wannacry | d890d18330633c58ed654ad28cf81660c6a318cb1b86ec3398264ce869c0974a

Analysis

max time kernel
131s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Size

4.1MB
MD5

63d71088662bf0d08b3e35045acf73d1
SHA1

934e412d80ad21609773534ea340ae9b4434c1f9
SHA256

d890d18330633c58ed654ad28cf81660c6a318cb1b86ec3398264ce869c0974a
SHA512

d5cd71fdc32b9d2b8659106f647bb26a3a59b59c758ddb2888e9fd561e2a9072c4d1cc253ea97f17c57b23cec948b221614590afab020aae99d367c932b668c2
SSDEEP

98304:4DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hvbx4uR:4DqPe1Cxcxk3ZAEUadzR8yc4Hv2

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3095) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2648	alg.exe
2872	aspnet_state.exe
2700	tasksche.exe
2792	mscorsvw.exe
2568	mscorsvw.exe
2364	mscorsvw.exe
836	elevation_service.exe
1928	GROOVE.EXE
2652	maintenanceservice.exe
2260	OSE.EXE
1704	mscorsvw.exe
2688	mscorsvw.exe
2368	mscorsvw.exe
2640	mscorsvw.exe
1620	mscorsvw.exe
2532	mscorsvw.exe
2092	mscorsvw.exe
2796	mscorsvw.exe
1532	mscorsvw.exe
2900	mscorsvw.exe
1636	mscorsvw.exe
2240	mscorsvw.exe
900	mscorsvw.exe
1968	mscorsvw.exe
2492	mscorsvw.exe
2204	mscorsvw.exe
2116	mscorsvw.exe
2000	mscorsvw.exe
1908	mscorsvw.exe
960	mscorsvw.exe
1184	mscorsvw.exe
1672	mscorsvw.exe
2620	mscorsvw.exe
2888	mscorsvw.exe
2980	mscorsvw.exe
1728	mscorsvw.exe
2112	ehRecvr.exe
2948	ehsched.exe
2232	IEEtwCollector.exe
1164	msdtc.exe
776	msiexec.exe
1216	perfhost.exe
1500	locator.exe
3036	snmptrap.exe
2044	vds.exe
288	vssvc.exe
1068	wbengine.exe
1932	WmiApSrv.exe
1884	wmpnetwk.exe
2756	SearchIndexer.exe
2216	mscorsvw.exe
2328	mscorsvw.exe
1700	mscorsvw.exe
2696	mscorsvw.exe
2428	mscorsvw.exe
3028	mscorsvw.exe
3148	mscorsvw.exe
3360	mscorsvw.exe
3460	mscorsvw.exe
3608	mscorsvw.exe
3704	mscorsvw.exe
3856	mscorsvw.exe
3952	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
776	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
748	Process not Found
2428	mscorsvw.exe
2428	mscorsvw.exe
3148	mscorsvw.exe
3148	mscorsvw.exe
3460	mscorsvw.exe
3460	mscorsvw.exe
3704	mscorsvw.exe
3704	mscorsvw.exe
3952	mscorsvw.exe
3952	mscorsvw.exe
3116	mscorsvw.exe
3116	mscorsvw.exe
3236	mscorsvw.exe
3236	mscorsvw.exe
3508	mscorsvw.exe
3508	mscorsvw.exe
3780	mscorsvw.exe
3780	mscorsvw.exe
4088	mscorsvw.exe
4088	mscorsvw.exe
3188	mscorsvw.exe
3188	mscorsvw.exe
3356	mscorsvw.exe
3356	mscorsvw.exe
3364	mscorsvw.exe
3364	mscorsvw.exe
3988	mscorsvw.exe
3988	mscorsvw.exe
3128	mscorsvw.exe
3128	mscorsvw.exe
3220	mscorsvw.exe
3220	mscorsvw.exe
3160	mscorsvw.exe
3160	mscorsvw.exe
3264	mscorsvw.exe
3264	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f68ac7bd5f6c6349.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8A07.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8768.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA8EC.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6E3D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8121.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8343.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FC91993-FEF2-4AF3-A604-884C9D2E3A8F}\WpadDecisionTime = f034a1e42f5cdb01	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000305db729305cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FC91993-FEF2-4AF3-A604-884C9D2E3A8F}	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0c68a2e305cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FC91993-FEF2-4AF3-A604-884C9D2E3A8F}\ca-5c-bb-df-80-0d	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2244	ehRec.exe
2836	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
2836	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
2836	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
2836	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
2836	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2324	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeDebugPrivilege	2648	alg.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2836	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Token: 33	1960	EhTray.exe
Token: SeIncBasePriorityPrivilege	1960	EhTray.exe
Token: SeRestorePrivilege	776	msiexec.exe
Token: SeTakeOwnershipPrivilege	776	msiexec.exe
Token: SeSecurityPrivilege	776	msiexec.exe
Token: SeDebugPrivilege	2244	ehRec.exe
Token: SeBackupPrivilege	288	vssvc.exe
Token: SeRestorePrivilege	288	vssvc.exe
Token: SeAuditPrivilege	288	vssvc.exe
Token: SeBackupPrivilege	1068	wbengine.exe
Token: SeRestorePrivilege	1068	wbengine.exe
Token: SeSecurityPrivilege	1068	wbengine.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: 33	1960	EhTray.exe
Token: SeIncBasePriorityPrivilege	1960	EhTray.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeDebugPrivilege	2836	2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
Token: 33	1884	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1884	wmpnetwk.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeManageVolumePrivilege	2756	SearchIndexer.exe
Token: 33	2756	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2756	SearchIndexer.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1960	EhTray.exe
1960	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1960	EhTray.exe
1960	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2144	SearchProtocolHost.exe
2144	SearchProtocolHost.exe
2144	SearchProtocolHost.exe
2144	SearchProtocolHost.exe
2144	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe
1104	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1704	2568	mscorsvw.exe	42
PID 2568 wrote to memory of 1704	2568	mscorsvw.exe	42
PID 2568 wrote to memory of 1704	2568	mscorsvw.exe	42
PID 2568 wrote to memory of 1704	2568	mscorsvw.exe	42
PID 2568 wrote to memory of 2688	2568	mscorsvw.exe	43
PID 2568 wrote to memory of 2688	2568	mscorsvw.exe	43
PID 2568 wrote to memory of 2688	2568	mscorsvw.exe	43
PID 2568 wrote to memory of 2688	2568	mscorsvw.exe	43
PID 2568 wrote to memory of 2368	2568	mscorsvw.exe	44
PID 2568 wrote to memory of 2368	2568	mscorsvw.exe	44
PID 2568 wrote to memory of 2368	2568	mscorsvw.exe	44
PID 2568 wrote to memory of 2368	2568	mscorsvw.exe	44
PID 2568 wrote to memory of 2640	2568	mscorsvw.exe	45
PID 2568 wrote to memory of 2640	2568	mscorsvw.exe	45
PID 2568 wrote to memory of 2640	2568	mscorsvw.exe	45
PID 2568 wrote to memory of 2640	2568	mscorsvw.exe	45
PID 2568 wrote to memory of 1620	2568	mscorsvw.exe	46
PID 2568 wrote to memory of 1620	2568	mscorsvw.exe	46
PID 2568 wrote to memory of 1620	2568	mscorsvw.exe	46
PID 2568 wrote to memory of 1620	2568	mscorsvw.exe	46
PID 2568 wrote to memory of 2532	2568	mscorsvw.exe	47
PID 2568 wrote to memory of 2532	2568	mscorsvw.exe	47
PID 2568 wrote to memory of 2532	2568	mscorsvw.exe	47
PID 2568 wrote to memory of 2532	2568	mscorsvw.exe	47
PID 2568 wrote to memory of 2092	2568	mscorsvw.exe	48
PID 2568 wrote to memory of 2092	2568	mscorsvw.exe	48
PID 2568 wrote to memory of 2092	2568	mscorsvw.exe	48
PID 2568 wrote to memory of 2092	2568	mscorsvw.exe	48
PID 2568 wrote to memory of 2796	2568	mscorsvw.exe	49
PID 2568 wrote to memory of 2796	2568	mscorsvw.exe	49
PID 2568 wrote to memory of 2796	2568	mscorsvw.exe	49
PID 2568 wrote to memory of 2796	2568	mscorsvw.exe	49
PID 2568 wrote to memory of 1532	2568	mscorsvw.exe	50
PID 2568 wrote to memory of 1532	2568	mscorsvw.exe	50
PID 2568 wrote to memory of 1532	2568	mscorsvw.exe	50
PID 2568 wrote to memory of 1532	2568	mscorsvw.exe	50
PID 2568 wrote to memory of 2900	2568	mscorsvw.exe	51
PID 2568 wrote to memory of 2900	2568	mscorsvw.exe	51
PID 2568 wrote to memory of 2900	2568	mscorsvw.exe	51
PID 2568 wrote to memory of 2900	2568	mscorsvw.exe	51
PID 2568 wrote to memory of 1636	2568	mscorsvw.exe	52
PID 2568 wrote to memory of 1636	2568	mscorsvw.exe	52
PID 2568 wrote to memory of 1636	2568	mscorsvw.exe	52
PID 2568 wrote to memory of 1636	2568	mscorsvw.exe	52
PID 2568 wrote to memory of 2240	2568	mscorsvw.exe	53
PID 2568 wrote to memory of 2240	2568	mscorsvw.exe	53
PID 2568 wrote to memory of 2240	2568	mscorsvw.exe	53
PID 2568 wrote to memory of 2240	2568	mscorsvw.exe	53
PID 2568 wrote to memory of 900	2568	mscorsvw.exe	54
PID 2568 wrote to memory of 900	2568	mscorsvw.exe	54
PID 2568 wrote to memory of 900	2568	mscorsvw.exe	54
PID 2568 wrote to memory of 900	2568	mscorsvw.exe	54
PID 2568 wrote to memory of 1968	2568	mscorsvw.exe	55
PID 2568 wrote to memory of 1968	2568	mscorsvw.exe	55
PID 2568 wrote to memory of 1968	2568	mscorsvw.exe	55
PID 2568 wrote to memory of 1968	2568	mscorsvw.exe	55
PID 2568 wrote to memory of 2492	2568	mscorsvw.exe	56
PID 2568 wrote to memory of 2492	2568	mscorsvw.exe	56
PID 2568 wrote to memory of 2492	2568	mscorsvw.exe	56
PID 2568 wrote to memory of 2492	2568	mscorsvw.exe	56
PID 2568 wrote to memory of 2204	2568	mscorsvw.exe	57
PID 2568 wrote to memory of 2204	2568	mscorsvw.exe	57
PID 2568 wrote to memory of 2204	2568	mscorsvw.exe	57
PID 2568 wrote to memory of 2204	2568	mscorsvw.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2324
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2700

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Users\Admin\AppData\Local\Temp\2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-01_63d71088662bf0d08b3e35045acf73d1_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d8 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1f0 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 27c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 260 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 23c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 290 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 260 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 280 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 260 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f8 -NGENProcess 1d8 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 25c -NGENProcess 214 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f8 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 26c -NGENProcess 278 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 278 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1c4 -NGENProcess 2a0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2a0 -NGENProcess 26c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ac -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 278 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 26c -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 1c4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1c4 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2a8 -NGENProcess 2ac -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 290 -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:3452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 280 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2b8 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c0 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 290 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:3224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:4060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e0 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2fc -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:3532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 308 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:3620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:4076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:3716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2f0 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:3700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f0 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:4060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2f0 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:3216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:3276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2f0 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:3616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 308 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:3964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 30c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 30c -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 37c -NGENProcess 308 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:3880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:3324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 374 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:3976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 37c -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:3244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 2f0 -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:3720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 390 -NGENProcess 384 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:3732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 38c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:4088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 374 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:3236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 374 -NGENProcess 390 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3a0 -NGENProcess 38c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:3640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 38c -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:3352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a8 -NGENProcess 390 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 390 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:3948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3b0 -NGENProcess 398 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 390 -NGENProcess 3bc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 38c -NGENProcess 3ac -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:3904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 3b8 -NGENProcess 3c0 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:4092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3a8 -NGENProcess 3ac -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3c4 -NGENProcess 38c -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3c0 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:3168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3ac -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:3456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 38c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:3876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:836

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1728

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2112

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2756
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2144
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
b1353335fa02de9c8fe8ed1ea9c94b30

SHA1
f0a86290c78d1d3b31700959412fa881e3d473f7

SHA256
f8dc48e7ddda0a6bb82e313e36de7f1b8a7bd078e12c6791d89f2c2d4989a1c6

SHA512
1ba62d90474b42dc9cb3ef29c2ba75375c9f44287cbc558e9903e894b83c8a8d65cd020ab071d2c0137b514d5db4cfe856e6030c54518e7c361e5dd6cab6dff2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
834ea0be9e586ecdfaa1f44332a6f2b1

SHA1
54fcdf09f584481e406ddafedb54202af8d90030

SHA256
b54761d8c9401dd79d0e599088b8256e1821341d6e7d2b78cc237f005894e1b1

SHA512
346bcbef893d2d4e3f06e24c7b4b229ce199cbf96737e12b81a3e5848f0e9263c93f4e9e355caac10140c077216d31f5aab5d4940ccc3a1fd0fd664659170101

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
575883fbcf07f41df4801da65495ccb3

SHA1
f4e2f2a1a7b50dd8fc0e6cd3eb2bbd04b0fd802c

SHA256
5f3acb952833c335234b6c3eb825ff4b643d2a47511226afc565687b4ac37800

SHA512
39a9f7b571300451c53e8ae6472bba085e884f11e0f5fd90a1dd92dde9ed775e7bea22e8fdfb26c11cf36cd3beaa6fafb5bc091baebce06fb69ae2eaced59832

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f01fb41c8fbcba77e591a7e71a449a21

SHA1
57fb447a8c0837a517c45e2c212ddd9f402c5c28

SHA256
906db66da882372e3196c475d08bdb1993a3d30d686678c3b2b146f52809062b

SHA512
34a83780c07d81d4c3010460657f568297da7110f4d5907bfaab1982c91426d86a098c1ffde5dd2023e492c49b752012d0b76145b7ecb9f1cf5afff030299ce9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f601928a602c8adbf1e4db1238ec5dfe

SHA1
39e2482bf5bda81bbea8caf6ed8f1e343d0de399

SHA256
39c8b13db38e1a2017a2434f5ee771585e80bbc9a4f5e43b90c1b5ab27d24aec

SHA512
d6ba8677bb97c236686b24e1ed5bbf170df770751e5876b3e3146c6df257287d23bbfd2bcfad9af6db464c8d5eec79e120403c75a81ac62d3583154dcad944f6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
362ff949aa4d97b3abb4cbbc4e0d8af9

SHA1
508b4aca566dd0f4bb4ba72a4fa50be9987a9065

SHA256
0724f9acf172a8dbdd60b04281ca91de5e4de745c82b98db707af0578b22b92f

SHA512
34c782656df65e26d28b7bd325738aaf1bdc54d27084125138f7908821dedb1790934f100638e0860ef1e176313f1af5f206cfe3d767c20516c5fcb3e416ac7c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
91cbc76a19feac1d705c08000a0e711d

SHA1
c8f2d7be039a97c150bbc492326791e725265aed

SHA256
43365c6d9285c990efe125589403b4b3a3da50532f6a3143590d3c3a43ed3a1b

SHA512
1160a895a4e05c2ae5e80f4f4744d3b8cdfdf422ad5777d8cd412e91efec0fc072d86dd3f921f89582ec47d15e91259ec9d5deb3f21d0e0718b37a527b5ff698

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ba24d6fac32048fb36e6bb4c63e9eb9a

SHA1
9ec5868921700909b51e425ace84c479db9c4590

SHA256
026d29dca8b149726e76b03be82298b0b29a51d376d6fcfb91c93e75ccb18000

SHA512
d6331544c66d72363eb8234672dcdb8a2ae86d0979e14b25d3aa406e3a1ceb2e82fc324e1fb214c662306b595eed454e91f2619110d759fc460a9b959a846018

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
d82e2f9b68fd7170d3241c2a7ab43abf

SHA1
823e90a11a7825adb30b01781b7a52e4280df403

SHA256
1d6b793882fa7a736c9a0a0683be39f9859dc070d739b317cd64418b1b6229c5

SHA512
30026a4d276f0321e077844d96b2e60486dfcadf1b8b72345f2851eb20d22790c95a36f608766b04cac206d91f776f79bc13d5ee371adc97ce8d9663053d0121

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4a1fab2845353dfbe4b4c8324f3591da

SHA1
8589d3aff3bd1d110c1a335e635a8b08c1e16bdf

SHA256
1a560f09d32c5466f6991c5968be3c90d7afdf0af3741ee94a4d797fe94c017f

SHA512
53183129cc36227867205dc76d05fb147162fda3816a6f69dc4380b1bc6c22055a232f25126fcb680770b56410f52a840fff9c2bf000c9e4f89f8fe59511be25

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
313f53fb30c02f9394194a265dad7f5b

SHA1
83221ddeaa46cf27ae4d5c89e7d03621efe13d2a

SHA256
025928c28a297e8746e231daf36a3b73302610a35a5ad21ba52e9ee087a6d8d1

SHA512
bca9dc72eaca2a89e4827d9128db77f3cf2b7a8f59f240484b670c89aabd52348f8a2c975c213e7adc36f2064c1fc6ba91ee757df31edb8515a4f066a475625f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
8e31730431560b97979b69b45fbdfc98

SHA1
b1ff0bd6d8c623a80b522ac2531d6e715d298cd8

SHA256
2995819cf5ca019731f553963ad6625febba0c42101e379fad5e18c741a4ada1

SHA512
3fa112bb373fb974ed84d5f3d671e2ce05a914af4d2dd5ccb2192231af89f1ef42377e2ec0a28d9eadfda7b53da3c2ed2f2480a4f96929d0b9a8b4267a1bc3a0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
49462aeae492ed7e293d427c35182e56

SHA1
acaac3eeaac08c0ca0623dc56be5e9257da95b17

SHA256
fa4c6a864132541c5d359fa5ab7703bc142364b1f00db8e8cc53bbc4728d5500

SHA512
e12ecd139b8f6729e9582471cca9eb59afe193bdf850ac732b7af444760ed9c3a3a83e6326d099a0189252870b5beb89f561a697551781da78c112211e64e90f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\892dc2e569c75e7f14771ba4ece6f3e8\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ec2cf11dcd9a5c4771f71baccd4c6a96

SHA1
9acb2d6f8f70403b94849e99b5b99c318d05a44e

SHA256
05c9efe096caa30e6054aea740057aa2bf1b6f966dfaca44790796cd3c609959

SHA512
3a4d72fef8a0de42185574204e1a9fd804ccc5dd072338a7239f584f109b42339c39fbdbd7892c8a858cfb11ec373da1dc81ff6db6ba4a740b3407701dcacd1f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d91000ba60ca0ec053eff5a68dc2de7c\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
a5385e12eaf390cdc804a9b9484c9d29

SHA1
51d97977e13013e9c76c7bfa9da43ebdf42cd53e

SHA256
a76cbe48edf047371b3f68cd7293b5a2656c9a1530a56aaffbb442afe5f2e6ba

SHA512
b32096afa9ee50fe436adbd8033d53af6ff5c2af4ed82b4c43f44954cf999a108da9140e42ecc4c0854f8443f5fea8a3e9579df129e25a8d5f143a9a4a0e6bb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8768.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP88B0.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9943.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll

Filesize
187KB

MD5
c6e91af5f148b7bfe4ef7b5e252b93e9

SHA1
4365932081d4b2eda98e08a0a4264e038460ab33

SHA256
8528915419ea08da7ef64da94b704be9c79395c298b46c375eac48f5a430517c

SHA512
55413e7c4177502ebab40e4040cf223e8d8cba59f0e26fc9df80dc843f04735613a16bf7f71aa01d566477facca6928fe000228303bf4b909ab8a6a2d3ca148c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
df2a64d244c168ed9d52d75f620bb45a

SHA1
8b915b6d633d69b973145cd9810cd6610456f7dd

SHA256
7939e48e3ffde40295ef38152c2fc06fb2d70e8e31c6816d7cbb2efc82dc92ba

SHA512
6b1f6f3714985bd62146b59c8a84c6d44029fd9e5b222910cda1fe4a92a107d7becd58bc40550692882dd76d050fdc88fc4f28309d8d160a992cb13205d68827

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
bdf8f4f5d1bcde41a3fda92c3e925c2a

SHA1
30458abd9d6c0b02d67a87ec95b4501ed604dab3

SHA256
80648c06d38db5b95d31f4eece3fe62286780f50a3149df43077679ae871d962

SHA512
b78331fdd4d537ac1e67ef8163baa258efc5b1c440dc03014d57559a949758147f9af74f48db5552f72bad96be694b3a35bb7e0459836da39ef19b6293bcc08b

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
af185f9e9adcd78446a7c3feceb027c6

SHA1
95d9f687067e6d250287d56a28da097042132c3c

SHA256
43eb078268752eece929912517a495ce856cbb7d46e15a71f49a58b43a5ec716

SHA512
d31fc3e92cedaa46d504eda00c276cdb8fe473b700c7064284a142243aa0d8d3da02a9d7e4bead6064aa874c67dc875f6ff2c8ba9c1a4dba7f3ded341d39ce97

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
f2238d2b845bc9f53afdba60d43b55e5

SHA1
80244a17ddfb92d71c96d432f415deab2dca6ef7

SHA256
bd7a23f39499d88d522df2bf3098032a12b71955ee5d73693232b466042a8b66

SHA512
a0a55b144a07157f270b51d0a338c9172f047a43fa908ebfd3c51dbb23ab682c604c4d2e8ea058698b634a7539d989c62c902c8582332dc1e98b026d73a58c5a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
ae83e2093a8946120734d77cb2216ef2

SHA1
57222852286b64b413628b71d342712d26171124

SHA256
0587ddfac99d4bfeaea1a5de08019fbe0f30f9dcae2910c09008fe2a119ed506

SHA512
d1e5a84c08f37bc78d83252abecb51d4a71633a4b4c9d20f0e204d519d3f6be9e89cf1ac07221a504894de486543eaffa388666f6268289d1be25568a2f5ad4d

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
a4f9232ca7a4e283f757835ada431e79

SHA1
c0fadb00fa2a28964be7dc97099e3bcd4d0a9833

SHA256
fa3561dcd1255bfb171886ab78416cd3c4c7bee25df1e880948ca388e13a86a5

SHA512
230b12fe6fc71310ae6b3ce0cd195e1893d65f328cd34cdd2b5556faa420e3f25a1fd8b16185ba8a954f94b0930706ed5a752765f28f2496aa5911fbdfba2909

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
ee5f01e79bcde9457a331cb7253b77e1

SHA1
ce59d745b2e2faf675357cacf689c2491130b2d4

SHA256
b35048a750f51d7799f6689a6f1b38446d632f4b99969167b81babf0487d7525

SHA512
a79d29cd4fb79f9f9d2285d28507b041b537727f20a7784b48c8e6d7a1782bf94bc83bb37a2ae0966c437993310d61ccbfebe897ccfc84e8d4b8e9896511567d

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
128f09e7bb4cbec7bba6092a97df0479

SHA1
a897c7e9a28a0f7aff204e16a59c259f54a585b8

SHA256
9143a94dd5cee06721ba7f15cb91db548ca7a8f5237d14e4b54a4700b61bf692

SHA512
d9a36b91c81e38521c9076cc4ea2588112cee044212b5a8f39dc38c4283cd7e31f427b104e68e96592a419a5463e02e29cc1c8b4902d43a07819f2bd0ed10106

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5173b7bf9bcd47fe30140ad076b552d0

SHA1
fc4178d6b8f736ab78ee7f1ae9241ae27d02ca44

SHA256
cbc2b75c87003f081ff74bf01b10cc0cb07f0138ee5edb9d72e85d213e216360

SHA512
ac506b8ab2f525b4fda90ef6e22d969ad033f88f14b33cb6f755a86f17a889d13e60042509920d35c317b559fd339077190dd8a7d3580c53a320e5366b4de922

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
13f3aded36ef2ffb77c874dc0f91d610

SHA1
915184af582331a22135e1985cceb9362e93e96c

SHA256
6f0ba4794ddd65c484aceeaff7a01a6d6abfb7fde199c0677ff0dd55c649e83c

SHA512
02d48afa5449e5a9be9daeead95edf4f57c393263f793a2a416f491c09f7009e295ed161e0105927203fd0a8c7040cf4c3d0857fcd6acec688d5a2fdaa5a33bd

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
94763a2afb7030a8825786b4588b5252

SHA1
5fce7c79fb213276efba8c43ea237352aa8df1f9

SHA256
e9297896b0c096c88f9afb00ac4fc434192b101113d0c7587cca2c1e7db109e9

SHA512
0cd3484a7daba9ab35ca7915b9324db05eeea16a047babc596cd931e9b2788b9adc2bb208c6522f062ca694c516d249fb6345e97c215d605a50d97d4474e6c25

Download Submit
memory/288-723-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/776-767-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/776-778-0x0000000000560000-0x0000000000612000-memory.dmp

Filesize
712KB

Download
memory/776-660-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/836-100-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/836-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/836-93-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/836-182-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/900-442-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/960-532-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1068-743-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1164-762-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1164-648-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1184-537-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1216-779-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1216-676-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1500-785-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1500-687-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1532-366-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1620-290-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1620-313-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1636-392-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1636-400-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1672-549-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1704-192-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1704-163-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-616-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1728-597-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1884-765-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1908-521-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1928-112-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1928-110-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/1928-105-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/1928-260-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1932-746-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1968-450-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2000-510-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2044-710-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2092-349-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2112-722-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2112-607-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2116-499-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2204-488-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2232-635-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2232-745-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2240-399-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-419-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2260-132-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2260-263-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2324-7-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2324-8-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2324-45-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2324-0-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2364-81-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2364-74-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2364-75-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2364-161-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2368-267-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2368-261-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2492-463-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2492-458-0x0000000003C50000-0x0000000003D0A000-memory.dmp

Filesize
744KB

Download
memory/2532-339-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2532-310-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2568-64-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2568-878-0x0000000001290000-0x00000000012BA000-memory.dmp

Filesize
168KB

Download
memory/2568-58-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2568-150-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2568-59-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2568-873-0x0000000001290000-0x000000000137C000-memory.dmp

Filesize
944KB

Download
memory/2568-874-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/2568-876-0x0000000001290000-0x00000000012B4000-memory.dmp

Filesize
144KB

Download
memory/2568-877-0x0000000001290000-0x0000000001298000-memory.dmp

Filesize
32KB

Download
memory/2568-875-0x0000000001290000-0x0000000001318000-memory.dmp

Filesize
544KB

Download
memory/2568-801-0x0000000001290000-0x000000000129A000-memory.dmp

Filesize
40KB

Download
memory/2568-872-0x0000000001E90000-0x000000000202E000-memory.dmp

Filesize
1.6MB

Download
memory/2568-841-0x0000000001290000-0x00000000012AE000-memory.dmp

Filesize
120KB

Download
memory/2568-862-0x0000000001290000-0x0000000001334000-memory.dmp

Filesize
656KB

Download
memory/2568-849-0x0000000001290000-0x00000000012AA000-memory.dmp

Filesize
104KB

Download
memory/2568-856-0x0000000001290000-0x000000000131C000-memory.dmp

Filesize
560KB

Download
memory/2620-559-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2640-264-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2640-294-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2648-13-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2648-21-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2648-20-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2648-103-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2652-115-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2652-129-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2652-125-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2688-187-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2688-233-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2756-768-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2792-46-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2792-90-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2792-47-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2792-52-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2796-362-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2836-36-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2836-124-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2836-29-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2836-34-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2872-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2872-122-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2888-584-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2888-563-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2900-393-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2948-734-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2948-622-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2980-587-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3036-848-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/3036-699-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download