wannacry | c6fbc650ce4d22e0e4e8443429b171be195d06958dff7e28e4671b8ac1d0b20f

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03/01/2025, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Size

5.0MB
MD5

a709d7df28f649a44714d72be0a82062
SHA1

e22bca2840cae46ef9bb615c1be931e531df9f54
SHA256

c6fbc650ce4d22e0e4e8443429b171be195d06958dff7e28e4671b8ac1d0b20f
SHA512

7961125036699f546edde26f5c6a645a3a2bf01858c6dd72645dbcd687f833650bef854c59a403d14d43698a730523b145830c6ffafff650f9e4a00c9369a0bd
SSDEEP

24576:rbLgddQhfdmMSirYbcMNgef0N/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:rnAQqMSPbcBVNLNiXicJFFRGNzj3

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3188) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
584	alg.exe
2960	aspnet_state.exe
2272	tasksche.exe
1316	mscorsvw.exe
2276	mscorsvw.exe
980	mscorsvw.exe
520	mscorsvw.exe
560	ehRecvr.exe
1208	ehsched.exe
576	elevation_service.exe
2364	IEEtwCollector.exe
3060	GROOVE.EXE
2784	maintenanceservice.exe
1408	msdtc.exe
2740	mscorsvw.exe
696	msiexec.exe
1572	OSE.EXE
2780	perfhost.exe
1592	locator.exe
3048	mscorsvw.exe
2908	snmptrap.exe
1304	vds.exe
608	vssvc.exe
912	mscorsvw.exe
2300	wbengine.exe
2072	WmiApSrv.exe
2184	wmpnetwk.exe
432	mscorsvw.exe
2428	SearchIndexer.exe
2144	mscorsvw.exe
1740	mscorsvw.exe
2560	mscorsvw.exe
1492	mscorsvw.exe
836	mscorsvw.exe
1236	mscorsvw.exe
2456	mscorsvw.exe
2284	mscorsvw.exe
2056	mscorsvw.exe
2108	mscorsvw.exe
2240	mscorsvw.exe
2136	mscorsvw.exe
1108	mscorsvw.exe
1956	mscorsvw.exe
2580	mscorsvw.exe
2916	mscorsvw.exe
2444	mscorsvw.exe
432	mscorsvw.exe
2104	mscorsvw.exe
1236	mscorsvw.exe
2052	mscorsvw.exe
3020	mscorsvw.exe
2904	mscorsvw.exe
1512	mscorsvw.exe
888	mscorsvw.exe
2272	mscorsvw.exe
2992	mscorsvw.exe
1236	mscorsvw.exe
2112	mscorsvw.exe
1080	mscorsvw.exe
3000	mscorsvw.exe
2572	mscorsvw.exe
1164	mscorsvw.exe
2848	mscorsvw.exe

Loads dropped DLL 54 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
696	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
748	Process not Found
2272	mscorsvw.exe
2272	mscorsvw.exe
1236	mscorsvw.exe
1236	mscorsvw.exe
1080	mscorsvw.exe
1080	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2848	mscorsvw.exe
2848	mscorsvw.exe
2992	mscorsvw.exe
2992	mscorsvw.exe
888	mscorsvw.exe
888	mscorsvw.exe
2112	mscorsvw.exe
2112	mscorsvw.exe
1492	mscorsvw.exe
1492	mscorsvw.exe
1792	mscorsvw.exe
1792	mscorsvw.exe
1320	mscorsvw.exe
1320	mscorsvw.exe
2272	mscorsvw.exe
2272	mscorsvw.exe
912	mscorsvw.exe
912	mscorsvw.exe
1360	mscorsvw.exe
1360	mscorsvw.exe
2952	mscorsvw.exe
2952	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2544	mscorsvw.exe
2544	mscorsvw.exe
1712	mscorsvw.exe
1712	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
3020	mscorsvw.exe
3020	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\30f2957d5f6c6349.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8E3B.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7262.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9463.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP76D5.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030d7677dd85ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009015fc77d85ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}\WpadDecisionTime = f0b97a5ed85ddb01	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2288	ehRec.exe
2960	aspnet_state.exe
2960	aspnet_state.exe
2960	aspnet_state.exe
2960	aspnet_state.exe
2960	aspnet_state.exe
2976	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2976	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2976	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2976	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2976	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1740	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Token: SeTakeOwnershipPrivilege	2960	aspnet_state.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: 33	2704	EhTray.exe
Token: SeIncBasePriorityPrivilege	2704	EhTray.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeDebugPrivilege	2288	ehRec.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeRestorePrivilege	696	msiexec.exe
Token: SeTakeOwnershipPrivilege	696	msiexec.exe
Token: SeSecurityPrivilege	696	msiexec.exe
Token: 33	2704	EhTray.exe
Token: SeIncBasePriorityPrivilege	2704	EhTray.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeBackupPrivilege	608	vssvc.exe
Token: SeRestorePrivilege	608	vssvc.exe
Token: SeAuditPrivilege	608	vssvc.exe
Token: SeBackupPrivilege	2300	wbengine.exe
Token: SeRestorePrivilege	2300	wbengine.exe
Token: SeSecurityPrivilege	2300	wbengine.exe
Token: SeManageVolumePrivilege	2428	SearchIndexer.exe
Token: 33	2184	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2184	wmpnetwk.exe
Token: 33	2428	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2428	SearchIndexer.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeDebugPrivilege	2960	aspnet_state.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeDebugPrivilege	2976	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	980	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2704	EhTray.exe
2704	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2704	EhTray.exe
2704	EhTray.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2572	SearchProtocolHost.exe
2572	SearchProtocolHost.exe
2572	SearchProtocolHost.exe
2572	SearchProtocolHost.exe
2572	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
1260	SearchProtocolHost.exe
2572	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 2740	520	mscorsvw.exe	47
PID 520 wrote to memory of 2740	520	mscorsvw.exe	47
PID 520 wrote to memory of 2740	520	mscorsvw.exe	47
PID 520 wrote to memory of 3048	520	mscorsvw.exe	52
PID 520 wrote to memory of 3048	520	mscorsvw.exe	52
PID 520 wrote to memory of 3048	520	mscorsvw.exe	52
PID 980 wrote to memory of 912	980	mscorsvw.exe	56
PID 980 wrote to memory of 912	980	mscorsvw.exe	56
PID 980 wrote to memory of 912	980	mscorsvw.exe	56
PID 980 wrote to memory of 912	980	mscorsvw.exe	56
PID 980 wrote to memory of 432	980	mscorsvw.exe	82
PID 980 wrote to memory of 432	980	mscorsvw.exe	82
PID 980 wrote to memory of 432	980	mscorsvw.exe	82
PID 980 wrote to memory of 432	980	mscorsvw.exe	82
PID 980 wrote to memory of 2144	980	mscorsvw.exe	62
PID 980 wrote to memory of 2144	980	mscorsvw.exe	62
PID 980 wrote to memory of 2144	980	mscorsvw.exe	62
PID 980 wrote to memory of 2144	980	mscorsvw.exe	62
PID 2428 wrote to memory of 2572	2428	SearchIndexer.exe	63
PID 2428 wrote to memory of 2572	2428	SearchIndexer.exe	63
PID 2428 wrote to memory of 2572	2428	SearchIndexer.exe	63
PID 2428 wrote to memory of 1660	2428	SearchIndexer.exe	64
PID 2428 wrote to memory of 1660	2428	SearchIndexer.exe	64
PID 2428 wrote to memory of 1660	2428	SearchIndexer.exe	64
PID 980 wrote to memory of 1740	980	mscorsvw.exe	65
PID 980 wrote to memory of 1740	980	mscorsvw.exe	65
PID 980 wrote to memory of 1740	980	mscorsvw.exe	65
PID 980 wrote to memory of 1740	980	mscorsvw.exe	65
PID 980 wrote to memory of 2560	980	mscorsvw.exe	66
PID 980 wrote to memory of 2560	980	mscorsvw.exe	66
PID 980 wrote to memory of 2560	980	mscorsvw.exe	66
PID 980 wrote to memory of 2560	980	mscorsvw.exe	66
PID 980 wrote to memory of 1492	980	mscorsvw.exe	67
PID 980 wrote to memory of 1492	980	mscorsvw.exe	67
PID 980 wrote to memory of 1492	980	mscorsvw.exe	67
PID 980 wrote to memory of 1492	980	mscorsvw.exe	67
PID 980 wrote to memory of 836	980	mscorsvw.exe	68
PID 980 wrote to memory of 836	980	mscorsvw.exe	68
PID 980 wrote to memory of 836	980	mscorsvw.exe	68
PID 980 wrote to memory of 836	980	mscorsvw.exe	68
PID 980 wrote to memory of 1236	980	mscorsvw.exe	84
PID 980 wrote to memory of 1236	980	mscorsvw.exe	84
PID 980 wrote to memory of 1236	980	mscorsvw.exe	84
PID 980 wrote to memory of 1236	980	mscorsvw.exe	84
PID 980 wrote to memory of 2456	980	mscorsvw.exe	70
PID 980 wrote to memory of 2456	980	mscorsvw.exe	70
PID 980 wrote to memory of 2456	980	mscorsvw.exe	70
PID 980 wrote to memory of 2456	980	mscorsvw.exe	70
PID 980 wrote to memory of 2284	980	mscorsvw.exe	71
PID 980 wrote to memory of 2284	980	mscorsvw.exe	71
PID 980 wrote to memory of 2284	980	mscorsvw.exe	71
PID 980 wrote to memory of 2284	980	mscorsvw.exe	71
PID 980 wrote to memory of 2056	980	mscorsvw.exe	72
PID 980 wrote to memory of 2056	980	mscorsvw.exe	72
PID 980 wrote to memory of 2056	980	mscorsvw.exe	72
PID 980 wrote to memory of 2056	980	mscorsvw.exe	72
PID 980 wrote to memory of 2108	980	mscorsvw.exe	73
PID 980 wrote to memory of 2108	980	mscorsvw.exe	73
PID 980 wrote to memory of 2108	980	mscorsvw.exe	73
PID 980 wrote to memory of 2108	980	mscorsvw.exe	73
PID 980 wrote to memory of 2240	980	mscorsvw.exe	74
PID 980 wrote to memory of 2240	980	mscorsvw.exe	74
PID 980 wrote to memory of 2240	980	mscorsvw.exe	74
PID 980 wrote to memory of 2240	980	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1740
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2272

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1316

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 248 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 23c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 240 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 298 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 23c -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2a4 -NGENProcess 24c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 200 -NGENProcess 1e4 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 254 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 248 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e4 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 248 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 260 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 230 -NGENProcess 288 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 294 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 200 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 288 -NGENProcess 290 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 200 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 290 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 200 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 200 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2cc -NGENProcess 274 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e0 -NGENProcess 258 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 258 -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2e8 -NGENProcess 274 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 258 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 30c -NGENProcess 258 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2e4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 258 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 258 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2e4 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 258 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2e4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 258 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2e4 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 33c -NGENProcess 348 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 334 -NGENProcess 2e4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 34c -NGENProcess 344 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 348 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2e4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 344 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2e4 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 2e4 -NGENProcess 358 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 368 -NGENProcess 348 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2792

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:560

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:576

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2364

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2572
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1660
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a85c0c7e0be6a91b5fa0d5ae11b4cd16

SHA1
0dc88aae776fe01d102f7d9ae14d24d84169dcb2

SHA256
5b40ba0385bfcdf34765256fe0cb19261afd4111d437998c7a6fcddab307a29b

SHA512
493e35d80a2a7a49b544d0d37aa91d26c86e702b7df8f3887d13f52ad48275cbed448bef4f40b1d60e5f7dbd7c8e24ff8338944336791f2b1cea284a3be9b291

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
08e50db5a83b52abfc4c4256076293d4

SHA1
51e2bbc0e1219f7fa6658c1a2eaff367ee0f0972

SHA256
82ada8ff965003090a581e9ee813e9738c0ea18ef7414c7167629b913ffc4e4f

SHA512
13bc3acb15e757a6badca38956d7347a327d776355a136e5d6fd142f80331eda8ff1038136f226e6775bfadc93c340ac687fcd7300f58e796ccb5bbdff9f95c7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5963bbabaa00d638a3e928e5579e449a

SHA1
b3c2aa6e6b987efeea10ceaf5d9380a0a1aaaa8a

SHA256
8170f6b0245767e99519321144a3b8eebecef35a1bd8ef1443023b98338a8496

SHA512
3ab492e95258a3cb1d184a2cc7bf7feee1518d11184d2d551544d1261ddf94d2deef9ccfade38fa4b15f2c4b5739748ddf0fdfaecbbf1f8ea0367c2145266399

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cc6b38c0bce3e5a4beb3c2ca6214827c

SHA1
a3456174d94cc89b00c6afc7a7336d971eed1da4

SHA256
6ee26f860a30ee309ac127322dfdeeb346598271102d65e8dcf43ae6fb4121de

SHA512
2133677882ab773a1dfea8a75228645c61e0ee2b7df5bc01ee8643ff6f0a55c9059f6763a3f93f3e70eb9977d6f709388cb8722acc7c65ff3f644209465ea551

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
1962ad8d277bd6565faae3c7efd31688

SHA1
8c7a06af42b2f85d450723321c928e815a820729

SHA256
217255b751cc9b822037598e5229a2ca5f11fa5bb421b429c4b2ca0a14f00c2b

SHA512
9adb3b0fece63c3aa58616f04390adb8ddbd4c6fbd8551d61b1644fe17402ef25fc66994737d26c15bb1d8b8fdd700af94e8a1aeed03040ac13c86a279fb156e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a93108672043a5b478741734db687418

SHA1
8ead5a00f0b9e884a55e36359c9d00e1bcd954fd

SHA256
137c074e77fcb4113b407a4871338d4c637bd610c10ccabda9c80f1b7453d430

SHA512
ee1e924081325b79d5fe48412e74606552431e77b13dae68b1d8d430d58b3ed824020e977e5a953ccfd6b47c03a1713a91c10374b33d456b360fca4962ce1232

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fa247235ebc2269080928a1e9c12e4be

SHA1
abae1a849d0c16c0287c1c847529f7aab39cb1ea

SHA256
b83d6b9d6f97a1a257a654ee53b60db46e71a29ba3f814315f80fd7f954ff16b

SHA512
42b28cfd7f076aef21ea122df8cea2b6d475dbdf339f8f858c1d9cc0698447a5702d6916dc8b6411e25895fa090b3d9ba61c4cd7fc88cbfcf4aa2bc30844e0fc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
21b8951903185cd8c8d23dae8728cad9

SHA1
000f74796cc06c5742a8f86dcc37213f243d1a67

SHA256
c046883c856732be842626b8a771d13aadec9926786b73b7c911c1f96ea529a6

SHA512
316c71f42a0c3b4784cff3db1484e353b806839e1d84147b66b9d2cfa7a599900a9c2ce99e38dd9533794927e3ef6c02c1589add13385f30e48e1f6305128177

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
52863b738fbf98572c843514c135688c

SHA1
87be419bd95ec3ef8d46e12545d64a2de37144dc

SHA256
c4a445b28896ee58f694641650c4fc2dca3109878c181f13e2c33904c1bdaa7a

SHA512
b73ba6bd35ae2e210910a7e34d6a7b89bd02f041d14c2f9128bfbff8cc70689d0c5c2a64752358424699377b807c1c09fbcbd623583b0a4de4124cc4bfeea2bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
d5ac962ba4196f2fa94b61a06b51dc09

SHA1
479cb3a8c6999ea73bc40d54442170335d9af5d0

SHA256
6bacd7269a4c1be9b1026f5f73fc8e0489c86b8fcdb746422a3af980d955ae2f

SHA512
66f471cd41f6c5c14ff062bb1b2fe81cd6f082c6303219d07033268c468361f1b8418a6e54fe38916386371d4624dd692e88099d89e088dc7363f83032df32e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
81da681f8aa2f4f2117c2f549c798de2

SHA1
616c7e4498167debcea7bc18beddb05af7952deb

SHA256
1d800d4531712c2692e097b819c45a6a91b3f4f4123f48fdf543ffb65328e84a

SHA512
3ae0dd0297d01a0d7134560755fb8daf1408c813fa374fbd33f6e22b1b11ca160b9643b4b7a7831099ea43a0d62d675082e934fcac7740cdad2f30fb54edb6e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
81383d2d818aab7f9981b9fd655239b2

SHA1
c6adaea0b5e3aac43284df4841f939f7ff9122db

SHA256
bad288816e7c1ae5acde13a25fa5a6ddb4ff5de66b4919ab8c4554724a79628d

SHA512
c09a9e33842623f032508f1da6bf4bea95ae970395e5a287dfd9b333ca73577fef637714b4b79bc9bb44eb39f62176fa943703f129518415c986e600bc08c6c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5685572f39170768e79249436a26fcab

SHA1
2f16fd0cf22279c8980bd556016d63f1bd857f48

SHA256
afd0602ea4f9e88cd481c80a513de4976f666dc4431b02da33dc3aeee6d2f91d

SHA512
977ad2faa1431600d3719f5a3edf2d67e4e72d8ad090b1d7adf14ac8c10149aeb78d3b089123650d070994b79bcf76d5d2565cde3bff616de0b02dd8190c3a65

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ae5adfa27d7d17293ddfa961eaddd28d

SHA1
de2ec9626ce3ca29a3db0234962b464b347bee7c

SHA256
d2c1ae5be8ca931a20317d69ea53ca7e82f72daaa49222b6c4f435d9b752fccd

SHA512
6968b584d7181ec75099938e2ff422dd457416a74b8ca823e67be08269146460f72435880b7489b9e40a764d23d268225cb60b7136fbdf9c1967a17a249cd37d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
41d629d2f818f15448798347b54b3f92

SHA1
eb37cdb9e769bec948b35733517ba7af8bf626dc

SHA256
82a0bc98f466d9dc9564cded90c80eeb7cd63c88b30f41f0c748fe2c1249f2ae

SHA512
c4aaf96ec89ae417b76e4a2b08ec7dc44217b57e4b8f43fbfd879afddb56894bd53d2a37817bad772e4d94d749d858daabaf18971762fbe8201fcca194656807

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
e7ebd6b078df3cd6e2917e43c9a1a980

SHA1
19c43a07b6c4faf98042f51faa4358058b096840

SHA256
900b8e8f92ec9b1c504356f6f984ab227d240b7d6401d186356f896a8dfeec28

SHA512
4c97cadf592a22baacd38d7d3babc659164b2da5d952f88f75fbadbc7e18bf94a6c7a3d02d83ddb5d9ad5f2999e15c93d732a78774731b4b72b0f3edfc69c485

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ba53b10a57cd2dcf1cb5c6dd824f826b

SHA1
845ecf55a92256b8041d154aec6827b9e0b486a5

SHA256
f265c9e20796d0bef5bd787ac1b2d9842be66d9b913987556084071983aa3bea

SHA512
2abbfa241aebf87faaf68b8679917cbf5053dd60df6ff6154f133c535fb6b536921133e732e90083e89c689e9beecccb606e1647c6fa2e364d2d9cf704330883

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
63971469e7c0ba38b250ce1dbd5f2b49

SHA1
12def4e358c68207947bd0e99c805b378d975c2c

SHA256
83f8d3efdbd0ba13edb3a6557c90c701218120d4aff1510cb38747f1f44531b1

SHA512
bc87566a375cc448c9dc2a971484682e60420ddbf3be3edab01bdd7630f5900a97dd9b3ff752a8afca9b4e123d2fa21c1b0149db0167328fe2651e275671221f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
673781233b21a2793db5b08f94db78f4

SHA1
298d2206834f065c25261aabf79d43ccd39cf006

SHA256
d291503e6e066bbe70869c7bbfd457df200ed4b04f9ffff27acb0c033f29baa0

SHA512
3b39a7ad9e249fa37a09268c2ca060f9bd8b1abeb67301523ee4615fc4dc0b14be85f0b733d60d93c508f7306dc7cde7e558bc66fc3d75fa9e58ead5f1dd51ae

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e0e3a3b3a9a5ecd7992fa2a38ee9b32a

SHA1
e32dfb42d8fb9d6742ad305af447fd0773224df7

SHA256
5adf6524a84ef9cec87ecfca2a84539f51818f0ba7c4125f69dd4f55b4f3d1f8

SHA512
6c6043085a4edc537f594052ed950f4022fe1782fad813c23394ba2c98e7387119a7d552ba50fac21855903e4b0c85120aaed84dc4c6099670ac4b6f357498fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4305de9742a40d9395fa1659df9c3f00\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
aa752831fdf76915a0bfcffb81dfc223

SHA1
46e734776cad3fe37b3d4217218c0f504b143e97

SHA256
3f4ecf96e0e4a582045acfa5d6d95e5dc8b8b621f684a5aeee945cca1fd30aeb

SHA512
5b7238662eded7bc8b43725bc4154ee3cc4b9228ebe6c77984bf93fe0e669b7688edad03cb735710b846ce95d4eaca7b9227dd197671b263255f31d8f52af5ac

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\952ede05f03f8e49e4c4acd4a8064c3f\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
fd49f76f160b520a0b0c23cccd734643

SHA1
9d20f4ed1ffe27fe76e2b2328e3aa213bbdbc4f7

SHA256
9265926395c7e5bf87059501a2268c94bd566129e4d9bb361745dbf5eb7d2acf

SHA512
767b072bb4f52e47522f855238541598e56f3e819ec5852f3bbe092c00747fa6823d113e84716e6ffad88b55f5ae2715446359aab158693ec32ac01070b03bed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\956c6aa7bc2c755a222fa812b31923a2\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
0a568b577127f2b5e4657413f9b60f2d

SHA1
07b991d7e593c12641a87b44e0f0239397d81538

SHA256
4347d4ad99abe4753a546fe78183ee75bf602790a3e0e4ab12a32ad8b482ffad

SHA512
c86e948917e0cad3d3db485f32d3945ad4c1e74d097712a6919c87c8ead544961e59e76c2f1b39ad3d87bb0a60a90f56aaffa495c3c17b3f73d6a099a392ba2e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9900a3dfba598a4745de9b1a0be6dc9b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
123d41de2fb2da87b73e482ae3faf858

SHA1
6542bf4cce5cd2cb350035de6d641ed209fa74ab

SHA256
ec3215639346b143e06d36596d5dfef97ba96d01a66f5431c7d33b3c91804ccc

SHA512
a0893ade30ccfd658f07326431db460703361d4f07f5af767f4fc51af7ec1ec8607285cf15550ea683cd64c94b8727d143774af0d959207c0f2b3a523196df5e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a376b33169cb2bd169e62a4893d5daeb

SHA1
eaeeca0604fda0f3b45bf83d6a630402ccbe1a2d

SHA256
dbbdfc40f2228e5b1a42bc35ec6e270c927c62c129279c31710daeeb83668940

SHA512
3619c4fbd194711c7f2436ca8084416ac9bf8370eb7dfad32144ec18d44d85787fd2135538fe59141dad89e5175bf673cc89962d98515ee844a56fc36aa963ac

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
29402e7909d194e2342b8f327dba20c0

SHA1
9454c3fb64072482b40b7329d09803ec9c85e6b9

SHA256
7475d664a3e9c5c2cdb9e95917f5e0e211f8f4e8f3bc8536ab5b96de1b44dad8

SHA512
de7668bf300829a6ff4d3453a041d23ee4212514ca7e786b7e83900c1c6bc7f0fb632cd6941b28f27c92a45b1353a6bbc9f353e9b957323e2d2a48afe2577788

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
849820a9cc65a80892e4f4dfc64ed263

SHA1
c8e58a59557523445dde952f04c075c2d52dca7c

SHA256
b4c83d12b48b49b5b7900490fbaa2657cba6e5e4a8e1384e726a002156c0093a

SHA512
156e0f0fbcd99b20423237c1372acab4363d024030fcd4447c299813d01fe7a6fece212aea4f24e052530d498388b64fdcaab52efb508860bd6749d9925f106f

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
10bb263966381c920b04c8dd3dcee17b

SHA1
9ff30d8dc83b74ecaa9ee18b388f02776a87d331

SHA256
9b92582a24be3d97257e95f5d651fdf7ce506f816cad85dbbc45b5bceb38e143

SHA512
1556e8e8ed1ee122217562a0a9a4bc392fb67daa705103e184cf070c6a69530fe579cbe7ea4dbafccaff6918b59090794e7f43d9aff2f4bf6a19e5d0d1473e43

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
cc1accaa6a30b63844deac41b18ef556

SHA1
7f0f11eed5d5a7d1a02943778d76772a8824f538

SHA256
0a5283afbfc85fc1c7b3c5d24f8c8f7477d29fa50242fd8944e2be2059a7221f

SHA512
4bfa4222f2c866b8f9c22e7780b4e421db145e1e66bea541c10c841bb234086c5fecb373bf1676de80604977121827dc7e49c9ff5161a9a34855511fb5341d36

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d99bca33133424c92cdc5ee1afbe5bbc

SHA1
6b6888c07e79f8c5e8d6606f42023b115c36e4ed

SHA256
b6e809f3c95ff01c198e1fb53047875f2e67c8c5b938c6bee237ea6dab5f406c

SHA512
f3f2081d49cd13db2b2a62783ed0aef10fa6eb7fbfc89449f1192f3328b5deb497b7bf0ce4419830cf8c15a6bbac25512ed7a7214050e3e8c3af1cfa7aa96bcf

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6f352347f93b21b5145f981c3aacf4e3

SHA1
45a05779a0965b9a7edeb96f185da21fcbadd636

SHA256
31b7d5a6c12b191433946404e23f8ad5c4c6d5dd7684be26960812fbe68e7cf6

SHA512
a39b671daf34be11ca2606a946e86bbe8394676356a487e38abda8e61dfaed204d4a1f5f4a578d7c9a3168116d784a36a3b40394f57cd2a1c4bd13b11aee927b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
5d691c0db033d08e9fbeaabf32557bcc

SHA1
940f3b1901428514722207c14bd7a7defe3b23e7

SHA256
489a2415c457bbc209ab4bf17e568a9e76538e4d1ea14dca40ee461ad82bb6e5

SHA512
47dc7d01ab47743844d4ecebff4880afc4d8a7b6d7706cced2af5b3dd7654057fb00ee828f328f7c6b6ae8745deda43fd74d010b23e3b9d73db3690faeaaf44e

Download Submit
memory/432-302-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/432-316-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/520-82-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/520-88-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/520-90-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/520-163-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/560-104-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/560-169-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/560-122-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/560-123-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/560-106-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/560-98-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/560-815-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/576-127-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/576-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/576-133-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/576-126-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/584-61-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/584-13-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/608-255-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/608-343-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/696-192-0x00000000005F0000-0x00000000007F9000-memory.dmp

Filesize
2.0MB

Download
memory/696-245-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/696-189-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/696-254-0x00000000005F0000-0x00000000007F9000-memory.dmp

Filesize
2.0MB

Download
memory/888-919-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/888-917-0x0000000001870000-0x000000000187E000-memory.dmp

Filesize
56KB

Download
memory/888-918-0x00000000018A0000-0x00000000018AC000-memory.dmp

Filesize
48KB

Download
memory/888-920-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/912-293-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/912-266-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/980-68-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/980-159-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/980-62-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/980-63-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1080-1015-0x000000001AD00000-0x000000001AD16000-memory.dmp

Filesize
88KB

Download
memory/1080-1013-0x00000000019E0000-0x00000000019EC000-memory.dmp

Filesize
48KB

Download
memory/1080-1014-0x000000001ACF0000-0x000000001ACFE000-memory.dmp

Filesize
56KB

Download
memory/1080-1012-0x0000000001980000-0x000000000198C000-memory.dmp

Filesize
48KB

Download
memory/1108-674-0x0000000003DD0000-0x0000000003E8A000-memory.dmp

Filesize
744KB

Download
memory/1208-110-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1208-594-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1208-116-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1208-120-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1208-180-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1236-971-0x0000000001880000-0x0000000001898000-memory.dmp

Filesize
96KB

Download
memory/1236-972-0x0000000001A10000-0x0000000001A1E000-memory.dmp

Filesize
56KB

Download
memory/1236-974-0x000000001AD70000-0x000000001AD8A000-memory.dmp

Filesize
104KB

Download
memory/1236-973-0x000000001AD00000-0x000000001AD16000-memory.dmp

Filesize
88KB

Download
memory/1236-975-0x000000001B260000-0x000000001B27E000-memory.dmp

Filesize
120KB

Download
memory/1236-980-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

Filesize
96KB

Download
memory/1236-981-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

Filesize
96KB

Download
memory/1304-246-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1304-330-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1316-47-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1316-79-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1408-177-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1408-239-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1572-269-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1572-197-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1592-224-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1592-279-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1740-0-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/1740-44-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1740-8-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/1740-7-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2072-596-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2072-275-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2112-999-0x0000000001B00000-0x0000000001B0C000-memory.dmp

Filesize
48KB

Download
memory/2112-1000-0x000000001AD60000-0x000000001AD70000-memory.dmp

Filesize
64KB

Download
memory/2184-635-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2184-280-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2272-935-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2272-933-0x000000001A4F0000-0x000000001A4FC000-memory.dmp

Filesize
48KB

Download
memory/2272-938-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2272-932-0x0000000001870000-0x000000000187E000-memory.dmp

Filesize
56KB

Download
memory/2272-934-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2272-937-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2276-53-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2300-270-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2300-563-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2364-138-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2364-195-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2364-753-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2428-695-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2428-305-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2740-181-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2740-238-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2780-218-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2780-274-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2784-160-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2784-184-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2908-242-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2908-304-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2960-25-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2960-17-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2960-18-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2960-81-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2976-124-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2976-36-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2976-34-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/2976-29-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/2976-118-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2976-43-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2992-958-0x000000001AD60000-0x000000001AD7A000-memory.dmp

Filesize
104KB

Download
memory/2992-959-0x000000001AD80000-0x000000001AD9E000-memory.dmp

Filesize
120KB

Download
memory/2992-957-0x000000001ACC0000-0x000000001ACCE000-memory.dmp

Filesize
56KB

Download
memory/2992-956-0x000000001A950000-0x000000001A968000-memory.dmp

Filesize
96KB

Download
memory/3048-235-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3048-250-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3060-149-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3060-194-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download