wannacry | e63f3fe8cd43ef2bff362253b4b0273f2b46b8364fa00fc25e31aaec980eed4c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/12/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Size

4.1MB
MD5

557c1c30ca9e5495583181eb81d57c7d
SHA1

85baedea5e68da4e1b456dfdbdafbef7ea0f47a4
SHA256

e63f3fe8cd43ef2bff362253b4b0273f2b46b8364fa00fc25e31aaec980eed4c
SHA512

1370890690f54e77ca830121974d76126873f0179b1cec20b475abc87aa94b4ded21d63727e105ef610d7726c9191a2840b282b5b1c960b56b24f2f44b08e251
SSDEEP

98304:qDqPoBK6SAEdhvxWa9P593R8yAVp2HAa9CUEbet:qDqPJZAEUadzR8yc4HAakUae

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3291) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
3948	alg.exe
764	DiagnosticsHub.StandardCollector.Service.exe
3460	fxssvc.exe
2460	elevation_service.exe
4376	elevation_service.exe
3684	maintenanceservice.exe
2944	msdtc.exe
1660	OSE.EXE
4552	tasksche.exe
3824	PerceptionSimulationService.exe
460	perfhost.exe
3952	locator.exe
2788	SensorDataService.exe
812	snmptrap.exe
4412	spectrum.exe
2852	ssh-agent.exe
1520	TieringEngineService.exe
2284	AgentService.exe
4768	vds.exe
2608	vssvc.exe
3660	wbengine.exe
5020	WmiApSrv.exe
4332	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\48a02b073e6c0d63.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{86C113DF-C14A-4A2D-BFB2-2F0FC039BBA8}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f2d8e4d9550db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f625294e9550db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1f4544d9550db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002da6654d9550db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069b5b64d9550db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b0a2a4d9550db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1f4544d9550db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bddf7f4d9550db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d45254d9550db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bc9aa4d9550db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
764	DiagnosticsHub.StandardCollector.Service.exe
764	DiagnosticsHub.StandardCollector.Service.exe
764	DiagnosticsHub.StandardCollector.Service.exe
764	DiagnosticsHub.StandardCollector.Service.exe
764	DiagnosticsHub.StandardCollector.Service.exe
764	DiagnosticsHub.StandardCollector.Service.exe
764	DiagnosticsHub.StandardCollector.Service.exe
2460	elevation_service.exe
2460	elevation_service.exe
2460	elevation_service.exe
2460	elevation_service.exe
2460	elevation_service.exe
2460	elevation_service.exe
2460	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5036	2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Token: SeAuditPrivilege	3460	fxssvc.exe
Token: SeDebugPrivilege	764	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2460	elevation_service.exe
Token: SeRestorePrivilege	1520	TieringEngineService.exe
Token: SeManageVolumePrivilege	1520	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2284	AgentService.exe
Token: SeBackupPrivilege	2608	vssvc.exe
Token: SeRestorePrivilege	2608	vssvc.exe
Token: SeAuditPrivilege	2608	vssvc.exe
Token: SeBackupPrivilege	3660	wbengine.exe
Token: SeRestorePrivilege	3660	wbengine.exe
Token: SeSecurityPrivilege	3660	wbengine.exe
Token: 33	4332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeDebugPrivilege	2460	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4080	4332	SearchIndexer.exe	135
PID 4332 wrote to memory of 4080	4332	SearchIndexer.exe	135
PID 4332 wrote to memory of 2284	4332	SearchIndexer.exe	136
PID 4332 wrote to memory of 2284	4332	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5036
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4552

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4376

C:\Users\Admin\AppData\Local\Temp\2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:460

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2788

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:812

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4412

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3032

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4080
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5ceff5abb2e0b8a0fdd8c3691792a8b2

SHA1
888d284da3aaa1d115035b73d9dd8d896a92a9df

SHA256
e0004a28e50dd4871ed0635e9a025c0e9715248cf7696db8bfef0178043fc4e9

SHA512
2250c5e256c45cefa8361c61733feabf7832a40cf6f13648bf94587aee0daa1b92dab6a8eecf1fc4890886fdf97d3449c7d565366ba2f9e6ba0f8be278658c7d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fbfef64a42d37f61e141a68114a079a2

SHA1
2aff9647e5285f96d18d8b02e3a7e84242a6df00

SHA256
2d5cf6bbb412a700f29044634375bef68685ec73af004da01d3fe009be8652fa

SHA512
55144d5cea1d54831a29262386510d452682a963deffaade99b7b321a849f60463452883c05581874373791ff5967d56daa764d6e062061681f96975499991c3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
de2542d6008e9860919f65fb37432e76

SHA1
3464cd5769775669e8aa5f96273687368f800f8c

SHA256
9578a658c649afe41424f6a438914e37abf3e0a6e03d5b827156a88f5bd1ef25

SHA512
359d144c9cb17266d82afda170f4fa1c38c4df62cf7c8b1320038a140d758561bcc1b7bd34c7a7a1b48cbbe7bc4b9df65542d9905f29c178c3764b5add07e516

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
68441c93c50cc373401631939185eb13

SHA1
be3f8b75208571a7006a7b3d7645e0e836361601

SHA256
8806ad38b51a3c4ab934a06575e16fedab299ea02f8cdf76956a11d02e6c8a2c

SHA512
65e8b6b79ca5824f111db4ce3d227d8e780f5bd37134e0fa85bc7e1586889d690a80d7fd440fdb54e09042d8192b252e38d3dab593fa921a288cc133826fc399

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
79a5f6eca337bbe8750792d3651f671f

SHA1
0f39efb7dfb3d39b83d946667b8f0d62d44bfe3f

SHA256
8d863b668f6e1ba56d2fc9a3c5108259d387a2de2d54e3ea6a0602dee2a84e4b

SHA512
fc3df6eadbb9737d4ad8f5b4734f2f7f320bbc29986514c5314cdbfd2aadedf32524faab9d201eab3c106285363647cf9daeda6520c3930f8ea7c94f44a93e65

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
75054016709bafc0fc2c1cb4b7b23d20

SHA1
bbb657e7e67f05c6156dcec05fd6a600ed2951bc

SHA256
84ae7dc2cf39de33c138823c6f5ddda85b3854eb2e088fbbe5d7c8111a4f32ca

SHA512
983765b9a4437e203a59a51b205b9effe6b90e7894cd03f2a69080af86b124accd916af5626a37decc70c0fb7f488c4c69e0c41c42c7f3965c5fe29610e6159a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
40ea02c50f0ea51230e1885fdc43d550

SHA1
a2abe424f0daf2480a19687b75a63afe81ed6309

SHA256
8d32adadf28f6ec390d48155e90894ddd7dead8fed7fe21a98c29fd3cfa54ca1

SHA512
a830499ee681769a9f389e95eedfce4b5deb9b69ed3f1644c8e5c56e4ea3b0157f9ddd8afd5ff5095ae53ff9f3640d1ca34e7e05f9ba4e4b70e09bc4ddde64ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fd7dd9c5e6538cf7977e410657cbb6b9

SHA1
92914d774417aea5c7ee606337dd3969f154bf99

SHA256
0c46eb0305c660dc6f020791437713fc86a40d5111ee180c1c6c97b839b3d5a3

SHA512
545f07fe2eaf04997befd0056a5124cf475c8b09d0de8c402f2a58a3829073fffe9419592efbb350b0657c88f29cefae090aa9bb0eed5036fba45e86bdc5ab44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
fefbec713dac551b7d296c42e138d341

SHA1
64d3c09b02703b5797c640160f430c31ec39d300

SHA256
28d180be00133735e147d76262f884ed66fcd18a2a3275fe33c6cf710a6b642a

SHA512
2343d128b1b4e622c6dc2d44766db40068263358ad8a252ae6a6f8e1d39613330d08f6a2ed9dab85c08772f33f1972ce18593ac5baa7f343eeb169133f26e19b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
96eb87f1ec0aa9d79915b0d72171dba4

SHA1
144f12528ca44f8783ad491c75d5214b91756977

SHA256
e0dadea5e7d8717176724a541b18d93e47515c6e555fa8f887be6ff84c2f52f4

SHA512
ee42ad30765b978571098665b19be3a2f4146d55789e78122f560e61544e4953818355db9a98ee80d1c003d890b4ac7989b5c371f8620462fd53becba7fc85dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
35235a5fcf8d8a80a6669d7bef3de041

SHA1
4f2af4fde31067502c9424fa9f0ae4d82ba437a5

SHA256
713b2ae152da777514ef96f33c8408f330eb8ca481739eb75f14ad6951dcb3f9

SHA512
a9eeb984cac9c9f5d63b99feaf896276b9dd4de21e3f88ef5849a847a4a4f92b41a08e68a8ed1e9c96a574191a0e104d2feb1e5abf1bb44c834a725dd6a92ddd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
65f76b76ee8c69786c6e63fcc7f44af1

SHA1
ceb3c2197ce0a526d2bdd35ebf0d828965cbd751

SHA256
ba0794fffe0f578e9c44ec837bbc5f499434ca3b0f322e47e4f143d8b9ad3fbb

SHA512
d64af39971ffd1e35de560281cd8f99b3b5c0b4b7c079520b779331bc954b9fb514c1b5833ab329890b9ddb80b00dcd2157ad07da22604aff3485353c35d5a4b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
2ea38c65adda65113ca5957523bb1b45

SHA1
83ca577316caa17a9f11e00402467deffa3273cf

SHA256
047cb9c4f895110fe10df01ef096ed927ba1a5ec4d2ea99d81768a59ef0bd129

SHA512
1c5e0075693b7b257693c9f15dabe31baaa940eefc53e0c265cfed61a28cb8679098be6436fc388bde76c7578b3314a9e3e6dad3877213a7c134a0f7b7ad5553

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
370909a4eeea00a8f2403afc7d40913a

SHA1
2b3214ea0e9dd81fb41e80242eb0112a8aeba375

SHA256
5f62777a76096fd0e01104daf24f27058a07e5d32af6bda14e77c9409fec01a7

SHA512
8f3ee9cdb1cef6c9436188fdca527adb8953822560765c1ac019810c2ab6524fa33c5dd8d8244484fa8d4c9e561ac247df996533d189c9c9d90da2058e07c2c8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9e6bbcb0348d02eb18bcd48220df1443

SHA1
a50dfce0c94227afe606cacfbf796c08a97e943e

SHA256
67777edf7f54fc78105ee04e02b73d5725426efef45fffcf248b6eda96719651

SHA512
397af067dfeeef0b8d01ef2b7f7fc48b744a8b28fe699ef62e8e4b466598202d2cf7520cd80d6a7a9643e9560cbebac1c57965a2a29b7ab3fed3bb95fee215aa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
ab0b5ad29cb70d8235c6627df78926b3

SHA1
0ed2ffb109cd9f65512881f990eb1778f186314b

SHA256
b78d57e372702be77f8ec78fae1a6cef0edae89a558018ce5e7f7005bb20b5be

SHA512
4c196d40ba89507c0c08681d2dacd5b447b8c5d1ad564f97128bb1e0af8b09a827c400e441b307b11f9cc7223521c38f89888d059d73fe87d5a392c838dcbfed

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d7b651f09ad66896bcdb83b68650ab84

SHA1
544bb08feca5fb99436a7994a7512be2bffab86e

SHA256
1c2eee08ead4dca736a5c8db30c7643d3422846efc73e1c2bb962bff48ef4584

SHA512
852852d504294edbdfb1c562c7dd43b8c50fcf2c899b92693b1269fce0faf649ab66b02f8a3c2470bdf8484ebaf74d89033b8e8fa46fdf9c164643b18e4590a7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d879477305df60811ac04608ec421adf

SHA1
ceb274f27ccdf1d8a1f036cd22693569d7bf326f

SHA256
7ddabb1bd75aaee259c303f05c6b4993b395964be74361b097687d12cfeeb6ab

SHA512
b8386160d7ae06ac2b6195155262acdfd8fdd9ce2750417d754d6ba94ed64644e178f41729c1ae9f79ca5d155cc5d281112113771548a3c5b6e428acbb6d9ada

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
354403d099a26d25a4b99afa8370a277

SHA1
189157a0a0f63ac1cbe8a830d3f87f447f1dd4c0

SHA256
ab747e40c7ca7408eeaf49c5f66bc76d8a4e9921e3dac961ee82300ca35b3099

SHA512
c457e8d60ce21177ed26443a234dbec52cbf63c751323e72a09645c52c7cf3c988d956bb890f0920c58fd992998cc47ab7419c688f0eb3c6d50a3b6ccb4416d7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1a2c94554a0e56129a4c628129d42f6b

SHA1
b8bda7ce34d187440d3eb630ed614bbf7f7b1c31

SHA256
8f8fbd6e1d9cec5b975b0620f2d10a61f98a1fcfcc914386ebdcc449dfb5c4a8

SHA512
54c677184beeceff16656d5ec396f4dab6185f7ae2cdcbe7ce62bc6d981ebc6196dcf902f5482d3e468bf9da1073d81cee3d5dd10b7a543125022813ddee1a77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
004c68c678ad2845c011943f3acc13e7

SHA1
9ab6d699f735c5ece6834e4c2d5fdfb8e1c7d80f

SHA256
36f18a886a971eea504b8501b43d6423bd61302dc9cd417528edffe7456eaa6e

SHA512
b37da265883105831c0074fa27377cd0d37d972d9dbfa48becc7c831cc16d69c2ffd6e3188aedd4add141c833f55db4178a6dd5a330d9919c9c57a7289514a89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
de4fd902ceacdfc85783e03b7335a683

SHA1
688f58634f418117ae8b25dd5be4fd8d1e6a8de1

SHA256
4ccb6a3b46d0ac2c2f108ba1e584d9e5d402dd7b718a0e87e20ee185d0d5772d

SHA512
5f40df79ddfbd5a2e13e03ae031452d1f828bc76b921591ede0f44ed9731206845d569f4333863d7baffeb479779162d60b8a683ec9e0c2c7b2e9f9c9bf82e47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6c92dd342a9dbcddd0a349ec84ea7fd8

SHA1
6cf108e462f6b5668527579d99f8bf5ca3f9c4b4

SHA256
41e929da4f5f004d3d4e9c6db8b910821dca39b70ade2dee8c67fee3bd887f2f

SHA512
05d6b33a7ca28a9f59e612034748d1c7e799affff788c00e4d69d2baccfea03cf04e8ba22ffd3f563d40596497543a2163e025be9e2c99f829167d1183eddd94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
81cf267fdc7f7338024eff9b8664925b

SHA1
0f585a36cfa6b2d41f88837adb6d7f6e2e080bbb

SHA256
b3f68bc21e1045e93c92cdcbef35d736652cf2502d0e3472d220d8e77f5d31af

SHA512
8970c79bfcb6266ed8255aa996f443e26f16ed40405a6dbf3118d0df89219d241f455d836182ed9b38d39a7b77e48b07b1e52ad16d7d2b21e88add96b6370a68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
bd4200ccda2250120767ec48803d4705

SHA1
4d7b7dce1cfe8894a8916dc547390353825ef3e8

SHA256
b63be2f1711a6d6d6b05c6ff89c0b52f05bf597ce3b2ca106aeb15b6dc11184a

SHA512
2c36abc7fc28ab222b6140199d6fc800f8dcdb42dae5428c4267c6691d23a8b0c3fd65bc561f3d24dd8682b60d0bb4a0e9b110b86653619d6dd8dddd4fa9f9e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2cb6c5a80ed64663cbd8e7a1ddaedbda

SHA1
116f6c8ea87c4fb12e4169202ad19e2098ed7410

SHA256
bb9c7e0f7f8088fd74fdf110b43e2c4050c02a0bdafd9d88acea2b5e6baecc5a

SHA512
c222cc557ced32af8666793c754ca4d5199a72badc71f88ae113fb92d06f8077108964d50ab9eb9da3aa923e0db51b04144a2baec7dd0c51772517ce50bc0cf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b799c28960b6af2d8a196c877a671aaf

SHA1
e5a9b04eaff0807c101ef42844c610cf059f3656

SHA256
f6b55510929e9e9232f9b0d47920ecddbe8f874ea6a5f58b16771eafc1b7386a

SHA512
ce0d2bed8ca4d53bf30647e0d48c7e0aa39b92060118b21465527703796fb19fef40ef90f015cb0870b7b3d2d4e7a54e083f12108657b10935d377c13a6ab759

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
3390dab13e5d03571c69791a8e79cad0

SHA1
d1eec6d8f2f3482e50ba6c2f5a509972e94a369f

SHA256
0534df32d6ec6827523b41ba689f7a59dacbbb6c4916effb2da898838572a797

SHA512
62cb67818bc3fc3e5b6b3f88a33fb192c050154b2a0e8411634e4ff7ee86b2be23947be0b3ed2240cd4970aeedb83045ccd5469acc265c4ccb18eac7d627683a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c98369f8cf42ce8ddda9187e668a46b1

SHA1
58499283d587fa88a3e88eaf1fdd1e4f1c75543b

SHA256
b98ffbcd286daf25c7f0f52500955497ac97b54d4ac202e71e1cff18fed2a552

SHA512
f2ded0eb5910a956f0bc80df7cda9c3aa9460138f1035962f39b92a11491847c7708ffd2d38717c69005e9883062befff72508b7490685e2f44a5a37669b2aeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
9f1cbdd59ce6218b0198d618a080e323

SHA1
8a6ca30ba65c4cee09fa3465a855db9a0a6368af

SHA256
68e967bf1a4cf57e205b8cef3ed1f9709a42cc86b2f4b5e10af97e12b0fb2869

SHA512
9e665e3b4c1114918e9a61c5aac0edd238e7977ca3d40c5e4de923b3343db3d1ac66e75639cdde19df3fa6f0f3b8c74803e6dd0ca70983557cacf3fa93ed91ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
c7f5022488dc29676cd4a3e301ad6b87

SHA1
d5002f4548a976c900f112fbc5b679310db52974

SHA256
ef8affa1411283de9261a86e1ce9ce28251477e418ab1894e9b46f8e408cfc82

SHA512
40462c827b7e7c1061676d83998ea4a90b901af3d5489dc5235f1e1a9d6748fd46038d658c6b189a2cf28cbe8422a947d738ad93083ad3a3d26cc74e8915e541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
878fb32b2d66d6c7403de1a0ded63609

SHA1
3940a310eac197f19096128f80f41b2766168eeb

SHA256
39f8bad6c46c3ced5aff70850c0c2a8de2474d6cf4ebe98473190c78f3ff0b9e

SHA512
c9a77fdd93770c5a771f0aeee36f9136b838d95a146d4cb2f52e6e613e665195d6df6c0eb615675ceb17ac334a5ea92bc72e78038115838ac14028bf0aa69b1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
84072c1df003dff1ae536ed803959c9d

SHA1
3895294e745e28ae059e1e25582b38f0b932d528

SHA256
bda8aecf198a1c129f0acf8d31d832c9e496a4572fba497a7b3210a81e711e15

SHA512
d0d61875792c2ca65883151e421327c5d6a198a1edb9faa13c989d58df24e85aa0798538a341644d98b8271823c729c4b1bdcf9e598016059a7fb12eccd3c153

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
df1fa349935752f9e29341351da884c8

SHA1
d8a95e4da69f49f8c7b9dd8e3b7d6faa91a576be

SHA256
f7292fd0092311a4c04d99bcc8e977941b441c4db76dc5f3f4e65bea4e6ec976

SHA512
c5c097691fa5b286cbe7948ad02ddf08ff220394de776c55898126b8be0ec363f616c1986295b0ae3163bf36bf2a07a8289dd5785c81d53318a6a52d39868c86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
52ccd239b53cc9432ab1b4ca2df771f6

SHA1
98989caa981408f38b565b2fb0c6fd015c7b0d05

SHA256
3a01b1800466186705fc45b6f51775981aea685c14353382c994baf08a78041f

SHA512
96450683149df54db84be5d38ca2cb73cb106096f88da926db6e9a93c1de94c4093872206002f1d5f419e9037880804ab84375a698da74de3c91b205ce184533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
e858817faaae514b3f5c00447ce228aa

SHA1
0b054e095d2b13fb59df3436a8e54a6536396436

SHA256
74a708f68934ae5447161f2418b74aa1a7f90094484076a70aeb414180a474f1

SHA512
78ad6cf91f40cb61b8c8d0c67f1f1c30ad8c1eb92759b02d9278178fa95fd3697fd7fef538fe2a14350c784445a03609f48e6b59e143cf038ac1a1eed71a1f16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3dd563b2dc6cc33be816aeae891ba610

SHA1
52df04ecdf095490952d0064fadcca8c851fe202

SHA256
4f0bace929aae579a3655c75a2bc7b0e5d781036fb0cc5deb41a8b8d544d68ea

SHA512
ad18059d68d408510b357c683b6cc1af38917134241c947ca47a501d6517e3c72ae275e61f3b6dfd7cfadb50d8f78266e2cddc0782f6234ad3cdc0838e739a8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
fec0e59a4be4a0753dd6dd3fa17aa11a

SHA1
4419dea7ca74307e3df71dfb69c0a1a35a1e3eee

SHA256
01bebe7fc14add2a30a7d9b6e5f95aa25dab971a88004c7aa2027f7b898da295

SHA512
f742982228eb8a2a71327e16e4248946b79266103c7a34faef295ff82c46585cfa1f27af5bff5fa86264330534eaf779d8bc28ae4e402425248c9fedf688835f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
297d2093816f2ac0d6d5bf038af1ba8a

SHA1
71b3696ed01499a576f34b0d71ae7cd8ab73ffcf

SHA256
16509107838a975116b6b5ed1235a27e5b90eb017a5af2f16ee713829637f34b

SHA512
aa990fb0fc3658d4e07477509b2d2091984b34a9c68e2ac9cde155b6dd0b8ddaf9e419ffb77bdca1c0553fa6e33232cebedd19c3f744ac49afbc625debdc0b22

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
a822232b03b9923d27bc66f7c3c14508

SHA1
d4cfdbb36f378295c8dd802a8ce29b48c6ebe5f8

SHA256
6ca3666ea774422fcab155782d73d763df88e7e121c90e74fb23359fad0c0968

SHA512
1df417c211761aed7f724ebf19beb7c632c3500fb107de816bf37faa63c0006a2c69ff8b5dd1594526da30256e19f0634aeb2c338b07c8682b5341b0fc7ff397

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e46c6c3b97dfa972be45d679884f00bb

SHA1
8fd00eeefd9423dc9c78390f440193b0355e9522

SHA256
4143c943f9d02e2e4734a114a11b377596f3233943d35610d3eddca2fb99f95d

SHA512
89a643317b8b95e73c4cfcd91bd22c9431dac2bdff8bfd2a2898a01b61b51040038676afa748362293706388932ee2f2658f516ebb9083418bf1aea63dc94ac8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0eb087b67523af22eb2e165c7b02b91f

SHA1
bad219f16e9f72e6eccbdccff75a44a64dcdd820

SHA256
118b99d1d6c4006c4a765bb64b9067c62768887d0607f7df11e9564d48da7179

SHA512
f999ae316baacaa4b44ddf6e73183d3e5b36d9868ea1e766a920c64761efd666c137d458f9cd9d6621f66caef047fab135f9bd3086ce28dd4ee8c58e02dce001

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6ffe501d0825e120702ecabb18252ed2

SHA1
849544f483e169f8e4142a772152108f478f3ab0

SHA256
ed3afedf8fb2b059e236fd9f3b25d674577d7ad07b11456ee25ec517b1ff36f6

SHA512
be457226bed8344172b937701f16eeffc8be0d7405c06084418a4f0ff9df3d0ec474eadd6859bd62e005ef5a72d77d746990819bd7912199d6a3e2718e9c637e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1b9e5d41d75e752ec9d8c8449ed1eff2

SHA1
0b40f509d40abb8645998c861ac3594de048552f

SHA256
2f3e4b6e9373b4d3ddc5aa257dba6b329a7ef0864da57bb3dd58bf1921152d90

SHA512
2a9acb2b236130f51b01512aad0625736707a7ddbda29f5a220cb2b49772eb7f645ca4462f0a4c2187a58012dc89680c339df3a4e08fb55bcbc0d5ea72148732

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b3774ab5bb18391a8df63bb363ffa383

SHA1
8b8285d940a14f5d1f0b11a36722e654d41e64bd

SHA256
60cdd79b78b54c288b47f67e83702b9fee0a5eac3142f51fab46825c7b9ff33d

SHA512
051cfd743e3bd1f00e0729fb693efcdd394c3db24eed3336aac747e28a3af180b2a0431fe34f80cc23872362fa87f8c87d0e091f54c7ab33fc414219074a962d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
22104266737b634577c806d9eaf08e42

SHA1
70e00ce44d33685516b87e5f9bc8fac9f3cf0d0d

SHA256
8c7f00b9f2d313838614358537019132018b19dad7063dbccda30187efe57b96

SHA512
b30cf36c7ed6ac9ca4f3928bb7785b34fafb28a2da462fad612541423777710d636cc0fe2954138ae11fdd036e1278539699cc0d41a6a65f06d90feb96073fb2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
162a016032e7bc65553d07cc6243db02

SHA1
11022b00ea228370f9e65763d59c3385011ba0f6

SHA256
294e37600cac87392ad48e5aa9049e5da633641c6e7993d4688b83eefb69d54a

SHA512
8ff0ff66500c2b5d20de7274f5c325030946e08569c33d474667ba07ce89086614a8f21d8de22600f158e65dba5ddf0179109cdb1ce6ba064a0c66a3adeaf000

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6d19c3a1c261f34d537818171ff0ad2d

SHA1
1f43640a565ea101f1d6e3b2b5a1fdb33cf6672c

SHA256
a168eb535a9174c9287e9e9a1a7705833425802e6a238986af9a066a9f7d7bb9

SHA512
88ce2169ba1140d56895b1aa6c75c7880c2f4624fd3d4a2cd706af0908d58020da343833806d7f91024ed6fe81ed78fc6843d61a0730be4bd68f185e8de978bd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1a85684fc5e2290c6ad9181294cb21d7

SHA1
3e30de2eff21eb3a550ae4dc4604e9c6f04e34f0

SHA256
1e6ac14133df7525ca4eb4a3d7fc4cbdacf279b2d542f46b18a57bab5da52646

SHA512
daf11d8ac3e8e7b2a9ddfabba670c92e9cf35fd0aa32c897d6a9988b82c2c292ca1f66d6fdc2080573752b48bd6403b944a53dfd74576ccfe4ccd3be7983decc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a9ce8927c945bf9e390a2f12c7b227fa

SHA1
5eaba6b807ee9d1b1400730bd4c546d34d645ca0

SHA256
9218fbfac05f3fc19eb86a390c2a46d9b5f03ce9a93046ab221697bfdfc3e9e8

SHA512
721581fb1741cf8a8868743eeb64813dad2769aa0ce5e157aa2318571b5f59328f1e5a84c06f8907d04bb8bed2b02d474e4a5f4c34f91fb5ba27522136d86713

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
7fcc78d2631ed032fb142ca9ff6ef6de

SHA1
78be2c11b12fd87a534d9d81546c6b9b73d99154

SHA256
ffed2029f989f627dc8497d21e2d22b35bf6443388344c657c0d5b136b633063

SHA512
533aa995fbf21a9282721d01f09c32f94b3e71e451556ab5afee6c59378acd0abf1cbfc2c646c25a7a8959adcd8bdafdfdb5806f053befd81f623101f2df1183

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
13497b638df78a27951a8b2edfd77a5d

SHA1
de5e7c9bd5d1b0dee9bfed0602542056745706d3

SHA256
86d7e06143bc8412ed1904807273453bb18402bd91f406ceb0cf1c666bcdb0f6

SHA512
4ae5e2b699bcbc1481db37099836e0c5e13f720e7d0d5265dcf515d9c984c76448eeedd7743291056839b89e366e9161ea3edde50fef0b6978891dc1421627b2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
87bbc9a9a493aacd34eaf7cae23e9794

SHA1
05d0ab35d569b46f3aeffc6a3e40918839db08ce

SHA256
922601f5e3793154009f5b6222019cfd4a6fdd02c7a1a6195abd1e1832551a5e

SHA512
e093c9b89e4aa966a092ae68cfc4a4a6f4b6e4cda4b645a92fc10e854383b7037709f7df6821c8a92ed5333c718a326c85c9eab632eebc76168a5c9e3588221e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
08d47546432c95e6b29e91d26f0da000

SHA1
0e806e23fa2a55c27452c01865e26d2b9d4f4dfb

SHA256
b9963671dbecae2f8ac2a5c38051caa71316ddb4c040cf3cd8ec301eb1622fd9

SHA512
7a9b9ac66df11942b19d5785603a3eb62c4a660a9dd1086d67b3d8bb2c67c18c5b2c579316d6616bf1200a0332b23c6cba027b158d56dbe1d77fadb74dbb2d8e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
773cf523e63ca7e2559666301c2ddd2c

SHA1
921b6599a5f424b3da93da4b3bdc37746790e731

SHA256
b742d70b637a54346b84ff028af02cbcc0c44d24fab5d6a6b7422b38f632ca32

SHA512
f7bd1900d4ce0206eced63a5c083cc4bf4c36eefb8776de297bcf523ba3d434358ff9e3bc942a86197c983c5846247cb8d6db971902cebbdf33504353f11d8d9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
799f5d2857e53fb4aaf56d3651e2fa0c

SHA1
31d00cb9357dc85efd9c001eb83c66f88be48191

SHA256
bc8e446bff169a74ccd8dbe854bedc761f7a2a555b2c0274d4c961f556283c6a

SHA512
bd6e72aac87859ab79cbaba91688b71f710e60118945e05bcb0eadfa387f34aca96ef191c0ad5411e693de549fd7ae5637ace0a39321a32410e38a4b3bbac701

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e1c5d532c5a1f0d37225ea8f20b8d246

SHA1
866c49318036620e7a8f28502362dfd7e9c18937

SHA256
72fd52215d8dc7a71dece5f6e01afebf9bf4b42a8476690257e3b5cdebc63629

SHA512
b1dcf28d79d8bced81e7ea83da569ac177347d0ed83c1a1ad753037b995ba6998991e21f0174fe5ba674ebaf035b9cbc8021571a9f3f4034f004181ced8d1127

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cd6e442da951bf65a7866ec7ad21101d

SHA1
a522477d06d4dbd07ec61d49079fac11774ba2ab

SHA256
7712db6d4805beb9d23ffe9a881e43e76d266079cb2a0592fe69ff84bef38882

SHA512
f56179ff898ab60f7c67329b98af2d573d27b7f99e1887df70f2c15e4dd24d5b53261b19a4c1f67ff163962f524b333b82c654a87f21572cbf66cbb6d8dd0822

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
03962f3c2847b38a4c753e3f6638afc3

SHA1
d504799a234b68f7b65b62f97c9006e79fb42891

SHA256
462da04293f90ba5ca875cc06a525b156e5ec35557386489bfc133099cc24cb8

SHA512
42dec8719ceccb60e41bf4649b6d738f2abb95fcfda58bcba1a371f4d7d0fb8195771556aa2dcf7919b1c9f07737cf34141faaedd0f0e1afcb5ff43608daee78

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
b80eefc9156f297d321e235516ca3533

SHA1
543cb4d2397bfd27e8c484672888ceabecaa534b

SHA256
77acf33bc6ac05712902feaebd61296aaf9b17c2342284f1315eccdd565607c8

SHA512
0ed23cfcea5ff218ba1e2c2016e1e74547ebddbd46e192e23e5778c3753848962dd36e5f5bb57f074d76f62201c42a1f40dbdbf49f0dd417b597bab07fa1b3ed

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
23bb7ce22a93701ebd6477ef94911457

SHA1
8d0d25584d68d89886bd79b2409503e18cfd422b

SHA256
eb6c93c3f253b69dde28130079a2041f0bce068ac334e8438feb7c8e179bf04d

SHA512
857e47cabf4fcc0c9d0c2f09c2b17f90fcb3eccde3a1dee2565319dea072a3a97d3caba70ac7a45851eb457541212fb8d97c6bc913ef969577ca4b76497c78d2

Download Submit
memory/460-336-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/460-280-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/764-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/764-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/764-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/812-417-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/812-297-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1520-323-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1520-477-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1660-91-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1660-79-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1660-85-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2284-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2284-326-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2460-269-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2460-38-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2460-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2460-31-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2608-333-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2608-537-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2788-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2788-345-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2788-535-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2852-312-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2852-421-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2944-99-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3460-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3460-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3660-538-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3660-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3684-67-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3684-70-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3684-61-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3684-72-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3824-102-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3824-101-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3824-272-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3948-15-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3948-216-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3952-290-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3952-340-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4332-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4332-540-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4376-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4376-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4376-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4376-270-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4412-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4412-300-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4456-58-0x0000000000D50000-0x0000000000DB6000-memory.dmp

Filesize
408KB

Download
memory/4456-53-0x0000000000D50000-0x0000000000DB6000-memory.dmp

Filesize
408KB

Download
memory/4456-271-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4456-89-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4768-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4768-536-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5020-341-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5020-539-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5036-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/5036-214-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/5036-1-0x0000000000C80000-0x0000000000CE6000-memory.dmp

Filesize
408KB

Download
memory/5036-8-0x0000000000C80000-0x0000000000CE6000-memory.dmp

Filesize
408KB

Download
memory/5036-98-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download