID 2664 wrote to memory of 2252	2664	mscorsvw.exe	43
PID 2664 wrote to memory of 776	2664	mscorsvw.exe	44
PID 2664 wrote to memory of 776	2664	mscorsvw.exe	44
PID 2664 wrote to memory of 776	2664	mscorsvw.exe	44
PID 2664 wrote to memory of 776	2664	mscorsvw.exe	44
PID 2664 wrote to memory of 1044	2664	mscorsvw.exe	45
PID 2664 wrote to memory of 1044	2664	mscorsvw.exe	45
PID 2664 wrote to memory of 1044	2664	mscorsvw.exe	45
PID 2664 wrote to memory of 1044	2664	mscorsvw.exe	45
PID 2664 wrote to memory of 2688	2664	mscorsvw.exe	46
PID 2664 wrote to memory of 2688	2664	mscorsvw.exe	46
PID 2664 wrote to memory of 2688	2664	mscorsvw.exe	46
PID 2664 wrote to memory of 2688	2664	mscorsvw.exe	46
PID 2664 wrote to memory of 2532	2664	mscorsvw.exe	47
PID 2664 wrote to memory of 2532	2664	mscorsvw.exe	47
PID 2664 wrote to memory of 2532	2664	mscorsvw.exe	47
PID 2664 wrote to memory of 2532	2664	mscorsvw.exe	47
PID 2664 wrote to memory of 2060	2664	mscorsvw.exe	48
PID 2664 wrote to memory of 2060	2664	mscorsvw.exe	48
PID 2664 wrote to memory of 2060	2664	mscorsvw.exe	48
PID 2664 wrote to memory of 2060	2664	mscorsvw.exe	48
PID 2664 wrote to memory of 2576	2664	mscorsvw.exe	49
PID 2664 wrote to memory of 2576	2664	mscorsvw.exe	49
PID 2664 wrote to memory of 2576	2664	mscorsvw.exe	49
PID 2664 wrote to memory of 2576	2664	mscorsvw.exe	49
PID 2664 wrote to memory of 2468	2664	mscorsvw.exe	50
PID 2664 wrote to memory of 2468	2664	mscorsvw.exe	50
PID 2664 wrote to memory of 2468	2664	mscorsvw.exe	50
PID 2664 wrote to memory of 2468	2664	mscorsvw.exe	50
PID 2664 wrote to memory of 1688	2664	mscorsvw.exe	51
PID 2664 wrote to memory of 1688	2664	mscorsvw.exe	51
PID 2664 wrote to memory of 1688	2664	mscorsvw.exe	51
PID 2664 wrote to memory of 1688	2664	mscorsvw.exe	51
PID 2664 wrote to memory of 1760	2664	mscorsvw.exe	52
PID 2664 wrote to memory of 1760	2664	mscorsvw.exe	52
PID 2664 wrote to memory of 1760	2664	mscorsvw.exe	52
PID 2664 wrote to memory of 1760	2664	mscorsvw.exe	52
PID 2664 wrote to memory of 2164	2664	mscorsvw.exe	53
PID 2664 wrote to memory of 2164	2664	mscorsvw.exe	53
PID 2664 wrote to memory of 2164	2664	mscorsvw.exe	53
PID 2664 wrote to memory of 2164	2664	mscorsvw.exe	53
PID 2664 wrote to memory of 1744	2664	mscorsvw.exe	54
PID 2664 wrote to memory of 1744	2664	mscorsvw.exe	54
PID 2664 wrote to memory of 1744	2664	mscorsvw.exe	54
PID 2664 wrote to memory of 1744	2664	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2064
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Users\Admin\AppData\Local\Temp\2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 24c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 23c -NGENProcess 26c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 278 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 244 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 244 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 24c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 28c -NGENProcess 260 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b0 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 254 -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 230 -NGENProcess 218 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 264 -NGENProcess 244 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 23c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 270 -NGENProcess 218 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 244 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 218 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 258 -NGENProcess 240 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1e8 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 244 -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 240 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 240 -NGENProcess 1e8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2b8 -NGENProcess 1d4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1d4 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2b0 -NGENProcess 1e8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1e8 -NGENProcess 2b8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 1c4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1c4 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 260 -NGENProcess 2b8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2b8 -NGENProcess 254 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2bc -NGENProcess 254 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 254 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2c4 -NGENProcess 260 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 260 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2cc -NGENProcess 2a0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a0 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:3856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2dc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2dc -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2f8 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2ec -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:3220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:3568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2ec -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:3696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:3548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2ec -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:3116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:3252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2ec -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:3660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2ec -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:3592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 304 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:3744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:3724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2ec -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 304 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:3520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2ec -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:3908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 304 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 308 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 308 -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:3444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 378 -NGENProcess 304 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 35c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:3264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 370 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:3372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:3828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 35c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:3700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 370 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:3684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1880

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3024

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:108

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1784

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1616
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:872
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
2f00d03641e8f126c2434b2a28f82f0a

SHA1
e220fe35cee44ab46f718e6ec20977ea50f62f8d

SHA256
647520d98b15144b083f12054c7b406a44fd0869a62b66cb98b3c4244d4df1de

SHA512
9dc9278be67d6cdbd0ac7f996b1f298c7b6d56c42d718d7f15294045420922d54440a5ff29764ea9e00712207c9ba552d637386c66f9797a75b007a96dc632de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
24ff2d929a6739d61ba1374faa17f8d1

SHA1
92250ea73f7810e22edaf07b5fe9d2642d972dfe

SHA256
b05eac9d791110b8b3660c494ec90ec93dfa59caa05247e67edf1438cf6647db

SHA512
f05dd5c4ed3c06684f2c0775b3514cc6532fd5d8228bcbdf0546a7d575d42dbd5339443ff5c07f91cb528622a80ab5d594b225df64e77f6057b4d85ad7e7b903

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
abca5db1d092016b911e00a6887caee1

SHA1
ae120b059806ac29089510f6748febec0792839d

SHA256
026793d4d34c864f11f8c4a451671b02cb17bd3df78376367c6d7668fb821988

SHA512
efc4b4ec1d2bea99a5e96aa4d55896922d7c9ab4d185b883f4034ccae34fa24eafd3dc0c15ae949c3481b19a124bd18b696e1818122cd976ed7c1b06b98fd260

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cc7a906e1bc5aa06131c0806d6b57854

SHA1
4c939cd9d1f3dea07e86dfcff0080d1be0e2edab

SHA256
775b05d79482069c36fd40d545eac606b265d22055e9344375e8813d1b754502

SHA512
98aa532af1070274685ac3e2f31dc0fda10a7607193fc42a1ec891df20dc7553e68f1a5b7b98c264f1025cf6b835ff97bff2b2115f539e18cd00275cbb38298c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7b7c08289837ed522cd0d7200b3b243a

SHA1
5c3dc3a4b870007b22311c4d9872dad418c65eba

SHA256
6a674398b46772261ea903e80d992b71875d773a656be6ceab2ace7f2168c241

SHA512
ff555394ad943e37a1e30cec9cbe07cfe399b5535908102b906880903df4f7d6c70dda81876c0d5e1fa5b6158c7a62ac2649a6a8b9945975e3158a3c3a557d64

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
75e83a81bc0bb75ceaf39d09746297af

SHA1
66ed777b3244e51588f1089a02583b550fb9e8b3

SHA256
206a83d7d86440d04f60cc3b030ea7dcbf102371e74a93d0857a7b3924c6b34c

SHA512
62d9f0bdf791f9ff88ffcd6ccd05e379a469891cb7c4c150e1767a23feb3d93c07ca419fe62b09a7fbe285e8ae7154fd858b91fc29bdaa803b8919334dfde21c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4bbf5f6a8dd65c4b7936842a0d17d9c6

SHA1
0060e2045e90000e77b9ea2a235c989589b9aa3a

SHA256
edd6654925096df4cf2883fced1ee4d57b6f9ac2c03cbe4aca71c9d6ea98330c

SHA512
7645ae7be0248c902e5aedeecc9045efa6fe86fc39a005f67ab038c9cbca65dc3973475fa73088026e73f5ef2d42de8a71496820087c6939612540cb053702cb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
343c74b535a96d2a729463a470262262

SHA1
d7ddc042eadfe03693b5fd3c2dcd92de9c76549d

SHA256
beb7fdfe3685de34c2954bae411a16620d51cdcbb34c38ef85f4be6816d22c4e

SHA512
afa80267599e6904557fe4af7a644c7bca37e261c29b61743ae2274c007fc45ecaf27d56faaa08a718a98628c8926f403516ad84f8de7938f34f1ad119cc87e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
123671d58eae43f6cc1749e032de299f

SHA1
1cceb5f2f0a04e30ba19d00132e26eb96e45f98c

SHA256
6d9f65ca3ed318317524dc3f87e8e814e7050a77fdd5a07af93a9f5d99e6157c

SHA512
8c5969f477c3c70e33609650ff1c3f582de806db4d5a175a91440fee8b9deb0d448c1b6bdbf504f871532208aa588b3c2284e24f1c50030fabf365d5a60d0562

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4847280440aaf25315f49f93fa814fdb

SHA1
8cac398443935b7ff33bebafdf224d5a69a4e636

SHA256
17b5864b733e0ae8294bd2666184fb46b3f6e56a40521e27788be69a7fb47d24

SHA512
bd7f4b653c2a543e1b8cec161e098c13acd66a33b420f82798cb999e3f3d70b3c16817fd54efc528ec013100c748fd8cda001c8c1789b055db77d024749b522e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7c409469ae3f581eec960cb01bb72861

SHA1
00be3ae0d80b7d614c1bfe0d3513dc5fa6003f29

SHA256
8d0d0d8fb39591ddf0c16412d08913226f4e0e0ed6ec73044fd3adb3e17c42cb

SHA512
d30cf99e687db09b82fdd507ca76119fce06d0bf4748e95353a859587431ac379cd145c7f5e0fa6c45a47cac2b75d967b8d6620b922b861ae2576ae5ff196355

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
a529f73ef56f827ba51d3b567cf6ba2e

SHA1
ff2a69c8bc137cc86034631f963319129ea3711b

SHA256
c5a8d6006109483bf3758863ea2af8a609783ba240a2f48ab1693cf632abfcb3

SHA512
f116b5b6d8e76ea4b180240247a43d9f4f996f111de2f6a255a9cc52afc177110277f764761756c3495205e5b82ce4fa0c56297b556a861074fde678241d9bcd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
b8a1b09a8a88fcbd774d8d42f15260d2

SHA1
fb3607a0febdb0cb9fe7c084be8ec6643801ce56

SHA256
012ef12568b4eddb851c021d589d2764f00b88c47097d10bcf4e42f5d894e057

SHA512
1a0762702e47e4ca30bfeef51ed11dc92731c2450fff79e1ae9b6a3f3d41f94395167f1f00b46df935a506643c9001f48eab29fa892da695203191aa228cc34a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\020999f6671267703f6e11b6fbe1a170\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
f155f86c90ca2216177727302d5ea4b5

SHA1
c77c0a1542f6ba92f56574d2727f97eb5e8a033a

SHA256
c833790214afef318212fb4079cf057096c2380c7f29e2ac561010487d778289

SHA512
d08ef9eece111ec9c5af1929611a2b0be683ac73f9793633cf5b0016ae86d15a2fd2ad2a5828ada5541d4cc8030bba54d5ff12562ed3dd1281d54c8561929fef

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4cffbd6c354740026d7a3a29dd63e3bc\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1fa4c663eb7f4f3f5e7547c8d2849c90

SHA1
7a2e4dc0eacfaab69d5ddfcbf9fcec8ff55b035f

SHA256
3febbc6242bafabbb51659ed696758cc75dadcb7ffc8217b8a032590d97d9166

SHA512
3a40a81785cf707abfb6b5f88b98e6cf413391b4098d1199a1cb7f030fa2e45c3c8502ae6baa7ff56f1476ee700d5f126c14a99433802a1dd328cd66bd9dfdd9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7ca700f82568e9e8681d153433633284\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
f6edc5bdbe9179f98278bb4ce2655d8c

SHA1
9fa2863c8cc376404dc60b5c7265a1a9022de234

SHA256
da7349320b05c1531d6ae4436ac0ad91f3b03e273ca88f39aed9b7ed7982cd3d

SHA512
2905b0bd17a190777cc9f9c97420adffc6d498905a73dc64d39fc72fca5624208d46cc993187974fbb96b97c4f2b613096043b7cfe88ebaf4de27ef1e08b36f4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d7b29d7797fefd80a8f77c98eebddc11\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
a03c831cb51ed63213ead308a53d7354

SHA1
4f6a9189d8d56bf2449235f23cc2278bf5132b51

SHA256
130ee203551dc5378ec6c5f3a6408aa0c9f2b03e8b31ea980926f645344d939e

SHA512
ba28351932abfb7d03e01b81a6face909a573335850846507fe274b48a0ead697c71cd4743ebfa4acd8f5809ef0cecaabc43b0aea45c6d9d29fad836e5965bc0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEF9C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
962d4291a5dfac935ca1eff9b1e21d62

SHA1
4f68907deb3cbfeeb5133c44f12ae58d1c20b338

SHA256
82d3aabbff37889695657e40fd52e38159757b7f909426d1a4a4657f48dd3c5c

SHA512
6bbf39169cead50fdb9a5ce872ce73607627c05c5f5a040545f5c733ff2d45a4c33f54a4e2d33cad36b9d083110e947ba23d979ab570fc0917436b9e87c7f627

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
692ab055a7c35a10d6fd3d753d3bb871

SHA1
a2ed55f7675fb53794a45783e95b29f6398cb36c

SHA256
3690b739b70c26ebe5a8c4ce545ba2093be89169075609c8f1bcb6d05bd45c3b

SHA512
32d141360ebb5693c3b0a18088dfcfae226ac0c8c2e6e564484f06e4a83dbb038407768063bf12ed4fd79b96c14080c29050db1958c0a58390d8ad9b5a004ef7

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4a440149a6c38a95195ef6a172a83ced

SHA1
3ed6d74cd15f0b68a87901256d9bd11a4dcf84a5

SHA256
1aed24e5ae6613d9c6f7e0427a734157b11b0186a27364c589705fb93ad5a557

SHA512
801ca4abb75e06b8f6faf484e586658c114967b47ee2850a8c7061ab8755037fdfce3b161fdf2ab8f8f1de37f3500e46bd83ff3214d1b81643480e5c3b8e2dea

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7f0fa8c46108aa5dd0fc5613dc4d8593

SHA1
b0ece2dc3726086e9267008859441c58ff2dc5b9

SHA256
b378b71a58e6bafd5d2427ba72f6340f4128bdd4b4db4bad088d9350f67349b8

SHA512
fa260c1aa849e959490165ca0ae87c4c810ac723f45701d58e4bf4bc5a8c81f28d4396e68704abc88b19e0d5930a2948ad6e7cbae3d82b84c172f0fa19ac8ee9

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
efd44d08564cded612abfb70d5100a17

SHA1
916210c4821f51187fd32b8121da008c5e23d386

SHA256
bcd44950fb95942339a2fe4746ac40dd756c9731af3c558d1ffe1c03db9f6b93

SHA512
3f92b9c83a9f26c3508694c8bd3b21905343ed469006510ee5dfbd6a5515233d3aba2c2d9de29da0d635858cf2584db35fc7d42351d8277bb7d130d6ba4b95c1

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
274c6fddfe7c8649ecefe055e563786e

SHA1
a8f24805ed2199a6ce0c5abf78f9b13374146e75

SHA256
6835b953d977d5877740cbd2512e9872ab95bbd3371b9d30288004a604f7ba10

SHA512
7299dda34f7b7be24af6686f4bd8915d962b363946f534bc29365f150cf6fe43fa1b9fa47040781c41e6b87db0d474ea2e25376e164f78c11aa42bdb5b969f25

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
00f8f29f9e85ce785088cca8a6b25a86

SHA1
20310e4849e67ecd4c1b279c7f012f3ec15f22b3

SHA256
a36a7c631581867cfe2c61865380d1a6e968b4f7e391eb387a2e2ab20ecd3bfc

SHA512
2db181b002e2cdac24aa866e534b0e6ef28e6bad9e600053ff27d4f09e68972627f96f1cfb8a69de5a8aebdc7fcb3ee77ee30e4afd9785287355bb5e1c0990f8

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
602712bad5e7d751e5207a32ee409598

SHA1
1883a6e9fedebe0bb6ee384638920dc75e6722d1

SHA256
dff5951e07a5ad693c92825c788ab4f250eb54c99d86c534a68297e160fc7ae9

SHA512
03484d91d8154fd3cc46d0bbb027b3fbe97e34ace2f57934d64122ca2927bbb13886830cd68a329ecb48b68e390e6d6e31dbe0d21f08e4ef6a911f2f50835c02

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
450765142a0817b3ef30af068994b2bf

SHA1
0a5203c3d591332f94d6dfa2f34bdb5b6c82a698

SHA256
327d835a22bab60235bb56624ea21d7b7f582be785222e71549d784dc489d0db

SHA512
b377b8afe5452f9d03b003d6522b519dd5874e309c979a46e78caf8dccf49c8c311fa610af290f3f62d34537b597f8214abc853c5984f10f9d1395ad458b16da

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
638365fc4357ed70aa2c11f7cf4d21d3

SHA1
71ebbb388f8e08e6c6560abf387226e9bb04ba6b

SHA256
e8b342cb02394b7504e00b8bab3440dba6478e0c1f21f6a3bef7cc3f925fe886

SHA512
5bcd31bcca1d4299a69a3180baf812bbfc58aad28f0e73c66d2b7e9086940742b360e188bae8552e3a02d470a48ec98dd72b4937f79c3c23f18d94fcf7abb658

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b5ef5cac00b9cc4a9043f7e5457e5f91

SHA1
12871a8c6ce3f451142238ad3e9614d1d6cd756b

SHA256
660939986272f156356f606235b310f2fc8eb18f36abb4e6a320add3c8806a2e

SHA512
05e1d95855408da4c3577c0ee1d2991dcf64da1248fe0ee7ff7713c670f6ac2c62e9e53215b9a49f404df1a19fffa7fd2618a9d5727f444554f2f4dc96cae7a1

Download Submit
memory/776-279-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/776-314-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/872-253-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/872-270-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1044-311-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1044-329-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1264-154-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1264-191-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1368-252-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1368-86-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/1368-91-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/1368-94-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1688-410-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1744-465-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1760-431-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1880-106-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1880-110-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1880-103-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1880-97-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1880-109-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1892-497-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1988-265-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1988-113-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2060-368-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2064-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2064-1-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2064-8-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2064-40-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2084-519-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2164-434-0x0000000003D70000-0x0000000003E2A000-memory.dmp

Filesize
744KB

Download
memory/2164-439-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2244-516-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2252-287-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2252-267-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2468-370-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2468-398-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2488-174-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2488-65-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2488-67-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2488-59-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2520-219-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2520-183-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2532-357-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2532-344-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2576-379-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2648-42-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2648-127-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2652-213-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2652-83-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2652-80-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2664-45-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2664-700-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/2664-731-0x0000000000DD0000-0x0000000000DEA000-memory.dmp

Filesize
104KB

Download
memory/2664-733-0x0000000001430000-0x00000000014BC000-memory.dmp

Filesize
560KB

Download
memory/2664-713-0x0000000000DD0000-0x0000000000DEE000-memory.dmp

Filesize
120KB

Download
memory/2664-752-0x00000000023F0000-0x000000000258E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-753-0x0000000001430000-0x000000000151C000-memory.dmp

Filesize
944KB

Download
memory/2664-46-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2664-756-0x0000000001430000-0x00000000014B8000-memory.dmp

Filesize
544KB

Download
memory/2664-51-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2664-765-0x0000000000DD0000-0x0000000000DFA000-memory.dmp

Filesize
168KB

Download
memory/2664-766-0x0000000001430000-0x0000000001496000-memory.dmp

Filesize
408KB

Download
memory/2664-764-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2664-152-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2664-762-0x0000000000DD0000-0x0000000000DF4000-memory.dmp

Filesize
144KB

Download
memory/2664-755-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2664-742-0x0000000001430000-0x00000000014D4000-memory.dmp

Filesize
656KB

Download
memory/2688-335-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2696-477-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2696-464-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2764-23-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2764-28-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2764-93-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2764-105-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2764-32-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2804-21-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2804-81-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2804-13-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2804-19-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2804-20-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2864-255-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2864-215-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2952-491-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2968-538-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download