wannacry | b03501cae380e4b39e28c519594e57e138b5a73ce5c19a6ba89420d4323fd262

Analysis

max time kernel
137s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Size

4.1MB
MD5

001291f3278e27f43f753cc5843be429
SHA1

a6c22ac95fd0172e724b414b02a5fb2e61557ab9
SHA256

b03501cae380e4b39e28c519594e57e138b5a73ce5c19a6ba89420d4323fd262
SHA512

fb4afc101741014e51a7aea68c7446e777a3d92b392873b423339d3fcef0dae0106a14834d4dfd71baac02591338f762d5f6dae8b0b2b0dc7778499f3d817bbc
SSDEEP

98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HFa83:wDqPe1Cxcxk3ZAEUadzR8yc4HFa8

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3239) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
3064	alg.exe
2228	aspnet_state.exe
2060	tasksche.exe
2736	mscorsvw.exe
1148	mscorsvw.exe
1680	elevation_service.exe
1916	GROOVE.EXE
700	maintenanceservice.exe
1252	OSE.EXE
1404	mscorsvw.exe
2420	mscorsvw.exe
988	mscorsvw.exe
2468	mscorsvw.exe
2456	mscorsvw.exe
2508	mscorsvw.exe
2660	mscorsvw.exe
2860	mscorsvw.exe
2988	mscorsvw.exe
560	mscorsvw.exe
236	mscorsvw.exe
1712	mscorsvw.exe
1792	mscorsvw.exe
1536	mscorsvw.exe
2528	mscorsvw.exe
2816	mscorsvw.exe
3032	mscorsvw.exe
1748	mscorsvw.exe
1576	mscorsvw.exe
2284	mscorsvw.exe
1668	mscorsvw.exe
1964	mscorsvw.exe
1480	mscorsvw.exe
1396	mscorsvw.exe
1400	mscorsvw.exe
2604	mscorsvw.exe
536	mscorsvw.exe
2748	ehRecvr.exe
2980	ehsched.exe
2800	IEEtwCollector.exe
1644	msdtc.exe
1624	msiexec.exe
904	perfhost.exe
2688	locator.exe
1436	snmptrap.exe
2052	vds.exe
1440	vssvc.exe
980	wbengine.exe
1504	WmiApSrv.exe
2564	wmpnetwk.exe
1540	SearchIndexer.exe
1120	mscorsvw.exe
2324	mscorsvw.exe
572	mscorsvw.exe
2280	mscorsvw.exe
612	mscorsvw.exe
2988	mscorsvw.exe
592	mscorsvw.exe
2456	mscorsvw.exe
2260	mscorsvw.exe
2456	mscorsvw.exe
2376	mscorsvw.exe
2456	mscorsvw.exe
2992	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1624	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
756	Process not Found
612	mscorsvw.exe
612	mscorsvw.exe
592	mscorsvw.exe
592	mscorsvw.exe
2260	mscorsvw.exe
2260	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
2992	mscorsvw.exe
2992	mscorsvw.exe
1132	mscorsvw.exe
1132	mscorsvw.exe
2056	mscorsvw.exe
2056	mscorsvw.exe
1932	mscorsvw.exe
1932	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
2440	mscorsvw.exe
2440	mscorsvw.exe
2168	mscorsvw.exe
2168	mscorsvw.exe
1460	mscorsvw.exe
1460	mscorsvw.exe
3044	mscorsvw.exe
3044	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
2984	mscorsvw.exe
2984	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
2988	mscorsvw.exe
2988	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\62eacfd35f6c6349.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\TraceEnter.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3C55.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP450C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C8B.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D12.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A23.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C9C.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6355.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000908b85032b3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{9BF871AB-1159-4866-B056-2C5115315DC0}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000703e7c012b3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
572	ehRec.exe
2704	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
2704	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
2704	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
2704	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
2704	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3032	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeDebugPrivilege	3064	alg.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2704	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: 33	2944	EhTray.exe
Token: SeIncBasePriorityPrivilege	2944	EhTray.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeSecurityPrivilege	1624	msiexec.exe
Token: SeDebugPrivilege	572	ehRec.exe
Token: SeBackupPrivilege	1440	vssvc.exe
Token: SeRestorePrivilege	1440	vssvc.exe
Token: SeAuditPrivilege	1440	vssvc.exe
Token: SeBackupPrivilege	980	wbengine.exe
Token: SeRestorePrivilege	980	wbengine.exe
Token: SeSecurityPrivilege	980	wbengine.exe
Token: 33	2944	EhTray.exe
Token: SeIncBasePriorityPrivilege	2944	EhTray.exe
Token: 33	2564	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2564	wmpnetwk.exe
Token: SeManageVolumePrivilege	1540	SearchIndexer.exe
Token: 33	1540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1540	SearchIndexer.exe
Token: SeDebugPrivilege	2704	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1148	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2944	EhTray.exe
2944	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2944	EhTray.exe
2944	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2384	SearchProtocolHost.exe
2384	SearchProtocolHost.exe
2384	SearchProtocolHost.exe
2384	SearchProtocolHost.exe
2384	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe
1340	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1404	2736	mscorsvw.exe	40
PID 2736 wrote to memory of 1404	2736	mscorsvw.exe	40
PID 2736 wrote to memory of 1404	2736	mscorsvw.exe	40
PID 2736 wrote to memory of 1404	2736	mscorsvw.exe	40
PID 2736 wrote to memory of 2420	2736	mscorsvw.exe	41
PID 2736 wrote to memory of 2420	2736	mscorsvw.exe	41
PID 2736 wrote to memory of 2420	2736	mscorsvw.exe	41
PID 2736 wrote to memory of 2420	2736	mscorsvw.exe	41
PID 2736 wrote to memory of 988	2736	mscorsvw.exe	42
PID 2736 wrote to memory of 988	2736	mscorsvw.exe	42
PID 2736 wrote to memory of 988	2736	mscorsvw.exe	42
PID 2736 wrote to memory of 988	2736	mscorsvw.exe	42
PID 2736 wrote to memory of 2468	2736	mscorsvw.exe	43
PID 2736 wrote to memory of 2468	2736	mscorsvw.exe	43
PID 2736 wrote to memory of 2468	2736	mscorsvw.exe	43
PID 2736 wrote to memory of 2468	2736	mscorsvw.exe	43
PID 2736 wrote to memory of 2456	2736	mscorsvw.exe	44
PID 2736 wrote to memory of 2456	2736	mscorsvw.exe	44
PID 2736 wrote to memory of 2456	2736	mscorsvw.exe	44
PID 2736 wrote to memory of 2456	2736	mscorsvw.exe	44
PID 2736 wrote to memory of 2508	2736	mscorsvw.exe	45
PID 2736 wrote to memory of 2508	2736	mscorsvw.exe	45
PID 2736 wrote to memory of 2508	2736	mscorsvw.exe	45
PID 2736 wrote to memory of 2508	2736	mscorsvw.exe	45
PID 2736 wrote to memory of 2660	2736	mscorsvw.exe	46
PID 2736 wrote to memory of 2660	2736	mscorsvw.exe	46
PID 2736 wrote to memory of 2660	2736	mscorsvw.exe	46
PID 2736 wrote to memory of 2660	2736	mscorsvw.exe	46
PID 2736 wrote to memory of 2860	2736	mscorsvw.exe	47
PID 2736 wrote to memory of 2860	2736	mscorsvw.exe	47
PID 2736 wrote to memory of 2860	2736	mscorsvw.exe	47
PID 2736 wrote to memory of 2860	2736	mscorsvw.exe	47
PID 2736 wrote to memory of 2988	2736	mscorsvw.exe	48
PID 2736 wrote to memory of 2988	2736	mscorsvw.exe	48
PID 2736 wrote to memory of 2988	2736	mscorsvw.exe	48
PID 2736 wrote to memory of 2988	2736	mscorsvw.exe	48
PID 2736 wrote to memory of 560	2736	mscorsvw.exe	49
PID 2736 wrote to memory of 560	2736	mscorsvw.exe	49
PID 2736 wrote to memory of 560	2736	mscorsvw.exe	49
PID 2736 wrote to memory of 560	2736	mscorsvw.exe	49
PID 2736 wrote to memory of 236	2736	mscorsvw.exe	50
PID 2736 wrote to memory of 236	2736	mscorsvw.exe	50
PID 2736 wrote to memory of 236	2736	mscorsvw.exe	50
PID 2736 wrote to memory of 236	2736	mscorsvw.exe	50
PID 2736 wrote to memory of 1712	2736	mscorsvw.exe	51
PID 2736 wrote to memory of 1712	2736	mscorsvw.exe	51
PID 2736 wrote to memory of 1712	2736	mscorsvw.exe	51
PID 2736 wrote to memory of 1712	2736	mscorsvw.exe	51
PID 2736 wrote to memory of 1792	2736	mscorsvw.exe	52
PID 2736 wrote to memory of 1792	2736	mscorsvw.exe	52
PID 2736 wrote to memory of 1792	2736	mscorsvw.exe	52
PID 2736 wrote to memory of 1792	2736	mscorsvw.exe	52
PID 2736 wrote to memory of 1536	2736	mscorsvw.exe	53
PID 2736 wrote to memory of 1536	2736	mscorsvw.exe	53
PID 2736 wrote to memory of 1536	2736	mscorsvw.exe	53
PID 2736 wrote to memory of 1536	2736	mscorsvw.exe	53
PID 2736 wrote to memory of 2528	2736	mscorsvw.exe	54
PID 2736 wrote to memory of 2528	2736	mscorsvw.exe	54
PID 2736 wrote to memory of 2528	2736	mscorsvw.exe	54
PID 2736 wrote to memory of 2528	2736	mscorsvw.exe	54
PID 2736 wrote to memory of 2816	2736	mscorsvw.exe	55
PID 2736 wrote to memory of 2816	2736	mscorsvw.exe	55
PID 2736 wrote to memory of 2816	2736	mscorsvw.exe	55
PID 2736 wrote to memory of 2816	2736	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3032
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2060

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 264 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 258 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f8 -NGENProcess 264 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 24c -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 24c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 264 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 264 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 288 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 290 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 284 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 298 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b4 -NGENProcess 2a8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 200 -NGENProcess 1f4 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 1e0 -NGENProcess 28c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e0 -NGENProcess 200 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 25c -NGENProcess 28c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 28c -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d8 -NGENProcess 22c -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 22c -NGENProcess 1f0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 2ac -NGENProcess 268 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 268 -NGENProcess 1d8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2bc -NGENProcess 1f0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 1f0 -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2a4 -NGENProcess 1d8 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1d8 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 290 -NGENProcess 2ac -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2bc -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2bc -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 2a4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c8 -NGENProcess 290 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 290 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2d0 -NGENProcess 294 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 294 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2f0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f0 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 320 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 31c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 31c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 300 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 32c -NGENProcess 210 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 284 -NGENProcess 338 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 330 -NGENProcess 344 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 348 -NGENProcess 210 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 338 -NGENProcess 34c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 350 -NGENProcess 344 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 210 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 34c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 344 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 210 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 34c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 344 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 210 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 344 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 210 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 34c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 34c -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 384 -NGENProcess 210 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 210 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 39c -NGENProcess 37c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 31c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 3a0 -NGENProcess 39c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 39c -NGENProcess 1c4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 1c4 -NGENProcess 210 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1680

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1916

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:700

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:536

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2748

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2944

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:904

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2384
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1296
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
4b0607db3dd292233d6983e39ffa1403

SHA1
089ee617a3672bd5e09f31ed1117d9244cc6da7c

SHA256
44671bc734a04a78e3444be8992ea1cf0088502e3068b9d0c9536546c47fa275

SHA512
b0c20d835ab9d9f9374c9d3cc8567d2229a88259c918865d15d48859f1bd20324289a4b4e529fdb196c676dec33a8d96819b4af43b61b839845c08a4eb16a087

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
92a1d9a24fe551623942b08d0c62215e

SHA1
cbc3b1dfdc14745b9c44144bbcfddb77d17fdde5

SHA256
4d3524320ee2d625a4b1acd4b1b9f63cedaf1181969527a426562ccfea7b02bd

SHA512
9df3e60cbf5377f7fcad5519b10ad2fe0eae647b7ca218c433e696e634c08b22a2d73e15b50b05709a0846ea5d9b0e9118b61d7580169819b657e650e5c9ffb4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3a32125f00002d5cdf59073af6bc30ce

SHA1
3dabbb706262d7d02add7b6ba0ffd025804e65fc

SHA256
a34b520d73d9397176287328f28bba647baebd7bf01ea3df95f48b71bccb7ef1

SHA512
dd2636e60846a3f5300f3cda57cf5ff0dd560ead65bbdfb0f3e44fe4df0dfcfe660c19a4dbe0e0b463f8299bfe2ca2f6ccf6d0cd733c55c5e1216aaaba014165

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8ddd1bb9fbeb307a797ea2edd3e81627

SHA1
002a0345560ec0a03b7d47436689c40293f7da66

SHA256
ca7380ce38bc2dbad942fe0821cf45f9629cce8bd476fd01c02dbf82175a2cf9

SHA512
c257681ebd8b7ef943a466ef25eca43001b7f16b01154c2d194672ac862fa02bf5aa89952fca8c8f2f8d037d730f08a22be93d09503f6fa56ebc7f8a5bcb9923

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
dcda8501a21ea81792a2fb8ef039d0ae

SHA1
f17b138d3fff620758a63d54153134c23ead67ed

SHA256
edf36691ee01d182b2cea000209633b984e6273def76a10b9f33bb850a92b94c

SHA512
9675d30f6dc55ff8d68d9cb615f37e38969928ea64f26c33aee581bf7aec6c605e34bd4718570ada4a5ff0536f96d9047b2cd82d4c0d164f57a7268a4d5cbcce

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a003ce230acbe9329b44dcb0c8a7455b

SHA1
6ebc73aa67b478ec89ca846ccb7fa35e23ac3a88

SHA256
abdb15759a586f8fe1bf358a1c93e9458c91d42c6e64828021b4f99f8049ba45

SHA512
a8bd6c8163da05392ad6602bac827fdf84becb080223c31173286b5cd9a6206e55057c903b8deed13a42068a4c5b4147e8efe3e77e2705be063fec140cdaf944

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8e1f716d5b82daafa0a9e6b79865d3b8

SHA1
7a2b247d4ed7ec6e0bac1ff69b9777cdb885d58d

SHA256
d26efa44814462e185e0ba7788d38f423b3817492839916063bbcf7121adb183

SHA512
d0f830ffa81d8f97bccf0d50c4a5992194588c6e72c0148de4ff98366f7d3e524a8011f3e6c49de1e2475615658627227c2dc7484590a630d99fd5a529c4e676

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
eabb5588c58a942e9ea52516895a0775

SHA1
c50fb9c4f7e3ca623407868a979d3509b4a28ec2

SHA256
0814fa7c6a4052103ce545f2dc967375fbf631ccd78bb95dc1cfc77033ace424

SHA512
a0e81aa89ccdd517001df7779b626ed12605d77edce998dc8c289035eed4df8503f13e3bedd7ac295a0ef3fdc2a70f230e1cd9a1e6b238e58febe1f005265527

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5587d18c255dcbb70833e7dcd2ea37e5

SHA1
ffc3a6ac883f5a1a52918d2742e017e34c64dc70

SHA256
e4cfe0661f7b604cdb35f026721fe4180128c7342af8fc5b2ffe90045cd20522

SHA512
9cb273de1ce4f70f8659d27a6854e65a45155713f443b588f0fc249557d3ce44f455a503c20edc7d487a9ef6a1016471084e6ce7c3175b7dd195dba3b8e869ba

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
22a2c08cd84986ebdc3cc46855dfddd9

SHA1
766ef9ef32c311baf6ce66d746ebaa87a171b0cd

SHA256
50ad5e131c91e091634d4b29fc745a745a596071bdf88e71ed200a5c395ca983

SHA512
1745edf39e9edb37f5503ffebfda6d074d13d91c30852d79263d84723d8022ff2a9ca2bdeedbd96e924ae7a113f971795c43bc3032ed00a35276e95a799f3905

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0bcdfe93fab13356b7e132d3d47d4829

SHA1
bdd7f9ea1cc9c78c5d894421f4b072fe08c785fb

SHA256
80d78106a44e107d4dc6191ffc6c50fce9904bb48370e29659a61ba5c562aa1e

SHA512
55c98d1935c468e266da04df88f7d6b9ddbe2aff34a60377e7a697289446bafe081d7bfcabd91898d9c0e11927c40b4a13ad2d747803e42f1f15e8064e6edb2d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1151c078a594a669858c62d241256e89

SHA1
eaf3d7ed5f984602e398a1cfa2493ccb0aa00347

SHA256
031206c9a926f4ef2b6b79dcc2cf939f7c21f5ece5f1722f37ccfe888e0a743e

SHA512
dbc96154e2b328b5afb777da7cf6ae4a667e3709a1eff9ea83c24c3ad2efa4c22faa93e7cfbef73b5136e821b08f40ad223fdb37fece02cf2bbaf4b261af4eeb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c8c37575bd04c53b2c821b524973bbb3

SHA1
32e377ca013fb386eee2fc45ac7124b6ee78dd1c

SHA256
4eb0e97e35368e3b69dc493a227bdc5f0b88b8f4aad3db21cc9c0e65426eab5d

SHA512
0534fc701d5c9824e6da3dc1227656a020833644d2dff319c4d6df96f765ff4512999aeabf1b116b4ed52f60117e5ac434b7784f8a86e1e4e4d1d1fb7a7178be

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
a129e5f715fb899e42d24053369fd667

SHA1
be83be209b6d2f6b7acdd747b541ebcdc60b7324

SHA256
bfa8f53304f4ed6a48810b25b4641e59c4dfc7bec307df90e19f6b7df64259c6

SHA512
b092189018156702b292b43877c1b10e05aad2835ee582f6985e819a2dfe3ee344428f2006826f3fe5904e623b554ac8ffda37851c387aa4fc9184456b537ae7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
9aea572770e7f6bb9c8609ba97a69c46

SHA1
c542ee962c46834d753de05cd7a227d859fd5fd6

SHA256
609be9b4ae7c13579f78897b10ee2ff25a20aa82f37d0cfd2e51527b0041bf2c

SHA512
20d27220b27a0f001fe5006d972ed2a678a2ef2256a3dc66dd0631bfb2cfffc17fd8046c3de6238ef1a99b1c5dc951a11bac669c8a1bfe576d0abcbbdee38ad7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3419ae7c734e56f796fa8f65ad3f5e63\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
b2a8bd455b6aacc47f7cab99dec196fd

SHA1
30c208585a40232196e0828463b361ad00a6e618

SHA256
a0b5ffda2d22f954482707d56097d5ddb63d816719b99953b8b25ad1d1434547

SHA512
c00e3cdeb331406b3706a62537ead01784e1ecaeb328839d5b51c1c435827c399f9894b1fbea659b4d659cb72dde643720f4a11add46132275e817a461b5a85a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d263c1fcb8b328ac57f5e9ec48d560f4\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
f765c6f95269785ab871ceb234debf18

SHA1
8d50938defe355de1ee9a6f7c8f6ae73ea9d5eb9

SHA256
e409bc0e82c228e6c9365c742ca9fd64f2c3f045d3d6cc8aa1b6a70826bd3266

SHA512
52750583226b57bf40ca1e235ca2f4eb8ac67ccfb6fc301ec438e272648882185bef767b74aa3dc1f37a3478b65d8c5362dd949c246ecec7c3bd12a2a9c778a8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e2690bb5c8ab6993eeade9e85f9f25be\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ae13a9f5b7385f51218d4f2fba7a431e

SHA1
36c7af3bfa2b2bcb6070e14fe008768646c18de5

SHA256
16f5cdf0d7c5e6363e9c820da2c60dd70fbb1be676ca636fc0bd5c49f16373a4

SHA512
e464c87afba3f7516cd5d29a4c2c0fb68db777103cb2e53e4761969af80437a85f4a9ecc2876fd4f2fc771617383d986a24bbd1f8b8c7d57f31d7247394a8a6d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
bddd6c1145f0aaaac1ec22086400f9b4

SHA1
0d069ca999b813150a8706f9a4e3ae7f3bae1eea

SHA256
7bb1dc53459ba52e54ef030dc774465cce9860afece4f41e29d5091372f40b44

SHA512
4cd58300eb0ab57f8cd47f4b1ba5eec22fa35eaaebacf05dd0f93f76eeb3cb5918b5102c4252093049251d9714934a84db80563c48c73dc01e9e2d1744b2a14e

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
26aecd5aed51ffdfeaad23eab75c828a

SHA1
9f4e9a661560db9100c644f58ed3c3d619c9c389

SHA256
fdc6a55d16ec302be91617a3a55397e416b322a30308a49ceee1c71ac5d44cba

SHA512
f0bd0919f139ff0fcb5a78c75028a2d6da8763a5e814e64a2a6588863fcb55608a1a2012f0d7fd84905e6f14ebed36a4cef07768b4b452a28300693dd76e6a8d

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
5f1cca10ce9f372dd5a0ef9c901e3f57

SHA1
467c543d6d19e8d81499ce41dbbda9d9ba8dad20

SHA256
642e051e611c2d0b9a5c803456a069f0281f17397760f4878b986079455e4d67

SHA512
3b7b2226ad9edc83570616f5349c56fcb6f5cbe67c1c4c4c12c3d05e578460394769b6890f9f250b0be51d2aafcfb32dd89eac0f5df1da5e4226299492a5780e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
1b2a3cbae32541f451091a41522afa09

SHA1
f7c4066f7b709c0701017ea67dbe0d53c1634843

SHA256
f9698b4de2b7cb36eb7ee7c82c664f4f15a9904e5574f8dd01f418aab0115b33

SHA512
03d56558794433be6c2e68c8b3f0435e78d92e4a07e13823368ffa71560ab4c9724365493c1572178fc7f93df55df5712ffff20d66104a253eb0c6c961d1d4be

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
fa2c2d5e7c0f92f53cc1d4948f9d5d1e

SHA1
b6219d806b07e95cc7de684d537160031c21f196

SHA256
933e81e81fcc4bd39a2dcac91e093d022af5a8282386f32d98317e2efead35cc

SHA512
d6b7689a0a5a61d503fbbd2d7a4846aabe4daafcc51e9addb595214f6df31f723b3a01eb8cd16dd73fe01e31208ca76c177f02941e2c40024b187435cb490ab4

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8047d963799d746fedf8d19aaa04aac1

SHA1
9b5c3b03c5ea630aa2c7a3afef114e9be293bcb2

SHA256
4a388e8728fd75c0c1d7a313c994acd211de5c0f3ae225633e15efe0b3ae44af

SHA512
ffd06ce31ee4d72cb417620d6b3147a700bbe66f6c2092fa51a29cc5f5782c657683adadc861ce663dffadf0a6ec3f27f961073d56c1815fa5e4d48599a77bb4

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
2850d5471f4557f6fd029bbb2bb209fc

SHA1
6f9590847cf0ad6de2b07f4a22bf77497a743b70

SHA256
1f2187ac066ab96da459ec5ff03b2f9c765828cd957f6f77a0c2706d8f8beeab

SHA512
76621849b82d9fb2f4ef35f6d4644c324a0e60219907c0471feca582be41414be24764fe795d95f39b64437d05efcc1d6531793437a63dafae4f651857e9c533

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6030dcd746410547b371735ea6224e9b

SHA1
78195a6cad5ad2420c73485411a560cc38a1b2f2

SHA256
d3fed4530948c660049a0c759f61d22f18d9e8bf65642ad2b680a8491db0388c

SHA512
96ef4267e7fa0fd6b57b507049e67155f93a9fe56e7c97c12ad7c3803502e57d78451cc4173536b35d3105f0136d89bbd112601fb22d8df46b48a378e22175a2

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
ef832f469fa952dce1c9ab25bdfc9556

SHA1
37b691f789cdfff8c6b9d9d71e5169c95c6f7fa2

SHA256
14d5332c9a4218e4b6500cb5261eec57a867c5ad9a703ac34e7fef2f988bdc6f

SHA512
bd2f1bc49c1da032457539a2d433a6a64425267e66febdefe4d879339fe3de71b319bcbde5f1d657ec30aa1e3ad94e535f551b914a2607bcf9352e497da76794

Download Submit
memory/236-416-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/560-413-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/700-113-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/700-105-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/700-118-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/988-289-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/988-322-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1148-76-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1148-68-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1148-74-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1148-272-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1252-342-0x000000002E000000-0x000000002E1EA000-memory.dmp

Filesize
1.9MB

Download
memory/1252-129-0x000000002E000000-0x000000002E1EA000-memory.dmp

Filesize
1.9MB

Download
memory/1404-277-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1404-256-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1536-452-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1576-518-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1668-541-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1668-530-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1680-90-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1680-83-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1680-84-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1680-288-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1712-437-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1748-507-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1792-448-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1792-435-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1916-100-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/1916-95-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/1916-103-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1916-318-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1964-552-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2228-44-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2228-50-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2228-51-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2228-215-0x0000000140000000-0x00000001401D2000-memory.dmp

Filesize
1.8MB

Download
memory/2228-37-0x0000000140000000-0x00000001401D2000-memory.dmp

Filesize
1.8MB

Download
memory/2284-529-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2420-273-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2420-293-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2456-343-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2456-353-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2468-323-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2468-334-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2508-366-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2528-470-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2528-461-0x0000000003D30000-0x0000000003DEA000-memory.dmp

Filesize
744KB

Download
memory/2528-460-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2660-370-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2660-363-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2704-30-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2704-24-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2704-127-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2704-206-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2704-32-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2736-851-0x0000000001FC0000-0x000000000215E000-memory.dmp

Filesize
1.6MB

Download
memory/2736-55-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/2736-852-0x0000000001D40000-0x0000000001E2C000-memory.dmp

Filesize
944KB

Download
memory/2736-853-0x0000000001D40000-0x0000000001D50000-memory.dmp

Filesize
64KB

Download
memory/2736-854-0x0000000001D40000-0x0000000001DC8000-memory.dmp

Filesize
544KB

Download
memory/2736-855-0x0000000001D40000-0x0000000001D64000-memory.dmp

Filesize
144KB

Download
memory/2736-856-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download
memory/2736-857-0x0000000001D40000-0x0000000001D6A000-memory.dmp

Filesize
168KB

Download
memory/2736-858-0x0000000001D40000-0x0000000001DA6000-memory.dmp

Filesize
408KB

Download
memory/2736-255-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2736-846-0x0000000001D40000-0x0000000001D4A000-memory.dmp

Filesize
40KB

Download
memory/2736-847-0x0000000001D40000-0x0000000001D5E000-memory.dmp

Filesize
120KB

Download
memory/2736-849-0x0000000001D40000-0x0000000001DCC000-memory.dmp

Filesize
560KB

Download
memory/2736-848-0x0000000001D40000-0x0000000001D5A000-memory.dmp

Filesize
104KB

Download
memory/2736-60-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/2736-850-0x0000000001D40000-0x0000000001DE4000-memory.dmp

Filesize
656KB

Download
memory/2736-54-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2816-483-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2860-391-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2988-390-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2988-395-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/3032-42-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3032-495-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/3032-0-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/3032-8-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/3032-7-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3064-94-0x0000000100000000-0x00000001001D9000-memory.dmp

Filesize
1.8MB

Download
memory/3064-21-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3064-19-0x0000000100000000-0x00000001001D9000-memory.dmp

Filesize
1.8MB

Download
memory/3064-20-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3064-13-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download