wannacry | b03501cae380e4b39e28c519594e57e138b5a73ce5c19a6ba89420d4323fd262

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Size

4.1MB
MD5

001291f3278e27f43f753cc5843be429
SHA1

a6c22ac95fd0172e724b414b02a5fb2e61557ab9
SHA256

b03501cae380e4b39e28c519594e57e138b5a73ce5c19a6ba89420d4323fd262
SHA512

fb4afc101741014e51a7aea68c7446e777a3d92b392873b423339d3fcef0dae0106a14834d4dfd71baac02591338f762d5f6dae8b0b2b0dc7778499f3d817bbc
SSDEEP

98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HFa83:wDqPe1Cxcxk3ZAEUadzR8yc4HFa8

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3187) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
2556	alg.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
264	tasksche.exe
2268	elevation_service.exe
3980	fxssvc.exe
4040	elevation_service.exe
1636	maintenanceservice.exe
2620	OSE.EXE
560	msdtc.exe
1824	PerceptionSimulationService.exe
1568	perfhost.exe
264	locator.exe
1480	SensorDataService.exe
2772	snmptrap.exe
3708	spectrum.exe
2052	ssh-agent.exe
2656	TieringEngineService.exe
2312	AgentService.exe
1476	vds.exe
1096	vssvc.exe
3632	wbengine.exe
312	WmiApSrv.exe
1224	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4e277474e5a029dd.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{87F23B05-A117-4666-BB8C-A9C77E6BFB56}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaw.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\WINDOWS\tasksche.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000381ed90d2a3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f38ea50c2a3adb01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
684	Process not Found
684	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1456	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeAuditPrivilege	3980	fxssvc.exe
Token: SeDebugPrivilege	2556	alg.exe
Token: SeDebugPrivilege	2556	alg.exe
Token: SeDebugPrivilege	2556	alg.exe
Token: SeTakeOwnershipPrivilege	1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeRestorePrivilege	2656	TieringEngineService.exe
Token: SeManageVolumePrivilege	2656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2312	AgentService.exe
Token: SeBackupPrivilege	1096	vssvc.exe
Token: SeRestorePrivilege	1096	vssvc.exe
Token: SeAuditPrivilege	1096	vssvc.exe
Token: SeBackupPrivilege	3632	wbengine.exe
Token: SeRestorePrivilege	3632	wbengine.exe
Token: SeSecurityPrivilege	3632	wbengine.exe
Token: 33	1224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1224	SearchIndexer.exe
Token: SeDebugPrivilege	1968	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 612	1224	SearchIndexer.exe	123
PID 1224 wrote to memory of 612	1224	SearchIndexer.exe	123
PID 1224 wrote to memory of 4608	1224	SearchIndexer.exe	124
PID 1224 wrote to memory of 4608	1224	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1456
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:264

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:560

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:264

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3708

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4848

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
87990e18639f3d5d8155f5d8b11ee8be

SHA1
19cfa46237748162ff2bd33a13d5982bce7b9819

SHA256
e6fee2ea068009026397acf3d24143743930d955feab5a06347599f45e52e312

SHA512
240c8cda1fc98908225747d20ab7cdfffc9f1a4c767e1c04a3e15d1dfb3e6cd68f98b48dcda899324429ee9368d1f5dc23c94caa96cf7111237d60cdd8b56d42

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1f16708132cb2532d903ad7a14eb2db1

SHA1
7284de8904561a96dcaaf566e6f4b42a7fb94f13

SHA256
3bcab2048dc966587192b04c5590e67bdec7fdafc96bc7c37e9af5ca752ff9ed

SHA512
b4c089a71011d4047d4dc968ff2c1eaabd96a2700159e2452899666685d4f7d18f8c3d0f16d3cf4779a60270bb5cba210504bb871613b5057fe11a5ad41118dd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a768471d2f88a68e8287e5a5891adce0

SHA1
a45eacd156c869a58fad5e7eb5532c8033777c93

SHA256
cc6c73423f2f657a8dab1104c4eb9c90b023e2ec13f4bae67e9203f469b3e2da

SHA512
99254618bc64ac6c7726a7d58d3fd45099b7f584dec5430479277d7027f700c8a2173b16430137a8269d929e4bfd27926197d0bf8511946367c309bf9642be59

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9f0faf7fe3b9758c63647bfb79d077f0

SHA1
ee092a25a9fda989c740a4e2a3e3ac0e55995c69

SHA256
53e37992f6c270acdffd9f9cd628787fc86afc99a7e238ae703a36652d5c0a74

SHA512
36b87a6811cb63f427c45d43c2105995235c2a5d3970faee9390b8316d889d8b54be4cfb9fd8c64f75aa2231c8bd4bf13f7e96480d59c6e7776ffeb2072c5788

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a4040de78e220cbada8fe21b33489f16

SHA1
acda02a3286cac8fc415e5bf2dbcb4aa8bfdd8b9

SHA256
5fd9c6a561110cafa424af8be7978314cf388902067080d40d6bdb73b8ebac8e

SHA512
d32e3028df269a80cd7cda815bb45a55fe7ae891a4118a1a390cadcee13d90f224d286f0b9f3ecf3bda5819193a0de3fa16747528eeae055c2e55082eb402c57

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
363fb174a954c6c754689e6c6a2d1dfc

SHA1
c86cb93bb00de3b0c94bccd9f4d46cb506f8bc32

SHA256
7fbd8dae8a2d98a64613a5ae56d7a4a12f862b315ebe73eea442e68cf24238cc

SHA512
5de4f3be8446032f279972b84e0a82bd5085349bff089d919589ceef47d878e706c6c975755fd49660925cad468c92d2cc080e7f9b9ad8300daf46157ac5ed3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b52549140e52ba26f2cae571135ab8dc

SHA1
171d654b032f4ac90dcbd70f2f03f04abb951a1f

SHA256
3a13a00dee946bfa2bb2a6f684e32d7591e0d64ce74ec26bec9e33ba54043e6d

SHA512
95a1aa7c3e22511c6e386ac0ff430fc8ff6719d8d93df818dbce720afd356b73fae454e010a65317823100d7d5de03d117c660e24a028e07582502af2bc8b636

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
94891ec158f19c287b8d97b7449ed5b0

SHA1
af87a94759d3b324b6c3d4f409c98b1f0f6e0619

SHA256
0ea0042163f901ec5e6441e027972308a7f894263c97375c637c9dbf23338e43

SHA512
9ef3b1570e3cd2d8e6b2c39cf442e2ff1796d9099db282cd1bf53388468bef041fe568ceb9e0e415edd8c5c20d63dfdb47b75254de2d87ea0425326191acd588

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ff9dfe6b999202f183dc65ec25419dd2

SHA1
85ca4504ede0ae8d7b26e0193ea16e75e19e92cf

SHA256
af7a9232ffc56ca53bc959fadb2b59684161a1babc624b3e79c11604d373c7d5

SHA512
af583457425dcb19b00e6502c225a037750eb2de2d93240cce1ba406c803fb42ed2ee54f4299eaba6121e8d142d21bc9704f86f4729da970d5d19efd0d7e7d70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b8cafcf9e61f8917206d41fb91d3a76f

SHA1
82d9228774965e9d00ce980396cfb0a90979d530

SHA256
7955f323bcfb38e72fa3105a099a2354195bfda1a486ac73dc2e66b25e032188

SHA512
533c72568729037f31e6d67de2457a13a830089ecc9abb6cebd5f04aa581d2923f616b2fe4b21921f21007d0f8797ccd5c51ba32bc8216402f0062e1e0e60588

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0bc51ba15ecd2f9391cb6480bb3631cb

SHA1
6771bf5b885a3575f83b217980934988dd7e7186

SHA256
fbabe14a87a17497b0d7f19ba52503d24777b7fa758a3fdde56b4ea0b5879a49

SHA512
1ba0939fc2ba38ac1160faa84c79c2531202a5efaf0189159957fefa00ebb2bd0bf373381b593f988673192a07e73656d15e610ba5100ebe5a35e38c0ab2f75a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ab72f3b4a1968d7a1effd226f4dfc3f7

SHA1
d12957c7e808896779c9abc0d590260bda732e4a

SHA256
f6e5d6f2bc1eb378464ca807af23ca580c808c88b8dc6cb8f4f231fda878028a

SHA512
3013f1376ed077c5572d380174d5cbf4f8322954a3dc7eb2250c67093e642291f1c756f94088349afa0e475b537f2d22b342739100a455748fe3bd19ebd10ad9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
377ade701732295df025f6e9d9aa260d

SHA1
d9b647d0f885ff063f679d1c8604201fccd04d66

SHA256
d16cc4b3e5464afc024bb7ca0df1427954c183bfe473b8eb9ee839af2501f7e0

SHA512
3e823c49a11521b6247c5341f1ed4d28817b74e76a4c1477981329facdd9607ea4e5530dd9e4084aa01f48624f16245c3eb866a6ec7e04c5578225b66182dc0a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
ef36cf61a19799d49607ee5439b9cad7

SHA1
a613a5384cb22d1937b7a34e1e799c4d285ff6e9

SHA256
93f181bc36651a5c0ee265029d312687e94769141c8110695ecb2eca81021b34

SHA512
05ce64d209a6cc4fbcfcd34674025c8b2d07a0bbd5db8a3e70aaed92234b4b5ed27737d7d9bf02ed74613d6f497e84cacdd809c2019034709207fa26e51b5084

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fdc0e1a3d5320200081825c91d01596b

SHA1
fc7142f6ab6041fd08a31d45efcf478518c2fb5c

SHA256
d0bb6444ecc8e0b34e53d6cfa62c1d496e6ad138bcd0d40fd6b5af92fe9ac065

SHA512
23e7c72b36c8f73454b28298dfcfb5776b20b7dfea02287373ad7585ebc6b0b3fa9e0c6aaf88a2e5c0b2fab5af4b2e94982d833a79c243a6a4b6d0bcc9206c8d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
92b41af583058300b396cb84755dff57

SHA1
bc85741a53aa94f1f21c387864700ba8fb5ffafe

SHA256
c3c93c6bd9dfa76238d4ee6779dfd43b232a04a7f00375e9f43751344cb83f93

SHA512
db0a96d343c77e3105e1b2c8d6b0b94d48206f6eab46225ec52a67e3b148cafca47a561f88bd58e23434b04685eef4481de22796e64ea3ac5090976b0720695c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
164d88083e61d97128ca49dc5007531c

SHA1
899f3ae31b77ff4c831075694e1fc323c9f7f992

SHA256
8ee5a015a429d4a9751cb9d1b3df5f323c7afef5eb35ce3624d695b2a745accb

SHA512
75bcc6bd4d4f1c1bc2162e79bb2d270e0d8f832a4c60efb85c1ab7be15f0a00dfebc03a210f85bebf9c2ca6a97309f166adca46ee95cb88c216436e28ac1e7b9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
cca1a3428a8c853e9965eb9c3a64d7da

SHA1
ff2c7d36cbb10b17526a6f479649db2b819d9136

SHA256
3fefc4277fd91689245ddf60c691dffe92babb851431865bffb628a9581b5c86

SHA512
977b26fbcd570dbcd712f6ba36b720c582961f1f8fe3b62740053e05bf09454af224d240aeb5af2cb133bca0be1e80bbae52591d8b23ebb700643ff119692f31

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
253549f34f1a0db279b532998f2c027b

SHA1
a911e48631b044b95e480e76a69b983949a216db

SHA256
b95f4bd957dfd80ff6b442a232dc7112ae65648f637fcb740afbf5f24921b4f5

SHA512
cca17c2b4b5e0f643ac1575575547e1fbd4945a8351e1832f4c34608d917a018fe6fd6b0836ca2b6cae592d863efe98b8bc474a0d09d761c41b24c9fbcac7908

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e86583d5fe49687404d0dc076f4f59e4

SHA1
21f88b54dc6b872d63366d1352caa707db139c52

SHA256
46814b9deac9dfc0bcc0c15b4e722a783f0f05e9d765a8af6128473ca2c982d0

SHA512
8d25ed5e9a2d9937910d6b3d30a4c0ea5458e1da90e2f4db0d049fa6201cc7b4f1e6b7c561114611e900ede2a6a7091d9bf2b7acfdd442b3200eb6734e5d8a02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7ba34cea6418cf9198be5665d5244458

SHA1
c70734baf643eed7d2b65a8b3bc777df5edae162

SHA256
ffee55239a525865375e0c584ec1c3cf84c39404f5065a1f56006dcdb4b808eb

SHA512
87cf31d3a8942cbf80f805c077fdcc0426102005568f46b08207abaa382a89990b61f6514d3cde7f7d219131bfa8b5e14e08ceda868e0b85a28d7b95b12d1273

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8b59d811f666e4ee087cfb18731ba7ed

SHA1
e527752e025669b56f7fb43173e0d76af008e782

SHA256
1e4b84e9b2186de5f4531a12aa27ef0043d0cf9c05cff7de5776d722780f6926

SHA512
e434b48d3116e6dd1844d146dca403ea827fc1350c93dc61064520feea214b2fdb447456994866cbe5a6507f8e54c10a8469af0303455aa3281ddd6d371af8ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
86d3ea60f983bdcefd258ddf045ed7a0

SHA1
e6185c463c65539668c6199f436a5284c6208cc4

SHA256
a43eeda288ae4783c5aaa9bf836ea9f48cf54e9eeb7b053271f2d37b02ca644a

SHA512
c871a0f3a0490db5bdeb61047655928140b3c4842cc6aa3cf306333298ee6f586284860ca345ed25c371c00e6a91a36f5eb53fe010fbfe2bf6e0703b7df38910

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
c3497329209d61654c244f96ad30f2d3

SHA1
9983cd0a2e818c4152f73e5df11c250dcecc69fd

SHA256
3b21c4e6ee0deff377a5f7e82891e3d7d218a98c097db9c89362a879e0891fa3

SHA512
5263390a01f27d29c6d54dc8c7e1911fbf19c1ea774b28de0983c4a036db280ccd6bef77777c3b50430bd89d54e2f4b71c6641a6dbdce2d86fa7523f91a79611

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
65d9e451efb1aac8693975c695b9c62a

SHA1
76e884cc564b87e5d8af2ed254e988fa9bcce3f7

SHA256
34cba34339b109c0a09bab6cc705058595a08074da9ae479aa1841764198daef

SHA512
1754a5361b7d992513f0bd4981c8dabdb79b3f364f0782003b6c37d022970e4d184fb2228be2f6d7c60f8c7d7864fdc11837ebb518ffa41b04225778f63094e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9a2e5bedab572cff4e6056af4a2a88af

SHA1
2a76f666d04efc71c2a523f9b2a0623917b5afb1

SHA256
1066c4692d6a0bfbc9d75eb572c5777bc5b949cb1d5f667e465a7bc773711f2f

SHA512
c7bedcc57cf638d2a6d0f2f936425c9cc43c9d229abce3fa2f3e61202507a3f709e9e3e042e8e15a132254a5f4ca1487bd5f9ce45427f707f2e624ef2dd4cb78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b29b4435bc64597b679ed303ad5674aa

SHA1
06f35dafe9e8ce44fe6efde2f8d58ab5c3266e32

SHA256
800a0705d91a3a12d93b0832169f155484eb4a50c66b2d2159ceff8536ac4772

SHA512
3199fe20c527eb3b4c51f222fc130cc011816d5637ae0201039ce9ecb993137d3ab57a69ce576c0ef893868d3ed03ec6cd142ba306ba59ab9f1bdf4d395c9b90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
557e06f7a8cf3969556df9a2342c5f7e

SHA1
b715ef5ae4edabc1ed6d2aec7093a6ecfa998f4e

SHA256
54e6616cf5a765456369139f52f8d16090641f1e4465ae3969ed8a857968e0d1

SHA512
551e8a41b2cfc7c56a53caab9fc1ca0ea57cec87d7b72b8950c33d389154626c69fb1822c50191abff266f241029b638cd4dc7df7062d54b085a1311d3b554ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8e0e69e86c2a261fcc3e756ca2d46433

SHA1
c4620db5807f60cc6b25fe2a53d2593fb63c9752

SHA256
5397627d6d4c42616aa453c5bea16a3f47c7eb7d42590373f6e46b9408590451

SHA512
d312f9e873e7f26b0c0299fce45069dbbfed06bde05b751bab5d58481696365158273e335bd208883b18872e300ec55552c24931cbe663490527e843ec446206

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
85bccdf6f48f713e314473ba60f8020d

SHA1
8ed2bc3c58cb99ea12a3c19f8d83eed37c8401e7

SHA256
956ce5c8a3b9db2fd51b3c25f3bc03fa09835d6cd4122920993de493699147fc

SHA512
d466054d0fe72eb40538d49227b112317fdeffdbe3da9a9bd3a421d8cbc5ce5bf4bcba75a92bc316d6ed245a01ca2ec860f1967150a7a648acc8d515c5bf9d4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
014647f39221ed6672337f0ac5aaf773

SHA1
0b79169274a5c583731d0c6e1833e9d23093397b

SHA256
c237f9a5f2b42c8b65f0f6d698dde35a4b95f7e34485059105b782016baed4c5

SHA512
3629da3f3457e7ed61d4cf2d461f534a8b6431e0b7fbc0cf02572ae66871a4641775061403587ea4bd6d5ee720068deaac3a50875c1484f5a7bd77ed6923be77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
bd02fa99fc9da08b5840e281414b47e4

SHA1
71b4b700f1c558f34b94f6055125bb850a8b0550

SHA256
429a6d7c58ab16702c0eabaeb538a86f6297851d1f3929ca339663a197d2e747

SHA512
daece7d1dc3f13a618ebd8b579f99e85dd49f11e14333401fc89eb9584ec205326fa9090a4fb29c4c5eee8ff61a3dc9847e357687772b51b0b76e212d5662416

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
eb7dc73c055c4a2534e5e8f0a0953076

SHA1
f9cfa426cb264d857faa2bf942b36dcbd05cee52

SHA256
651dfa076e019c840e0a1015fd27a70fff18e46d6fb8374093f14e5e150f1a0e

SHA512
787d35daf912c3e2dc831e23c8e4e9aa74c7a2a1ca4e31f138cb55117395eb771c4b937825c28d1ab286d48915b4d01568fdb2e2939aa021b39cfe9a9b6a3ec4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
a8279389e40a4204ae4ccfe8d73d98a8

SHA1
7c8056c21384868134972948def6f36cbb91a9fa

SHA256
f660b0e04382f95e93992da8a8c0d766b5aa637a567125ca61247aa68548afcf

SHA512
8f6571313f90b5b8c5c5269650bec21a0998776d58c20567f1f02f8ec29e910ff547fda02bb8c0398482a4438d3e377af9f2d4892d43afb0d9a0a4ee27e4f875

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3783acb3da556d457e357e190c614f8e

SHA1
f95ca6e074a3afb125832e6c1257dbfa1ad884c1

SHA256
cc67b21577d38c66e94577962da9c4afb9b9ba2912f82032afccf1a01d13f931

SHA512
87aae4aff1a46ad62855cfb0f0de3e2c4be406a696233fa1c438327c112c048ffac0353a6dd32d0f6dd2f374b1462f04edc6958b8087aec17a895774a97176fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
eaf351978b387765431837c011a60f60

SHA1
fab3cb581922cb47e6b84e440fd47cf7f8736cbe

SHA256
64159e86ea5a93f1c73d6933291cda7ffc48eed8cc32eaf564cf1d48babd7904

SHA512
301bb475599a02c801bd99c50d4d4f23726d24400f7b22a06988c03edaf056324a3d27e686986d8459cb695c59209fce0036151339322881baeba401f8392703

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f878c08c940580fdba5122037b50046f

SHA1
042f26cc65a1fc0408542e0d20dd7814d2c89415

SHA256
b89323919d8b1f8a6fa2f573e90f9ee8e6e69561aa30be70f8cd503bbdf962fd

SHA512
67c4e2aa76427594e9726fd84887021b356c3c954f2b85637c0e59fdf16334f523d7b6ae6e615106a8205768e964522ff7dc85bc91051387cf1af6069afaad45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
b6f957618563c958e9ea8baf0c06d1ee

SHA1
934d9f35566eb1fa9a37278ba0296d9c088394ad

SHA256
da90a29b65803c42148a5eb52e9176131f0c04bf54648e9d963bab5645da2174

SHA512
e8c70f25cdaa82c64a40805c45a2f6b0fb2190f44eb0632e073799336599055a7fc4d64d502b221f0b8ae93decec0d811a03317ca0dad1b9d39a351d7d7afc91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
b47674d6abc0dd9b50970a871d6768e5

SHA1
c58169aa5a0f38100e6cc4290f7799cb3819ce6d

SHA256
8792edaf31e61cf3ef957876967b40af7f54a733a537b495a009595b31629509

SHA512
0ff3b9ae9c586a16e795c480e20b83767b36515a4665213b1ab7c52b841efc7c9d8ca7aca5bbee1d49705d51ae7dc8d291c354eaef7d324c4dc9c39901019c58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
1e033d90058ab4af90f1cf67b468037c

SHA1
82be1264f1d753ae1c3b65063031e08ecce18ac4

SHA256
c97e90e98186c25d9c97b8472ee640aec9d117abd4e6f2ccc87c7f15a543d242

SHA512
6ab7c29e2e931c4823501b82630f130e0597439d19ece2b7a88f1400bb7e417b2eeda9fd01b08b55e06dd4003439d465c8f8d8fd2b5e1a8144e20b42ecafb0d7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a493c8fe1cc94f5595503667d757cacd

SHA1
76773b5b91c460c5431014e32ad7d994b22510f9

SHA256
207a2704fe02170ba4354887d0fa3306986a1667e28dc78c62eae4713d06121d

SHA512
d02faecd22fb01f5cf607f0f67a2b690742e093eb744feeb674c543d29b4034d97dc143a20e370104b36c5dfb24e3f3832912b901d0115c126c3b4e415a125c7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6af7bb60319d2815b9de89f313393a14

SHA1
0896c7983b333daaa8b3329fbeb13ff126558a01

SHA256
ca290dbfa977eada3e5d0bd2c34b146d24c094348aa9f355acb93f6a8b839f80

SHA512
b9d95053f6a6125796b2cd1f604a7f9d3327927a9453b7cecbe175102210692598d45cb70c13c81a78bcd040a9cd54b668a05c34fd8536980723b110a657b34e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cbaf67422d06c29bfd566cc7ee318ac7

SHA1
0949c153e301608d0f5e3f06aef339be67beea80

SHA256
1e35e8336452fb43bdcafe5e1d0b5b5c94bf699ad286f68af73eb28a9aa3f12e

SHA512
6f5c9ddefbc402d4cbae5482fcf58fd50ff2278d510abbe9087e2c75aa1f89bc9b4f42a40db0fc755adf70d0217d30508e8a4c33b45cde9016a5ef952c28d89c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
8b84c53a34a89c182973d25a6bbe5346

SHA1
f24b2ad2d8e3e7eefaa879abf4e8efe31677f371

SHA256
2a4b0886ade58c2cb91421c17f8605be4a62de72fadfe943ca5dd00feca3088f

SHA512
106c3bc374ec7b958dac07a25a31c8a5baedcc76655236392f83218d91abc2ec1db71ad219a3137f94cc0c78ef043effc6531a883c2d33d1370edbd7b7d29eef

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d1a080828189cd19921d9995945e028e

SHA1
f8e2436222e2968379feda32f4913df123e9700e

SHA256
40b48ffcdbd9681323d0bc3c43b7a42bc29f0ab3ac92b63b8b1acc78f45d392a

SHA512
6ae948ecd95281b724f357c93b394463b1de866b7f52cd72a33965de6f3d5fa9663b033b534419908af375d93e708d0d0cd4b554361eadc49e52e5c358ec9234

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3a3e6de495b0cc8a8a6712e5f5eecf3d

SHA1
b5675636cede972c59e532ac687de19058e2428f

SHA256
90eb7fea28b0c49b966850e96f7e5ec78bf65df81ab5c2f3155357c0e910d791

SHA512
d9fc6c515c40cae9d6b34d97d952e6e94eb93bec0c570c34e46c64179da87a56851f514dc0ce353318089395a2c204d57fae562781a3fdee1a804e53e4400f1e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e3ce5767ca0fcb2e27c88b7fd8ba35b8

SHA1
b62583e879460f4d65efd5aae7a2f213f936a940

SHA256
d6cf96a5c1476dfbc8544dc8bdb58fcddb88a0d2b07f6a70cc1f0641463ff122

SHA512
42b0c1fe3c026ef76d1f9224215c2114b65656c26843cdea491ca81b8bc60a7bedd04ff88f09708293d1c2ce7bfb0749dc38a48b34e4facfa1c76cec04fd5af8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
28379335de76b4e65ea7d6f419f59449

SHA1
f0aa8eaafc50058c9e6668161f17258b39103f3f

SHA256
ac5958e69fcfcfbf09de6956ee1fea467610c492936a103fd0ec53727b0453cf

SHA512
46fb80addbf7d6a530ec0abef10b4683a4379f4013c5737cc908e20bb457983dbe53c01ebe86c262168f46cb730e7e11f9891397aa6993be06329d272f18f0bd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d3e551eeefd1477ae57cb69d8cc49698

SHA1
45653f0a33f97e6966225a55779f439db7c4f0df

SHA256
6ad36bfcc308cca314a879f4465709183e6a08dbfc0ca39aa6bbda522a74e08c

SHA512
b329b19b212dab9f3cc15b1da7de239d2581923d2132d7d50d3542533bd827168c99fef592ed46f5d7b1ea41c6e2c2fdc0471e229820a0168b198b25999bb742

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
90c135517731507253d7bac7454f24f6

SHA1
06afdde7ccc5cdfe7a65a3691845aac1a0aef720

SHA256
bf258dc1ae46848f540d0ac6f946c673155e78339e80fcd2cb3f0184261f6573

SHA512
9789eab5df8c924b80264b74e973aac64dd130433b97a33ac9c9ae005a68e9602421503203bf8bc8c2476074e9d208189815b5b9169c007735c79817b29045b0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d0039778e6e26adb5dd61d469cb09336

SHA1
92d346a8371522383c331ee4c75df03b622ba872

SHA256
823cb06bdf37a9c988e4e137b005a178defdc8811c42b3b103d4067d29387596

SHA512
91bea2dded9e2e68fc739bcf68b2d6cde6730079446ddb553814bd4b7e5b180bb09fb6b006bb147b2ed2ead3b6d8e5d9448ace594f2427e6175f28e465045120

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dfdb29e1368dbf3dcccdae22c39621a9

SHA1
01d74bf3ecff597036b416093ec600bfacafd988

SHA256
00ba6fd08ae98adca30ea6cbeb3fbaa7debf8581fbe63deb71299c76af0f9dfb

SHA512
ea9e00819b7daf4398be48325bd9aebb90bb40881402a02028198f68be26373deb9d42faaa3fb7547a8297d18b108ab8a8fffe239f6d97e4822cbafe23568c6c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0606e0ad82847fe1b81ab2caeb1e212e

SHA1
adecea53159a24fa4e04a3dac260bb5f62fb5a3d

SHA256
16ded8e7475edd0dd54f4c247351aee09ed6b9a0f0137e03d9d2f4b900f48faa

SHA512
a9d41718943e6c8e6df064defb0e7780130f8060e1a67fafa6fc034c86785e1becf230c7293dab08e37c32207ecd1c60a8ae3ef713c10cdb7cd64e574625ba09

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0d10cc8b64fbed3e628057e860504cee

SHA1
2592d47d90e86fa753c1c0297e02f691aad2ade5

SHA256
68234598806565c44d790e75b496e543fb25f7aacf70954a842749fb8dea4eaf

SHA512
46928c40de94aec7c8164356fdb5c44ee1e7ad852a72e8a82928d03b12f82d01e478c3d2a05312637cc45d62ff078a4e3eaff13af644cc695843cc840e71390d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c63b4d8e71eeeb88ffce80c1bb0a4cc6

SHA1
a6be29ef60ef758352cfac791e38eb23525ecee3

SHA256
b551e33f190acf98f161879bd214dc302c6dead4508a616f7b6ba738a03115d3

SHA512
4575151cfd6dabfbba4df1f4598c91bdb51b72e585a03330f8c090d6e115482baf9bb36192188a1852f5e96128b8f2aa5c765d7c25890aa78467dcd70414b541

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6db82ee20b7aebce8362052064efb63e

SHA1
1b8acbf82fb66ce00333fd7741865f91ad73ee88

SHA256
5d2cbe42a49ac4c14b12cfc8ff7a100da8368b31ca658a6b0f4e6655bde76995

SHA512
7bc2f5777d6dfcc6b7ac01f1261943115464d2c1badca4936896834731351c2aa729a83d3bbf65979cac779a59a32b9982d084f00fdc5a7a9f49f856df70373e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c46598b91d12f4706aa2cb6d81211626

SHA1
9feac543fa4d0142059870d2e875304be50b0d24

SHA256
f9b068d104a6a0834f37c61a202ac6de035045e51bc4b183cf6685fb768d70f4

SHA512
c1d5277e1384cc624de08bc9db727828f3918c6cb751000cc7cad48c154b14fc7e2feb16d40cb4df10a247d57f7c6c4b92caeafb766df723f2d125ea2671f18a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dee415a1c5da3901ceffd4fc32a62eda

SHA1
845351d8e283c047b18ffb4517fb7d3393a44844

SHA256
74b8785b8e166d91a912295eb0e98adede98945a13ac4ac5900af7fd99dbc1bd

SHA512
a15fac553439e068fbf7368fe0b538e041af5465291fc8aa0e7e53064804336838f91148bd37047970e65e840f8b415a641c9420e709557945912a4776e248f9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7f8d9c521a17c6b8543fbda5407e5daf

SHA1
07f62d730ca338f760e2b9945d674ec0de09684d

SHA256
c5f5dad08b4bb2b75817c5dba9606d6a6294213ecd72edbe87d375d92384223b

SHA512
d0941b473c17a29b2112830f303c297a92f93af0402dc6155d2a5e90f3af68c1bb9db7a12f796087d1288669012d8201213c1afe4a06d4d915ddeba5dedce4c0

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e4cc1cfc1409945b6c7be4a8f6628ade

SHA1
f980dd50ac4bc253250f2d676a904732ac31f3c7

SHA256
928b725326b4a6e387b9ecbf9487c6ecde67c6746a7c54e04e88962aa3badc0b

SHA512
1e93ffd5206052af287eb3e8e4beb9585b3f56d2758c141b4a3f84c2a6d36ebd1d441db6ceb0046faea2c1bcb4299e2d9d332fe1c03d4093b2e394991f29537f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/264-317-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/264-435-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/312-655-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/312-436-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/560-399-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/560-281-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1096-639-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1096-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1224-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1224-656-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1456-8-0x0000000001060000-0x00000000010C7000-memory.dmp

Filesize
412KB

Download
memory/1456-51-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1456-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1456-1-0x0000000001060000-0x00000000010C7000-memory.dmp

Filesize
412KB

Download
memory/1476-400-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1476-604-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1480-448-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1480-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1480-540-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1568-423-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1568-307-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1636-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1636-93-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1636-100-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/1636-95-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/1824-411-0x0000000140000000-0x00000001401E0000-memory.dmp

Filesize
1.9MB

Download
memory/1824-293-0x0000000140000000-0x00000001401E0000-memory.dmp

Filesize
1.9MB

Download
memory/1968-267-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1968-32-0x0000000000C70000-0x0000000000CD7000-memory.dmp

Filesize
412KB

Download
memory/1968-43-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1968-27-0x0000000000C70000-0x0000000000CD7000-memory.dmp

Filesize
412KB

Download
memory/1968-47-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2052-533-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2052-363-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2268-63-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2268-61-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2268-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2268-272-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2312-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2312-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2556-18-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/2556-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2556-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2556-110-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/2620-274-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/2620-111-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/2656-382-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/2656-536-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/2772-340-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/2772-529-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/3632-654-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3632-432-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3708-532-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3708-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3980-67-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3980-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3980-73-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3980-120-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4040-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4040-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4040-273-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4040-84-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5072-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5072-40-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5072-26-0x0000000140000000-0x00000001401DE000-memory.dmp

Filesize
1.9MB

Download
memory/5072-251-0x0000000140000000-0x00000001401DE000-memory.dmp

Filesize
1.9MB

Download