wannacry | c6fbc650ce4d22e0e4e8443429b171be195d06958dff7e28e4671b8ac1d0b20f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2025, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Size

5.0MB
MD5

a709d7df28f649a44714d72be0a82062
SHA1

e22bca2840cae46ef9bb615c1be931e531df9f54
SHA256

c6fbc650ce4d22e0e4e8443429b171be195d06958dff7e28e4671b8ac1d0b20f
SHA512

7961125036699f546edde26f5c6a645a3a2bf01858c6dd72645dbcd687f833650bef854c59a403d14d43698a730523b145830c6ffafff650f9e4a00c9369a0bd
SSDEEP

24576:rbLgddQhfdmMSirYbcMNgef0N/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:rnAQqMSPbcBVNLNiXicJFFRGNzj3

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3316) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
1340	alg.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
4696	fxssvc.exe
1420	elevation_service.exe
5024	elevation_service.exe
2736	maintenanceservice.exe
3416	msdtc.exe
4360	OSE.EXE
4508	tasksche.exe
2864	PerceptionSimulationService.exe
1760	perfhost.exe
856	locator.exe
5084	SensorDataService.exe
2200	snmptrap.exe
3628	spectrum.exe
3084	ssh-agent.exe
2720	TieringEngineService.exe
2108	AgentService.exe
5044	vds.exe
4896	vssvc.exe
4868	wbengine.exe
1696	WmiApSrv.exe
756	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6ac1556ec1221773.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5569c90d85ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d020a91d85ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000797ae190d85ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4744	DiagnosticsHub.StandardCollector.Service.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
1420	elevation_service.exe
1420	elevation_service.exe
1420	elevation_service.exe
1420	elevation_service.exe
1420	elevation_service.exe
1420	elevation_service.exe
1420	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2280	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Token: SeAuditPrivilege	4696	fxssvc.exe
Token: SeDebugPrivilege	4744	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1420	elevation_service.exe
Token: SeRestorePrivilege	2720	TieringEngineService.exe
Token: SeManageVolumePrivilege	2720	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2108	AgentService.exe
Token: SeBackupPrivilege	4896	vssvc.exe
Token: SeRestorePrivilege	4896	vssvc.exe
Token: SeAuditPrivilege	4896	vssvc.exe
Token: SeBackupPrivilege	4868	wbengine.exe
Token: SeRestorePrivilege	4868	wbengine.exe
Token: SeSecurityPrivilege	4868	wbengine.exe
Token: 33	756	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	756	SearchIndexer.exe
Token: SeDebugPrivilege	1420	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 800	756	SearchIndexer.exe	133
PID 756 wrote to memory of 800	756	SearchIndexer.exe	133
PID 756 wrote to memory of 4700	756	SearchIndexer.exe	134
PID 756 wrote to memory of 4700	756	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2280
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3320

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5024

C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3416

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5084

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3628

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4348

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:800
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ccdaf0adf9789753510af8ca21445d71

SHA1
e1a9896ecc5a7a675c233766ae7fd712c88de55a

SHA256
6f34837d164170f35310dba43690df6efee264e4760b3c1d7596b37b6ad61bd6

SHA512
a2b0f12c40f138470450b96c538355e8fd3ed63c7c413901163f6ae363119fa4dc2973d2144b43d0785f8e6fd6cd7096eead2e3ac2b0a68bc51476ac73af57a8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fd6b5aa393a0ac0caedb782220c0946e

SHA1
5ef7c0f222c32bc4d1ad0f13f7e2ea9387d49c6a

SHA256
50daefaf7e7807060f03d6bb74f8f04aa336b5aa58a175e150cd2b4b83a933b0

SHA512
d4ed5ff735f9fbf88165567ab5c18cf40018c351499b8e901c1be2619df57aeed807f5280e623757414eeb4b7c0de86078c99fb99b3e5ea53bc66866526e6fd0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
bb5032a3e32161a67f554374352a18a0

SHA1
ab9598d0243947741e7870a69b77b3db2dedcca7

SHA256
37ed307f13f843b04122b1a21f4eeaa65b9a7cd44dbb82d13eb58197a3fb6fa5

SHA512
b7f6a772145ef70e721ed78ef93bb84c0e286700815ddedfbd32b423766ffb0fd0e1e77fc605493c516644444b972ad943656308498326e6b60879cf2cef5947

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1b29523db05726665d4946b8c2d254d2

SHA1
d5c5bd0598cbee36d60a5289f13c4dfb26d9cc1f

SHA256
1dddb595e1cbb6277fc00d5ab9974b4da4951331bd4a51df1f398761f98690fe

SHA512
38cc297603d6356adaad393df6547ef90b7598bca09792e0b4827a34fb9adb6fe9214304d4819b287b31580f00453d4f7c85ee3270058f1f67e7dfe010e4f715

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
dd18e074463723ab046216b684f07cd8

SHA1
142e7144122049d3f811ca0943768335aad8da86

SHA256
86b093159d0dd6735ba140e14c8498a74051cb58dcb5d760322d3b38cf041f5c

SHA512
ade5d2b4fd88dfbb32ec3a74b1f041d0c8fbf2d6d1c8d1bd176e7323ed5ce7b3c287d7b0a7486658953978765ec6da0905aac00cfa6aa2703ace73402747a261

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b5c93a81f57f43ee9f23db91fa44e900

SHA1
1ba2b9908c76b815f6b14c1c7ca5b5ee21f78c24

SHA256
26614f78f446c7fe97c27e736141972b378abee071d8d9b04457f1b8afe43a8e

SHA512
ef457b1dfda4c703d9755aaf29474b4709df67b60f73a334b2ac271b547e8feb12957ca4f442a944c1216e620533dc228199161c995c5d241a259b96819468e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
22b239e95ebc7ab9b634dafd2a8a6ddd

SHA1
bb8c9cfc72aaad81c0fa7348a9266cd12db196fc

SHA256
5a3b72c67af71e4008ce6b1c10791d449a223ec47fb5ea94147de382353ad225

SHA512
3d1d3b9fd0135cd7a5bb961421a26fb88dec00d163987288794d21ed906317f2c5452de6f3873f55337473668c525ffcdc9eab14cc879be10a1bfac50f096e9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bc72c41db55eaba3a0c67c76dbc384df

SHA1
068fef885077fa4ab13dec61a1bfc71fad1dbbab

SHA256
745e46a35f0f4923ea46bb74822feeb38e222306acac81657200aa749ce24691

SHA512
ae6e506c64f634e1780af5f9cdad8930a987c669ccc9e79447440f986fad9b1c35d500e3fb6cc5a46413440b03a6ee1eb5b71910b7f4157e796514b5575b5616

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
6affad6cf5f3e2cd65d459e9866dfab5

SHA1
854c4216b9f3faab797152d8fb4c7e1a69728069

SHA256
fdc3b492f14a8ba399d5249fbabec495cfcfae6b857aca973f77b679cca367c7

SHA512
9c16fd4095a95a1e411412f9c8dd5864a6d100e47e759cea1ed6e04ae2e3c4dca87d4ab323710325d114845f06da58bec75bd18d76c0dbb8664e53c7f6b7ffd8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8fac672e9ffebd9e9189ff7a078df151

SHA1
153379dffcafeca1458c485df3681637511c26d8

SHA256
88290f5e992b63f44d041486766ce28260c5e4c1358b10c3f409adc108cd2a6a

SHA512
2768a0e79b8160c429bb065fb333bd312ac8e572f62f53fce1d9c6109cd3e64616272d6f4634fdde1efb53534091f06f3bd2e10c9607ef09fbe05a979935ff89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
04d841aa41a3ca54f176d5446e4448cd

SHA1
212494beed336cfbd8ebf590ee511eb31914eeb8

SHA256
4282328d7838c69ad3132c24c33e53ed9737461ec5880a40a62a04ffefa575fc

SHA512
51f2a17908825f3e9882dca7b85dbf7bc3784167be937021061192cfe74ce2874fe6609637d9f5ba3a935a191228016313fd33d2c97d654b1ee08eebbe2b2054

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cc7b3a91a3d515b8a15be229af043cd8

SHA1
e644d3e9a88eed260132fc45d131e95c80399273

SHA256
b530c6037bbb7e75eaf55bc1191bf077e0a15cead74ee714a0782bdd7e2df67a

SHA512
adfe7126f444276997d59c50a6ee48b0735c6733e910f2d92796af92ea3aea235e0f320664a67622a488e797fc5a595b1509d9a05fc92eda99bcdd64ba7af3fc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
2d2dca99751d679e77defbf12e4e6614

SHA1
0dad169fa197d8d6709e7867a2f3412bc977c007

SHA256
5d1d20b59b61a561f32cee568c5d8c624937184724db1bd790cb30be37b96e76

SHA512
87d5cfffb226ae38237616d2b59f0f77338d4606bc972b42a2f7046e44f378a7e8e52119c5e87d6798653c4f503584ae754ee2dac751a53b0ffb22fef50e0f1e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
77fe53cbfafd1b4ee734aca67bf96327

SHA1
7423f81df8d257d4b33eb86af256c264ac29af56

SHA256
43db96293d8626f47e06d921f728035ff4f4070251f169673906ec698f1d1e93

SHA512
d58909497a611e273ecdc81a618639c0d7cf3f7318e8eaae28a5106f55a351c7cc04a0308c99d48f966c81c6af1b2721f5c7c6b482277183d14a53f86acc8aea

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f470d45cfec25dc6d0c0f8164b0c66a3

SHA1
0d2d56cf738a87afe9fc97131fc7315a35041606

SHA256
423e6a97bc6a7ab842cfb9d035a5c4ed0b507ca3e9e679653709e9d3a456c660

SHA512
8413a0f90d0e40fcddb41f97a9b51e9468cbb14419418b8387f2e76f33c3b7ffdafbaa1564c4583600f6028254d21adf702aa72920e0642cfe1401eb51e2febe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
06dc00ded9bfc11952e81a8edfd6fef2

SHA1
f6748bc1f027ad446b1e3b3eed253d06b71d61ef

SHA256
c33a93bda8e890cad96fa031504b16112aa5a84f9f5cf4b6a0f550b8fbf16aad

SHA512
81dbffc4d525ccff1aca981008348b42ee866cdea31089bea16bcdfe96578f8417640d215ebd4a3fd73fdeff96f467558f27d7923634173b3307aed0579a2ec0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
42d15793f464b5c77a2f95deaa151655

SHA1
226b4b12b3182eb97c736f13618e7ef14ad91848

SHA256
de8be74362503bd879ce9346c253d6a0e6498f1e223a42d9e3ec09365a647bdd

SHA512
954b9537192e6e574e94597e6841c2cb213411e99ae7e7f81beabd97289c69a63000fa6c8be0d5e2c9f2d99f1130a8b4e612e57ad03694d3f5848c4cfe8f052b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0ffe718030cc6bf17b45321c180c251a

SHA1
940d4741959f58dfec45c9b1ed6c7c739c3e61aa

SHA256
ad1520fe25f2033d96878004422bf64ded52653fd9e12f447a9c53e2d1ddf002

SHA512
952f28fa227049781ffea8eb63ff66f9af442b544d0ba1172b7f6248e492a13007884edc381666d1616b3dcc64c108baafbd15307c1c4381d3a3c1da0bf89f50

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
f587140e65034b85b2992f74a9619db9

SHA1
9da14842a42cd7719085f92553c945982aca7f51

SHA256
5d866ff0520ec9cac0ebc4c1cc1e849817db0e9863acd83bd78c92045241a23c

SHA512
da104ad9aee1641cbc9210d808da319d9571990e677d38b2955c689886e0b5a14fcfd7970d494caa91ba577b924b13a091b1465307a3c89a3e6ea85e4da82b89

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
bcb6cfeedfcc4f0d12fc1ab0b66ccaec

SHA1
a5d14e392bc15b168ebeedc10d34cbb66e23a806

SHA256
2cffa4b6bc451c468a53f54022dd140628bae9d4fcb0bbc177102dab78fcb94e

SHA512
fba62740e4dbdb1827c9ddb9ca307abca45fab65b5a251de34c93e829c7c0f7aa0eac019c26fe34aa2828c3d9b718a424f72fc513e4ae050b7d374731b6627d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
76390aebd225614cc6022f3688681408

SHA1
63ca045fcded7d92c01f43ba11d1854fc4e6177c

SHA256
3822f2cb851fb2fa851e270733426d6b1f84817c66b8dad737e735b224a5a82a

SHA512
b673c71f6184b3d753f2a3ad984af204ac7099cb7571dc65fcce0354c54928775b5caf4f44dc892710b9d22ba533cdbe61da7f0ef814c3f67f4215f425d54bbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
30095829548ffab4b90c84eb5391f8dd

SHA1
4dbcc7757bbf8adf062aa7a2e7abd36442c7d763

SHA256
e983e402a19b0f69c08116695ca4660505ab15ae61622ae06dbc363d70eb4ba2

SHA512
ef511b404eaeb4c3a5c999475ad6972132a83621d92d2daff3c50b01fed141d2ecc0329e7c7caa60e8a072375d958e1ba7222633bcce705065d3c255bd484879

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5f52f19209f82a28e5102054f7b411e4

SHA1
e3e981c3834ecf22414de83ff9d977635fe98ff6

SHA256
2b2442ff3fadf7922af9e9e9bc55e082836bc24ae69c7cf7cd0d7dce6ef83c27

SHA512
0ee0d39a5789e16b189bfe692a0f93fb01d07f34543629b9feaa95896efe9fb73be8d706c638348dcbc96269a77496578099fe4e06e106a3c7afaa6e2e56d8fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
068b8b3281292e20718faffff01743fc

SHA1
e9cc850db4711398600372bc9b4bc1a5524f72fd

SHA256
7a0df5addce066eb1c34a4027cfeafa7c41f0007389b8ed80be90936e9df8b09

SHA512
260cc3f4236f08084a97d9222d01c3c3ba2128671a04d66eee7721aaf799cf51e5b153486ae478ffb87f071626796114776f6121fc207d8aca0664d8df287adf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
f168d49ab9864919a7a444dd23fa3e1d

SHA1
d219c351181625b46408b2a4da1d635d4fa04fc8

SHA256
8c9e8797ca5fc5570a518c3abdd48e40d23e6ad6e534f63f1c06e4f354a4b879

SHA512
1381b1a639766f16679e1103fa25655a0422453daca3074e67b5606987041403f4299aa6c3907ca45bb544e46306c5810afdabc5224735c5a58a7b9344152c4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c5b1fabbf04024080861b3b572f63e41

SHA1
94bcdd4b10045b962d89d4296f5082b8bba512d8

SHA256
2328b3ad5daf1bc0bcfdcdaf822520023b3f748c8554abbe1a5dd3b32e478fb3

SHA512
42c1b8ec7c746831d004cf33cacd3feecd82291a0ce0653bf8de7c36360ef501dd3ba3094ceb9aceec61d2dacda1daeea4dd52b36d627f098acefbdac73de8b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e19e53a470218438bcfb8d46e41a8e29

SHA1
a1b655b28149d9350cf926131c8ea3bd51b1b5cc

SHA256
bf526a55d196517aa0283cac8181c6146e4a3d1718b315b82a853567f5b51516

SHA512
fb23fdbe30550297944dd92c5ac69a107e330e015efc942b88f54a487fe60d8df9f41e678ae887630e7c5654b86bbda048451ece384a54f518bd675cc3c16ad4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
8259fc4f0e86b4ee90f9a337f76316ac

SHA1
d4d61045264a30dba43dbe85239906216e68d398

SHA256
c0550a73e0e8643a1b1c7a3fc296f7e904495e99cbc3b970f130598f81b9fbdc

SHA512
e430ff3411805dfa96207b1c33cf995b62de25e0fd53b27217530e6703010dedf8a3f28067deaf0ea0f5776a92aceb827feabc0e435982649997871e50541238

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
06ed6f56d7a561da92a07507587b5264

SHA1
0f19e7ccc8d94dc9d7f0484d109511ea4272a461

SHA256
f911dbb5be7cc9c27b94518eb71e307e566c568e350717c0ad38f957bf141b3e

SHA512
7c8d27982ee3101e239d64ed71dde44c38b67ccc659e9243479b1117dcdec090ec5e88f6ede17aeffae6d1e91290971b635a2e4a584b12ec0791c6c6f91c5057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6812054558a605a156e7a952c2975447

SHA1
c7d62112ae6838ddbf45c2b03ac00baf278ceab1

SHA256
f7ff0997aba5fa45e634b45ae128f2ff937070893573fa82e3733ab0f3b18f81

SHA512
987ae3083c483033276e62eed27369253295c82da017df4476fe94ddbf8867b2914536bb726d66fa2d430cfe9e72db9b2ab9513dd9ef6adb86a855f507bfae55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
ba9cd6487851eff8df2b5f890f4fe396

SHA1
3b4818451662e58dd95caff4b4fbae83164a03a7

SHA256
0aecd51bb51786cdd196250a1ad77b5462ef5b88f732311a35e2a4ea83feb802

SHA512
a122710f2853d26002a6d72c70ce2df96debb5fcacd397d17ce7c39d1a578b7ef0310acf8caa6a6dd013a561eee4c2098c6144d7421ac13e46ca4406e68c0fbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e63db4a44a47cab112fe0c4f0048726b

SHA1
de9c262f05e57e619a38423b20b8d806fa65ebaa

SHA256
6754123482f5363bd6ce18063f325b23650f434f393d4b0a175c60d45e477bb4

SHA512
7ac5484ad832078ee997d5727bc92ac1891237262012cd150ae2a19c6127a666056d4142ba82a947764f557ae3ab0dfe16ebc5f74cbc424a8d9228273feedd6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
437d13ce8423774deb2dbea8b30bfb27

SHA1
1dcb118cbe621adf904361e2dcc9011e94aa3121

SHA256
04ad06783f5f31cce343d0096e61b1f6e30ee6a81ebcef325a5f30f97949062b

SHA512
43a4b635f996299580f58f05c419f5e62c2bfaf5574c0a4a1e95201c6725d244c4bbb9412da9ed9798ba9da7a1f8ed6e362e1cb894c126d48937df8b6204f58f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
c531396eea083e04ead0e27173d5de3d

SHA1
73e8d721beabefd791210a0ee859fba4f4e9cf13

SHA256
5ad8afc2be6a05dda66339d43df00ae08a1cd97b06964ca64a0ab2ddb1a3c0c2

SHA512
a451611e2554846d0d529635339c4b69ae558100b0e1e0a996e87bb09e0f269eb94abb293c251e68cc4a70f46348b1040c5c6d722e5b629a8a2ccb1a8efd26a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
6a8c4d8630df54c6801412cf6a564d8c

SHA1
142920c911d6957f4315b0ddad9d64a81e59c4a3

SHA256
070d3d87004029b60143b309e0162ab7f8e9d064a6b83d8966cbbb7e94e74154

SHA512
7c4b05aaf1380968020f354e58eee145cb0365d6ffe83f438eac6b3befcf670eb9c755028e6e4e85575a09f667cbeb83529c5b8c18495f59e33b95ff45b437cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
e577a190513ee65c527e56b781d4c4d5

SHA1
c07d01e550fd1a8b2bd7121cb75863abe12feda5

SHA256
e23d810a887c7388d51decba5476980946c8b35d82e560ad106433e127dab861

SHA512
7d3961cf6c629c63bb895d88b1953b1a8a205b1d8d2c7a6988c2ed4058de6018899ad7194fa42d5d2543e756c6bde9f0bc90b9b42836922538a2509bdd455c32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
d1b6c7054bf6920e971eb6163a35ce71

SHA1
8669f6587f90dedc8ae6f2d648aaad7800ef07be

SHA256
357421ac050b3d65695bb9c156007c74eefa7069451620137f830483669b9b47

SHA512
8859286110d260972610ceb521e2fd133826233d18c3c0be0d90f95b059580e99561edb68c427b44cff7c1af41f75c2db0f82bcca7fe4b4450872578126d95b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
bb7c9b48c814634a99b98aad648a02bd

SHA1
12f338d2572771a3035afcf2e1d288d603d5737a

SHA256
ea007c03b6b38d6e171bb7809148def2ce0242fc072f7d349b553bcf5f3bb5b2

SHA512
d715b08e583b400ccf9d73f140308d1dd3b4ceccc55336a808766f6d82d30ac7f6d6da6eb1ddbe5a60f67402607e4f00301be4da34ee61a16d2e5f4ddff51cd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
661cbf5ca770dab50e2d262ad310c453

SHA1
bab9c6425b29255d816fdbe72ab0d1cfdf3245f1

SHA256
1c4615c514cc7a4954491a646e255c95a2de9f9d2d4fcaf726ebe500308a6730

SHA512
59327eb1c512970290ca8af1885d4588a03796dc520e1a8a7669543171d8b51c5846ffb6c1375f7f5873dd471973d7741689a46a8d2e2d6cee678e98f31528dc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
30ebaec309bdc8d6cea7b5f3f8be841a

SHA1
db32ba07d4b68efb5f3b9c58b472306c56b2b6c5

SHA256
17fe8b26fbebf168c4f33b8fdcbec0217f8714fb3f16762c38d3bb6dc726d46c

SHA512
767921192dd54c3b25ddc88388c3c63355645376d72ccd7661a4777b51f8bc1fd1d50adeeb65f48155eaa4fe5ab347b8b67cc57f95e10b05f20c96647921c801

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fa98211517d9f6c93b8eaac3264e959e

SHA1
35b6de75c29452e9d5733f68cb1a449667aea799

SHA256
8373b665af046762190fa7ba2fddd0b4b21c96dcc7aa2f724970685d6eef74e5

SHA512
a487ba95eedcfdf5e8488fee78f4a5987603ea598e7856fa9241e26b24f672bf5ace7e3afdbb8c00ee9b1ca1545f435f5145bc09ca7a21231d371606f6f6a375

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6c41e3053f57fa9da71c7fca38eee332

SHA1
d430efe2e3b0e19b4235d364e92471553f378bd6

SHA256
71639f4003ecd997aacc933b5a89fc02c498501e42ca38b1c245075c7800c854

SHA512
2f6829952b22580498ea5d1e31025685a6c251c781d29a6c75c7a774c7b937345cfc16d41f88f981c01f58947a311933964fedded892d4359b0814fd9b01f0cf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d05cb616fccf86717dbb9c1bf705aece

SHA1
5163db3d8a170db686756982f2b5264236af7bf5

SHA256
776447910e287ee9dd9698655751ee51e38bdf967ed4c7aae4be49b9ebc01955

SHA512
9c4d530b65d0cb62d793440a8c7b3cf689775b71c2c43c15758ad423dc9b1861babf5dd7633c5531fe7a2e700b92acf6fd502611c45eb2c0a05760a489f9fa7f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
839c035226a82c9e80f7406db6e02e43

SHA1
60c2abd7e172ff49db01fc5f0d26fdd02d52ba65

SHA256
2e5cd7da30ccbfe12a37703f40c74b6e9923b5d0543b363510c593b03f3afcc4

SHA512
e99cfcbe02da544739e4c6ce475defd85e44daac4417a1aa10c7ee6b3d57c0df1e52c77adefb5f12f75a79dd836a41d254b1d70270f4e8b44e36706a48075576

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ac9e6dd4af4a415e29317284caf75187

SHA1
189d2d506c70e8bb7db3a5ff87520560ff5c6487

SHA256
50119802347724f30ecd2994e4c79a18b24e0a081ff29421f65348cb1676d014

SHA512
ccd07c73d7c4515f8a7c88a4997f0ba79c76e8e42139a4bc8d7b9cae56d25aab4021a2ef74292aee32ae37e1ffe35a92d6cd40690dfb7575d2f0613ca19382dd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
7c4a71bfeb1b532bf696169d65e4ac15

SHA1
ce8ef3c903253bd02b2b6221008f53d2156f0999

SHA256
1ced46c86ad26d44b9134087b88f063193b3303f345af3a90499395e48b2025f

SHA512
85c3243babcf71b04fcd299c44b8b7d9cbc3163d28a6bf0377570ed83e4cef601889b4c1a33628e9ca808160bccf35939b15ed203ab73b9558a790d219b7222d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5c81ef5df598a95f41e3b1784341d5b4

SHA1
76f02896b8b689881785df550238f111b42f4487

SHA256
0e599b65b248c3deaed1454ed1d72c520664571ad4ea71bd98f69321e7ca348a

SHA512
d66de5efeccc1378c7ca5296161916d1bc0610a33349f664455bab7be13d7791373513eadc2f83ab39e165653a73624680952eb827a942479d92655fa0c23e77

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7039fafea63a10acd73845d148ac8481

SHA1
642af6ddd1c84e9662f111f870f5da0ade6f0624

SHA256
337af73dcfb9b9173e0f7dcb58d065b8f40b46f4e71b5d8eeb03da3682a74cc0

SHA512
83966dffa4fe21bd43e44b383dee3a23cb842d3cb35b4a111793aba3efa11cdd4d2efd0ae244d66605a2af036e59897bbb7f604e3e825d994c0eea9f9e18c841

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0ca676600932e0647bf89f3441731620

SHA1
74f2a3cc36829b4aa128abccbadbbbef850a2327

SHA256
9eade238af048da506afbd5a0e14be8df4e0472a2de185fae8479f2430a963dd

SHA512
9895a3085243cf0469ee9e753bd0264878be8914230245487072b14635a16962fbe197de003fee6b18c0f6b291a70acb99fa15186603862040412aae1e2512a0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cc438c8dcc56dde29c6c2de529733fba

SHA1
9373b86f0f0c72bc697bd88939c0307580acd71a

SHA256
7ee2fb53d675372688e509e76be9ab341bd9cdabca90ee6a0f3ecd41bd88f9a0

SHA512
5e9fb5fe383862c3b9eccea999eebf36912b17ed8ccccb4f998b95cc1986262ba71bad4c44fb78839a092eae936e11eea497ee8c58a314c71f7434e12575a18c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
10dec44e248b90aea2af37c932766e60

SHA1
5aab8bc93e18c6ae12e6f150ce8b5a01072b0810

SHA256
5e3e84bc33919cc59ebd498e0e94c78b13054faa120b17ac3204388e7a8ad49d

SHA512
cd7206ab46a368f423fd868debb244da737aa24cc45ad980d74c570debef77936b7abd5f0da438ab907099a4eeca98d1ca06cce0c3ef3ffcb779ba9a1422bbdd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
995e689ae17e2b4da25bcc3c79be001c

SHA1
d2b6edd1944818688a7077b41dc2553468a35a2a

SHA256
48f468b9d1bcd666ebb7b703d17ff443007498aa22861487754b7c2086881117

SHA512
beb3bf2d278fb91b1315a7afed2f256a306af1cf5a5f95fdf4096aaf576b63d9f5cfed1a6873fda64b4a0d16a09d278cf368bf0eadd5e8672ee3f198ae50bbfc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d4a973d2627436e1dcd3b897005f6f73

SHA1
bd4aad834e0895cb727b07245cd910ed099a0833

SHA256
c60772e262dc2603775386ecc497de2555497df169c8ee93ee00236fcaefa0b4

SHA512
ea48158d773574f763aa0589453226865cef3345113a9a5017979dbc7b8752f78bb0b89ed6c509d34cf5861367f54156eb70a52b6fcb1a2f3c7b02e17f2ea19b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
0a347e53ab9a114d1899fea79b67a3a2

SHA1
2b3d80024dbbdf9e0cb7bcf74125211a143e681d

SHA256
cdd753569341f0b12b3889804a6420e62e274cf432ee7674fad0a8b769565198

SHA512
22ff7ada6c99d513da1cd03319e3f10159f401190cd73f152b2c21e775b20244de4cbe5413c3da81564a1dbf0dce2199caf8559226dbb842c78db971a42cb514

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5093ebbad37bc6abc6916138defe3bc7

SHA1
4a73636c03c68860381df835dc4a3e8801ac7abc

SHA256
bdddc5bfb53f9080ad91a5a4f0c3baf0903dbbabc402e7bec6659d1aabfd6629

SHA512
fe3f6b4a2ec6b2bd1065a25db366ee584bd86614a7f3ef7c1cdfc0eb838b922fc86c834b91cba68693cb3f7d53b63f133169952953c81f27b53e1fc822ade556

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e3253025c56eb3ac8ffa85b94936afce

SHA1
8e29e6d25d65b408cef91c78f5a212004cdb5fa1

SHA256
9bf21398cad877e7de00299868ec7a70836040b9e379710c63e710ba390e612f

SHA512
42c3d25b17450e3996351f4823f313060b3d21d742d9d656b1e345f1536aa2eee9e185889f9130ed9c73e1411bd6fac0c39c667a25624a948dfa0857e368eeb5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
cd5fe6191231ea526497b1eb9e8a6a7e

SHA1
a4a79d6a8ccbb54e394f31147039f7b07e01a5e6

SHA256
de4d2e459bcfe3423605365ba37289f98ef2fde6d4b8fd96429a06396fe4d393

SHA512
1a88876afe1b277377540f66e58989f7a6a2924dc69d12f73f975a3007aa0b27c57fe4c0ffa16618bbbe4cf40360d5577e4b723096419a0aa8a1c7658dd4a149

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1b15d225d6e4a978936cb72156bb04ea

SHA1
4f4eb59b20a886bce001ece775d179557601ea45

SHA256
b80753ede44273c399d94bf53d7e8a7cb4edb99a08fa3bb1f07d9d8481b16304

SHA512
e2dd5062274f4ccc7982328a677dc1715bb0af34154f59df8e0f67bbd14bf0121c9f55d5650b7d92bc895e4ea1910acc53ee7f9c6ba49092e96387bfec8c242f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
737867273cc0f795b96050f70337968e

SHA1
6614a0688bb673e52701e710f6814c9906996d83

SHA256
7ab05d8bfeb549d957106fa52fa30b5758cb6797539ca62301f4783bef99e4e2

SHA512
c42523c82191ce7cc024dd093ab677ce0b53db40fce86c4981c9b14bc7d6a562334a369162c2d9fb5d5074a1e290ab916b78e586aa06774baad51f83db2a4218

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
6153958e90a38624293e8c927f05939a

SHA1
db42b2475dcc51daf5a8163952ee064c34dc3264

SHA256
5ad742c2c588c5b22b45fe604292e7147e466a476b71d27d4d66dbedbce59a6b

SHA512
5d0b431ebd37d31afeb10e47dce3eb096a1024f7216aec447402869140684b978c18060e35bdbab70fabdf6468a796793cce3c2941866f22359423db969fa2e8

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a376b33169cb2bd169e62a4893d5daeb

SHA1
eaeeca0604fda0f3b45bf83d6a630402ccbe1a2d

SHA256
dbbdfc40f2228e5b1a42bc35ec6e270c927c62c129279c31710daeeb83668940

SHA512
3619c4fbd194711c7f2436ca8084416ac9bf8370eb7dfad32144ec18d44d85787fd2135538fe59141dad89e5175bf673cc89962d98515ee844a56fc36aa963ac

Download Submit
memory/756-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/756-479-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/856-342-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/856-292-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1340-108-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1340-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1420-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1420-271-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1420-31-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1420-39-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1696-344-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1696-478-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1760-282-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1760-339-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1992-57-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/1992-52-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/1992-273-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1992-60-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2108-330-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2108-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2200-299-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2200-419-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2280-79-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2280-101-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2280-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2280-6-0x00000000011B0000-0x0000000001216000-memory.dmp

Filesize
408KB

Download
memory/2280-1-0x00000000011B0000-0x0000000001216000-memory.dmp

Filesize
408KB

Download
memory/2720-474-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2720-325-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2736-76-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2736-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2736-62-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2736-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2736-69-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2864-107-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2864-110-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2864-274-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3084-457-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3084-314-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3416-93-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3628-310-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3628-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4360-82-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4360-88-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4360-100-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4696-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4696-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4744-23-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4744-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4744-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4744-109-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4868-341-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4896-335-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4896-476-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5024-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5024-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5024-272-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5024-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5044-475-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5044-332-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5084-347-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5084-477-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5084-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download