wannacry | 43bca15528c558874940e4fcdfb4d19c796481525f59cade709ea62f81dbcb49

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
Size

4.1MB
MD5

6c2fc86a1e1c332330a31dcedc49ba5c
SHA1

1767ed0895dfe108930b7ba9358e16888b63f77a
SHA256

43bca15528c558874940e4fcdfb4d19c796481525f59cade709ea62f81dbcb49
SHA512

c828b965413043387765bdffe222a32c82bf98f33bc23eb9eb5b836b443a6314ad0a9926b93030a87dd5a79553433b94ce4665ba68ae5bdb2bbf8c85fc6bb687
SSDEEP

49152:CnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAZJE3jM2ce:uDqPoBhz1aRxcSUDk36SAGE3Xc

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3291) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
3412	alg.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
5100	tasksche.exe
1920	elevation_service.exe
4124	fxssvc.exe
1128	elevation_service.exe
3228	maintenanceservice.exe
884	OSE.EXE
4316	msdtc.exe
1104	PerceptionSimulationService.exe
3216	perfhost.exe
4960	locator.exe
3532	SensorDataService.exe
3716	snmptrap.exe
2904	spectrum.exe
4936	ssh-agent.exe
3128	TieringEngineService.exe
4768	AgentService.exe
1960	vds.exe
4624	vssvc.exe
2468	wbengine.exe
3972	WmiApSrv.exe
4148	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\95709431e5a029dd.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{87F23B05-A117-4666-BB8C-A9C77E6BFB56}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078f9deebb464db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd20e6ebb464db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4bb21ecb464db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000701e24ecb464db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee0dd3ebb464db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed460cecb464db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3a64cecb464db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f058decb464db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3f61cecb464db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3124	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
Token: SeAuditPrivilege	4124	fxssvc.exe
Token: SeDebugPrivilege	3412	alg.exe
Token: SeDebugPrivilege	3412	alg.exe
Token: SeDebugPrivilege	3412	alg.exe
Token: SeTakeOwnershipPrivilege	1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
Token: SeRestorePrivilege	3128	TieringEngineService.exe
Token: SeManageVolumePrivilege	3128	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4768	AgentService.exe
Token: SeBackupPrivilege	4624	vssvc.exe
Token: SeRestorePrivilege	4624	vssvc.exe
Token: SeAuditPrivilege	4624	vssvc.exe
Token: SeBackupPrivilege	2468	wbengine.exe
Token: SeRestorePrivilege	2468	wbengine.exe
Token: SeSecurityPrivilege	2468	wbengine.exe
Token: 33	4148	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeDebugPrivilege	1464	2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4268	4148	SearchIndexer.exe	120
PID 4148 wrote to memory of 4268	4148	SearchIndexer.exe	120
PID 4148 wrote to memory of 3652	4148	SearchIndexer.exe	121
PID 4148 wrote to memory of 3652	4148	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3124
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:5100

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Users\Admin\AppData\Local\Temp\2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-12_6c2fc86a1e1c332330a31dcedc49ba5c_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4900

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1128

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3228

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:884

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4316

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2904

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4240

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7340feef9ee050a04136f358c9679329

SHA1
8560465792aa7206bab585c23dfcd22bbdc73395

SHA256
31abc8d1972214278299e392afade720bffc68d7187c20ec441a56797e07ce04

SHA512
cd9650e7251b9348f6695196fd5269e32417b22e1ec8c50df6f3786513fecb54122c39c02b8bf66d3c6a2f29342b7ac5b88020a591519af545518be14225a308

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
a26e3937e0d6e468ec3049a76aca9aaf

SHA1
7d292de8b29b194f7de078fd28942fdb1be25965

SHA256
5227efb2ad8d0caa24ac9ac578df2ffc63bba973318675cc7cd032d72005ddeb

SHA512
96e6dd31806312442fe4d76292737de04e1d2c8a5370e040716b2e60143993ba9bc9ad417c56edf2bfdc9cd6e14f4179ef73cb8dc45dcffcab28dd96c9a92f9f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
5ed10ee5fd0dc689b3b67867be038363

SHA1
19ea1e521be4b89275c3a45c3cdfd7ac070c7137

SHA256
1eda4abb1598b1c776ad76ea99bc89e79ac55fb7b1651d6fbdc6ae3aa71dcf57

SHA512
1b824d299da5b68df4f65516397ea69163da1aa3dbbc11c73e565f592e0e3fd2bb3bb990c2bb2391eed5e7901262b2fde984c9bfb8da41b2f5ed79b3ba128747

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d1487e3f64051c28ae034cd3fd6acc31

SHA1
7a98cc257cc7ddcecb96762da06f86ac367a3013

SHA256
af5e1a1e7b7e7442416f0b9942b852bc23aba0753a99ab1d42465201847497b6

SHA512
a3a3df874a33174cd5b1e915479b1dec04cd027f483bce8148263d98c978b07e3efd1000951f076d503b864897ab93cd2500f78619fbe1dd0f405ac222fb1e9f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
856f99834f1bacf7e3d70db62da3cdbc

SHA1
ea777b09dc3a23320c68b868400660db4239c43a

SHA256
1a957286a7b95c46172e3f2fc322bbf61f7b27afc323e4a7ad1daa54bd69ba96

SHA512
89650c55ad559f1dadfeeb9f30d88f05d4f33a145a2592ec3351a7a04a3cc2a106bc1a8aa5e212b412ed284f8d8bf95d15e4b296f935a9cd84088af999ebb99a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b2e6c38f5b89c800eb08b19c687ac0f7

SHA1
bf8900b5baa7e9ab9f63b58d6f7211ee3fbde84b

SHA256
31dd701bb2337c380add4bbdb12fcad1d7928e650f3590c64dddaa2cb86ac4a7

SHA512
ce339f274248c3574b983c2df9908e69169eda060bf60dd54c987bc612827006a5084429dcc0cfbc79c6f49907fb00ca6e8469326d92e59e7dda02a3b3835fb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
6700ec5e7b36dbd0efe6bc49d917de53

SHA1
db5e5771faee5dc8244927356d16a1a2f5c70aec

SHA256
5e1e9ded62c739e05a700eb30052d04380df36311d2c194911e3e45fcf2cbf68

SHA512
0c429135f0ef09c15e7ab94d7b34e66d87441f856dba3b760da9256250a7913833fa7de9e7f97bd27d0769e4f92a285483609e7067dff0e8df08d7ef0620acfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
65c046e13a6be5a6545e7996759a9ed8

SHA1
8ca46eeb865af6a3ba4c79cb86e97413d22d2be0

SHA256
ace29c46d604bcb5e49cd6ff1bb4c10e5ba3bf2d563905d31ab483d480e0c979

SHA512
bda08f1c6ceb455b5c40d2d7482da4ca5e9eed7a802c4f1c765cc087e264e02441f4dc150537c6c4576f7ef68304b0a004de423cbb319b79e3793479a44bb0a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
3fc4d2b38fa295645b8d143c2c6c910b

SHA1
cbfe8e07339d7abcba6c7b576d1c1a5efe6d760d

SHA256
9805aeca08edb0ac080b078f59dc828680554a7c1acc3de5e817f77fff14eb70

SHA512
04a295a011ca1c730616818237320fad72d41435dbedd0b0dca8e907d21a7d803f444be55a168821f35fe3b47ab9d56f563f8cddba56903c2862ab221e5833ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
642b3f293b8da8a8c9beb37041c22728

SHA1
3abc477c26f86d4ad410ea32a2bcccefa7c77ba5

SHA256
4f4f8ad55e4ea78e167e85067d8a2a0ce13d791cbf29be1496b83c5298302815

SHA512
76a36bd90b6038ab0ba9784c0bd03296acc70991e075379686726c6632e2c91d451d28d83d15a4367eb3799b36c93139bb7d18d227b3bb25fc588e9dc241c077

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fa51acefefba5df7c7eba7e44b1a2dc4

SHA1
4a8e7a6fd23f0184b16144d482ab072bd582ddeb

SHA256
1083e1712dfe2434411f6de7bd16ce32df44cf16837468615ad5fbe7e2b131b7

SHA512
04e2611441c0fefa6ffe5ac86843fd6a31222141451a7fc5203fd2bb5ac69938de3a3fcb88f890e0dd938426b52302a07412803497a0087b598bcbefd78ba73e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
551bd948a227eda3129765011c1aff7c

SHA1
d82b94da3a68c438a5638a25f7f54042797f9f2a

SHA256
e921efdf20a6db29eb8161a1ce6437c8662db3db0c2c50acab0cdeab55f3a330

SHA512
e2ff3c7dde455429ca921b6e4c4dc664c81ff011b76a66fe9fcfc73881f96f54d1dc59af19fe809ba3ec3e74e4d99b477a7ec64d5f76325acf2c91ea9c26c699

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
023b9b8fd8f8d33b816caedf5cf01f75

SHA1
6b241ad052dfcf239cdb471a7a12e588125c5f46

SHA256
91420661a11bbb7c01dd522fedd93f955db28cc272fd0bdc05de89dd58985739

SHA512
f64ea7ecf43236853818e4f23ddc57b3b661098ed102f6d7067fe40a7735ec261ad15ef907832c415c7f929a54eb83046f2b9daa77bbbfaa46479725145b375e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d11628748fdbb2e5a1d71310959140aa

SHA1
e2da6aa2b0de80c4c0e4d86a4cc91c30c8c54231

SHA256
24a99dbaa760a3eccdda88b5b798dc29314ba70524ec1ed135a69f62da96dae0

SHA512
56cfcc199d2a557de0c9931e5d03b005ec08e257d7eab9f5e738f6c99381725223e1d3bc32acf6fb7bb64f45b6c94a368c2333c1dc76192dbcc9e178e37a13da

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3c5be5d2eed92f44a782a7c44c5ee74d

SHA1
c811b7311aced2ca146c3ba405b914951a05a587

SHA256
00fa205af2f9aa0457384f1c71e67df9b3bb570c7e241d14ab0395b06843e146

SHA512
565f5bbf2fe7063e4614ba2acc0eb389398cbbe50e3bb9c7da785ecd1a048ba7ddf6005ec69e746ffbfefd97ffb72d89853f419a2a56ca3a3fde5f605cf069c8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
4c55bc2065263442d3f2fb04a5e317fb

SHA1
a4c9bc5381a1f80d44e0ad1fb5f403869c981178

SHA256
e68f744c8f2a1f7a7d0c9027c68e6074b4c3f2e358495e2b4e298de5225cd289

SHA512
46b220199c5f51e9a68d11f14c1495262de3d769038af72dfffd26c282d0c07c4b3b1b3ce063aa5373245d42d56c4898aa136622ae5ba1ca364cbe5478b851b0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
69ce4d08e96df97b7c32f1cf109f9ed2

SHA1
b07bacb8fc6cb638bfd631a85c9c3075860c26de

SHA256
3b6f7423347ccac2ecae0b86efa47f0b7737ca2eb54b1a3f84887c7ba8497e0b

SHA512
ac9c828f1097165bb840aedd9c4ee372492e93a410c359758cbc86578799cfc96bceeda7045af73e681285122a083cc81439dfe05d579c80d133c2806c649bdc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
ea6bacaff8c54660860f3ccc60270a9d

SHA1
bddff08c3af0f69a1750893283895bfb1c381a5d

SHA256
93e94be44b7d81c0be4ce08b214577a136895144d448e01b9cfb400223c7330a

SHA512
9096424c2c15b0803d3eb9bd5af620fce2596d421add6ddbe9c6c6c8aae0e0f8d9d113012f4419e60eccc2c204a3016a4303c4dcfcb0aae20137020996477722

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1716cd750e8789a754d414f0031b322f

SHA1
a5afd54d0237f4177c1942c9820f3f85f714b844

SHA256
98a791eeca03e14a3bc30889b54c7225a9ef27d338333db6fe806f023cfe7863

SHA512
6539b3249820f4ae5fa4b228ec04f0fe8f953d0036919d2eec67be9712afe06f326dbddc8edbd08dc1d6b31933895f910afcd87f928e53c237177bb5847dac09

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
a8a6e5e46a4272f8e2e70d1866056f9f

SHA1
7b0cdd660196b1c2643135759d033d58feaac445

SHA256
ab7b5f7d44625da587cb3d96b7f6004e577a727a0a12e091ff4d22d845b21214

SHA512
6c4f2310920e6e6f133587e178e68a2930a61bb7be30af911310cc23f8949e6eb6f1364aa4f1dee7672ce46b645e4f47e7c17ff60c872cf10d9207a44cbb15ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
c9fc4f3fdce30f46c6d40e829b3d94fe

SHA1
c71917bfd7107f42749905a0bcb57c9c1352eeec

SHA256
62af89570e570a6506ed46691f33f3ba982f6a56f85479d50cd4d6a432f086ae

SHA512
6f57167f5606256e8c323d4801a876a48fbb39f7ba21a9f287be7a72e9dd9478e44a02c2f150f0c753f4a2f4249938ba094337c28e11661df98670c20e3773e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
0be3e9f545f6ae054dd7bcb5cd93d4eb

SHA1
31c617d509ddb435842a6e5a878b0bdda74d77e2

SHA256
9e6fd265b716deff24e7a9fe9df91b011b4de01276c7856ec0c578a6ef0facdc

SHA512
64dba9e9a63e4f350138cb1b6ee517723d4eed89a3f32df720cf697a4be265b2e1b18575f7737958c7a757c2f61157e8b9cd1daf711b7b29ab3e21b5e0534027

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
c5bdded4fa194618bd3790fd6059bb42

SHA1
de81bf03abcf86267252d3bde2511fed214b1910

SHA256
0fcf7b93649996e9f3c9f6f7078ce8aa8724a432b3eb8c0f8ad639668e0bbea7

SHA512
305c80065426660a5f07a44da3b44cef8f0e6e24e0c9a4fae11f5079f9dfc782f98bed872d60ab79ebd4a6873c85382ecf274faf862d5dcd522c1cfcf377ee49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
2a2c26cde708b2db94296c4efe01242c

SHA1
930360f860f0befedd989a85ac2964130d139da0

SHA256
4dae0cb9ab182ae896668b010b315f283d040c8d52aea85bdb553ed8e7488ed8

SHA512
14021302752a491d8730d8157f646856c704bf941bd2ea010dbcd18aa5afe96e4c9819c91297b41c4fe87c13df2e018dec9a002fda7208915851bd20dbc09c06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
f0c801c22549d793bc661d4dcdfe2be5

SHA1
4445f36257cb399e49b461f6443ee9fc3586f80a

SHA256
a4ffe504a3b5977e5ddb4ce0cc48593edae8d25fdc37f23a689dde6bbe433bfa

SHA512
ccfc0d64d7d3d34e94ffe50573ef4ecb5e8b4e3db312584132b67a243d15831581af038d992ad3275479f140cbf7dd4c39ca7691af9587d41dacfb88a83c1837

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
36540908aa099ab1fb10b837eb4fbef3

SHA1
b4d77e24bd41089844595432c31026fc88ec3f15

SHA256
4f79ecb6b6e6bdf13b3a83e66d8ef8103eb24216ca1b2284f2dcbf398d059e75

SHA512
9401b25fd8d9aaa757091279ce5d5f5ab75e8cc340d8444c126d1dc9dfaab5d422e02ebb55d82cc86edd9999db7dc370b1cf84257bf5ab53b90947ec892da2de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
82bc5c846a2a3bf4e15b7ef60b721e4a

SHA1
f21c9586c50197aada7fd7734a0ff37b8a09523a

SHA256
f8a3dfd7c9ac6e08643ec32f96ad0b27878c4ac29f87c7066035dbe8ead8cddc

SHA512
4a6d598f619ae1e4507524cae0a55ed88e9e80ab619ee5164785d0b4472a69843b0f05c265318701435b5b132cca43edc03f9c70d73c98287c872f1549b100b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
60ae3d50e93fb7c35d2e0969d8551bde

SHA1
5aef367e59d9d60668f7d464c8423da4d41aba28

SHA256
73d461cb3e6e713ae1f4bbb4ceadead5702798d653a9b58e86f9285f9fac77bb

SHA512
d9326871de32ff511341589d1c38920eb85c971208da14893c61d5d4e135d762fe76cc91c04301562727fb85f28061d5f7938e88ec293f00d5875cd5e15f4fdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
862e7cbeab97a1ab8a35dc293c61dc7c

SHA1
bde26f7f8546ca9da51eda6dacd876b2646c5ee2

SHA256
5efe6304098212c40c8d13211f55316f3e83f6c93d2da9a846ae7b683066b183

SHA512
534d196ec7f759b0399780ba93e74e150f0156dd437c9a50fac30194af0c93a92d6e04a85f17f4bd152abf38b447dff5c34fab7140ca0288ba66be3dc3f427de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
2aefd713814043d249755a799b636c46

SHA1
cdcc468d1f2433f36f369ff24db49685bdc73265

SHA256
2d2883b100763c5e5f6a4cde292ef94bf0230ff07af3114f099a5cd2e63f2ad3

SHA512
089135af5d24134670470291abb770c0bf522de98b34dc58a9a508f6aa00d8dacb4dfd65a7b133d1988217ab55c9bab3e47ed2609ad7127e7b0aca8c31218083

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
05909bd0e9c4485125c40818ce38ae25

SHA1
a347600d268858d19ff204423f561f8b6ced9956

SHA256
d2595ae7ca43ce0fbf24f7bd386aa87be64ecd1aec0be9cd04dc1f9283a98272

SHA512
b1645d4657b223d37dcf59b0bc61c90bafc9430ba462ef1256484b8b602f638c4d0beaba1c73d36ba0df1b421c4ac303612e448e6612448ffedd05af1c40415a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
ee04b993cb98cae2cc8462e99d97e832

SHA1
208fd6d82bd67aa933b66bf1570740897b4b7f6a

SHA256
f2cdfb288a08f0d6544387e80beed14a7ecdab3289066acadecfc0a3a70212ed

SHA512
58fc17f53e785ff807ab4936ba04434c464b9249ef99e12ab1517a61bc60b429a8c569f2c7ecaf50b53d1ca483f332bbe875e17a101f2ea88cb30a3347924b01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
1eaab87c8b805ead85ae8f273dcadd18

SHA1
d6410210a23e402de01fcaa2dfc2975ad5c109ed

SHA256
948a81ee21850dfde2df4afdc52ad29eaf594dd97bd3f19d73c80b8d3b06ae7a

SHA512
65e28dd377adb2b861526954224b566973116aa27ab796cfd226cfe60de29f245a7bb5c9e303fae4b33f2352f9032fdf0ffd050f1826238ce7709a3cb0b73905

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
bc33b83bcb67d05c0efd097a0d284f18

SHA1
ab029553e83713b50a096d1243a629ac10d5b698

SHA256
b362907fdae55748893953f8ffae1d37bd557f63e2f7e6632d5a5afb345a1a35

SHA512
bc0f7ca64ca474c2385be65c8a0f5b82f9cb9c4930ff1cea29426dab1a64a479b897c8fe60f3dff3b815ce6769fa670c1f6437da9f8ad43fa6d78137ae419fe8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
fd85975335b43d24231689f393bb3346

SHA1
b4f43ca9ddc9dfd3fb31c85e674c3f8a45fc987a

SHA256
e41653cc8b0bd40324817a5fb2c7d76b0798e76dee5888aa444f8cc70d68edc1

SHA512
e76c62d3268ce75fe45969eb639f7c8a02b509b5b62e40eb0c613bed42485deea72e4583dd974d38286d09dd9bb621e80715b8f4fd37ddb48a0c2a03630d268e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
83ec0acdd5b9db7f75d2029fc94866c6

SHA1
3c91a38f735204616edcfc8f4ff85991bb73e1e2

SHA256
6e957b38582a91bb3afb1c2bd154c690b68ea453718e815b5546dc19e40617d8

SHA512
e9ab279a57c5494bd9e1dbbfab99d32be3bee1af34694a0f246ba21acd2bf445c26f55a256a4a72f0d43a7d57de9a758add2ad55793f796ac3ce9e832978d141

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
782d9892fcc714da30d5b19528815925

SHA1
fc718d86bc0e3dfae1c7fa49a330c09a694d71cd

SHA256
eeb67cc00e55f47e09fd00a23e6ca667e0c4f9cda1bcc6acb233627d923c25b0

SHA512
8f4ad2233329d16e2ed7bb72dc63ccd224d87bc765e4f8502244966e43f486ee268b653f2d449cad362a15013a079305d359cb81beb0ea95033d89677f8d81a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
3a1d45bb00fd856fbc194783228e34d7

SHA1
42c9c82cc9839b495f082354a0c725e9fc61fe15

SHA256
99da5b3a6c6f084fbbdf4d8f1f41c6143c10b6ad19cc588edee477840cd88ec1

SHA512
29f470762ba685fb95e2732dcd2029999bb2aa1a67ab7e96e0b378b29423645d51f399f10423eef8d9f09e1206db79a929cfdc72ae2264d3919d4e26dec47efb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
e33a3ccab8556902c9b53bab7922fbca

SHA1
262b5dd9cd36c7fb0bc46630c822b7cabe0ce499

SHA256
d8b366591c2eeea4bde89847e249bf9394efccd68af738c99b3c0c5bf9c40f37

SHA512
d7fc1f9ac077a0f0498c6b0f7fbe55270b5077877d7362ff94be83ff2eb81a7dd088d6ed7eb7e24897f8f745e161a68f263ea4124acf84f97d6d889fa971a803

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
95fa90fda3840f86bf0445c8101b0e2b

SHA1
5b7195da55195e454b3000b151f1542353427bf2

SHA256
0c10dea4daf30d4fbda60bc86a72b643d2912bf6dd4a9d4f650a8c52e853b991

SHA512
e02d306eadaf3af7f9ad0bce76db9a53ba7e0ae7b59c73575028a54fe83c13f98e0196a1c786a683164337fd6277a52716d6e47fda3e1c0f0e115dd891104e16

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
659d74f9f3abd05f39bf79309d6b69d1

SHA1
4dcbb029bde3dfbc91d1bbf57a507d2baf443761

SHA256
85096529350c694279ae8d5b4197a2ad216477e62e90de05fa92233e9d9b5840

SHA512
42705cc0eb0e08c07048b1617e82c76c162e8de0c572314636e31fea70e297a7fb7a15cb8b2edf091b2a4e75a068c4ba094f468f4c0a1f6ac5a65b93f2d5eca5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
25e608a33dac741a3161918a38328653

SHA1
b4694bba312b49b9109d4ddb209a87185a64cefe

SHA256
d5a9823803dc32e6fb5bfd30392bf0d9c58b2d459e9bd8e46b1da4b79747b348

SHA512
729da6f9b05c265c571cb16259ba172af7cb0fb5187d411a8af42c382796a89122cefcffb3c0d4d4b894783b8ae8a0d2f023d83449b0522f2b920f8f12263e1d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b8dbc72884c25ebd6d531a2aee35eeda

SHA1
e4a07c724317ecfd711d4974729032a16feec2b9

SHA256
60c00803b93c239fa9ab4258bed203bd026beb3ba239818854fc25c9f169d3a3

SHA512
0daa878ffe42cccc2220468d7fb372e1750f33811a273b97a287d818842e13de46c9d7f25205aa93d86cebbb1a179a4480c5311284ae31e5c566b8ea8938ddb0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f67524e3025ecd84b9f90ad234c6cb5e

SHA1
2d43ed6b6546e08d1a34009c0448bad2dcfcf2f4

SHA256
9d218e207461cf17d65462049eb3b32f943aaa1dc6c22077aef41d571cab144e

SHA512
6442924e3d7f612b764ba99b80f557799f65042f059215a36a255ab0853a1ef02c8dddf7491bb31c2798087c4caf6935d9660c840815ba0799a7e28a5bfe86f2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c75eea314e66f8132ada5b8caedb3fc2

SHA1
74d02e4c7300bef4f66c78e89f880876d3f1608d

SHA256
9cbddbce4659d4619fd45c5a95db798192cf485ccb7554628bf71965ab0844c0

SHA512
376672801f857b5ccd6cbbfcb9cf6318fc27f29b12955aeb65a68170d4e789d45afbbde9a4e6ed2e6eb7218e13f19aef67a0a731c0dbb9725c2e64323e87126e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
48fec0679d82e2353c8a3cc7d4f8c626

SHA1
b90a5d7f0dd2f5dedc6726c9a6441a7657cb1ded

SHA256
34be82e614c1745c307abf477169204e93693dc6a68718b67df52d5b9a9af0a1

SHA512
828dd3fae07dea80262546214348a44ed84e945aec86f7e2a3dd797a627b124f011f7fa75281d4c0e30271c4a59a28f6402e31a1ff27b2d458168d1db6ad1625

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
eb6f183444e981ce37be21c08d63c320

SHA1
3101d06c06bd04a0d884e12c18f484ccfabc5f64

SHA256
bb4c5b5340cd354ec996d1c06635858e7383c5d1320b8cf84b96533530f4a9ad

SHA512
484d690aee6db7a604a75678e708e638c26319fa71b56c52c072b6a2522ba36f873d996b16769fc137b564a3cb14b5dbe308022aa86847416568690e79f8e486

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
85ed6aa5777084aa06668757665e9129

SHA1
d31743d017fcafcd915284c8bf8902c408e57287

SHA256
0446955c1210666a3fd8ed2adf006418afe1f0f1f380bdaabca765c5d6315401

SHA512
6446c27436ce766427b90de7c73f1176f1b719eef6f6246e0998370d051c9c071b8d40a1905245cbb4913cdfa74dca4e46096a345a165e8f43868ee0d4aa8f5e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a5ff516b6e0a8a14b0536b0c88d15e93

SHA1
83115e1167a8e82de2a92d1311df0b802323a007

SHA256
fe93ab15d2e2d57d8cab335b3196c5cc9ffb69ab12e26d72c75f56f982ffb5c0

SHA512
a2cbf8964863145e37b965a1b6c7647d8a3bcc09254187e852690e6f9a226a1c4a70cf472c8d629ac0307aa40da7602cd1007d0be8e74fdc9bf448ecdc5f535c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f55567e3a04f5f2cc3fb8284ba226c7d

SHA1
8fed88ec40ed3b3eab742a94a6c428c90c253d19

SHA256
6273f0e52a33e86b9eac01e59bb16241908e5265ab3a9f055a73c923aa7ce855

SHA512
b623a6bca943ae7b5013f4cb292316f2e45df70bb52c554ac2b8e1b5091a75090c0b2e233a6fed81f63963ded3612ce224464e7d77c51e2e87de13197d204f46

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ee4d2c6e53b4798fa82de68ba977f266

SHA1
d3777709009cef91eb2ccc2828e83eef671ce32e

SHA256
dcfc9b80bdffca9faeeb8230f16ebcc31c212928bc2a57abf0c057330c22a1e2

SHA512
5b278217b7828370568987a4692cbac51bb46bd2201d54a6a00101571930d8afb15ab06b018f5f7e752cff5fc59930ebaeb18dbd925fff6900e190bbd851c475

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
07b5b53819d7f7e46c47b57aebdc3206

SHA1
6ba2b88f5b1678d19d2c0ba06e6a5e331ee57869

SHA256
5c80ccea13a85c1d14512206025340779f50ceb21198a4bceb41a5c9f07cdbd4

SHA512
6581997ff8933f6b156c5c5a141610314506b67ee102452bd1438a939bc43a52de35429c308336a9173c54b0da9aa4971ae7146785b2c85742cf7768fa0b1ab1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f98730c733fb686a71ff931ad52bb4f6

SHA1
7bc549da5c14064008c8a2daa0e94f6d8112f92d

SHA256
044c45bedd1c8da61c3f0d7ac254c6630981525c8a51486572a0327a1bc123a0

SHA512
0b574d7528b374a76620e3ed89c069402dc5641d50c634de7bd8b3b66b32f8d26f7920bbc93c9b3e8759e724dac511e20667b22130822fb2a56751215c1d4d05

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
df9d260716759f10f4319e7012ebc19b

SHA1
c3fa49827e893f885b2c85c9cf865638dc43c830

SHA256
708566d29e31b8bcb24fa9095f0908fb06494ed39d7308aa413db04e356e799b

SHA512
6c26c744fdcd06e8e83a7442088c7b58bab7f63be9531c1320a90cfad44831f32f7c17df66026c92fa45ce6a9a999e3da05f9525def435a7a254e116f276cefd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
798179e449bb46999eac147b3eaf465b

SHA1
e35a082d30f1f721effde48bb18e2294dab622a4

SHA256
0430615a98b76f179466b9a4e60ce23e53def891febe939d3e9aeb3aabb6536d

SHA512
befd6fdde1961a923773a2efcba556d9b0f95654d64b55e0475ad87212e45f307c50e4e2c35ca691919536e86b149d74350a943cd18e087c19fbb491f9235c61

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
8c6da843753f9b74fadcf5c6fe1da876

SHA1
94a29a756b6bf11b08b42ad91e6b509c1a127acc

SHA256
34cfded523222462e99398a3b8f22601d33c91abad3d1bc14de363f4deecf8d9

SHA512
de2e692b339e5e94e148db0fa8c4f35b8f5a0a924e80592a2ccb12841315685637e258fd134e691b6e38970289b06c7e847c0fa1337bb98b7494819372bb4b3b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
86b2fab8dffed4c16beaa17a92fe88ba

SHA1
3be301287bf790365472cae05daef8b85e451f40

SHA256
4f7fe61a566318e9c2fce9c9fc7485cf2227e431589932935cbc5b2c11e0bc1d

SHA512
2c430fdf597faccd41a843b5514be1d9fc7595228e8dbfc4e95b8e71884279800c92d43075c006906ac6e598d82b98c872a122e11e052ae17bf3882a7fee349c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
500b513f29cc76962b2285185116a10b

SHA1
0943ba5ee61c97ac2e359e258896a0e35dde544e

SHA256
e195687991e35b0863ec9f80dec4736ea80d62acab9c2640d54289d248b2a14d

SHA512
cfa20b20131649e7b9aaf029097dbb4ef209bfaebef89a0d5579148ed1a07a3df9667440f38831c556d63c49546c72e3053400b1835d6ffca069a9f3e8f340a0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4a569d4cd1fe1b1cadd9a16c355f77d7

SHA1
9c37bdb875cda17f737fa55393f98eda4d6de04f

SHA256
e12abe033adbbb220d6d748f010d71df7edb3ff68e62bda258b212cce009446d

SHA512
c2e03160b7eb2b0ed92faeadbd26b07e73e01454b4d7294eb86dd6ad1f902075a1015a56962c5227781bcd6669e3d252c4bdbc2ec0395ee932d6f5430b219e10

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1a5cebf682d2a82ce4cd07d5110bb186

SHA1
e5582c180c6db85b3e50e74a17d944a0d0a8bb74

SHA256
28df14d6856bb84e6150f321a669919d15968b425e264ad7d7a30088142c5b5a

SHA512
b4567aa603441cc43d8bd36c4e306d6f94bdb0156794d5c624fea8959cbca04bdbc6fd8185e0fbb2f7a71071738267ee3559aa4cf7b4201ce2538269e8a52c5f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
3233aced9279ef54267c479bba665b90

SHA1
0b2cc142386641901511269503cdf6f641fad305

SHA256
f60f8a6bcaf1384a0d6a76d3e88007a8604560b263d2b8aeee06fd74c9ee5b3b

SHA512
55f25c51ffb89d46f2a7d2ed9b67701e178bd68e74b71d757d5fa14bd9530a427104fc36116633033ead762ecf7960ab96429f5b0a085a701001c6832ba4555e

Download Submit
memory/884-116-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1104-303-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1104-403-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1128-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1128-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1128-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1128-272-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1464-266-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1464-32-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1464-24-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/1464-238-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1464-29-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/1892-42-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1892-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1892-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1920-63-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1920-55-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1920-271-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1920-61-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1960-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1960-612-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2468-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2468-614-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2904-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2904-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3124-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3124-1-0x00000000010D0000-0x0000000001137000-memory.dmp

Filesize
412KB

Download
memory/3124-9-0x00000000010D0000-0x0000000001137000-memory.dmp

Filesize
412KB

Download
memory/3124-53-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3128-576-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/3128-366-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/3216-415-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3216-306-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3228-273-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3228-88-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3228-94-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3228-109-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3412-84-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3412-19-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3412-20-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3412-12-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3412-13-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3532-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-611-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3716-340-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3716-521-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3972-615-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/3972-436-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/4124-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4124-76-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4124-122-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4124-82-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4148-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4148-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4316-280-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4316-391-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4624-613-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4624-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4768-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4768-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4936-527-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4936-362-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4960-309-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4960-435-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download