wannacry | 087756bfcf84c96dc757168b24a46f7c69ce985081b1bb8e4b96e26673331229

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
Size

5.0MB
MD5

636791c83174f3dffb8b32ec708a4ff0
SHA1

8742f643599a52bdab0df2c8bc12ba6d42c03ce9
SHA256

087756bfcf84c96dc757168b24a46f7c69ce985081b1bb8e4b96e26673331229
SHA512

feaa69148c0634231c53012c14100bdb25b25cb5eb118a044da1d4cd13ef18d4eccd8659e58384d327e957f501aff32858403b7208a7b6023bab71cde6969c4e
SSDEEP

98304:5DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HJsgKWH:5DqPe1Cxcxk3ZAEUadzR8yc4HTK

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3147) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
704	alg.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
2264	fxssvc.exe
4960	elevation_service.exe
3112	elevation_service.exe
4548	maintenanceservice.exe
4972	msdtc.exe
4196	OSE.EXE
4716	PerceptionSimulationService.exe
1628	perfhost.exe
4408	locator.exe
3880	SensorDataService.exe
1280	snmptrap.exe
3268	spectrum.exe
4768	ssh-agent.exe
4468	TieringEngineService.exe
5016	AgentService.exe
720	vds.exe
1608	vssvc.exe
1548	wbengine.exe
4688	WmiApSrv.exe
220	SearchIndexer.exe
1540	tasksche.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\39b7ed7514f51d1a.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_92078\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_92078\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e727fc730874db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f84193730874db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000756ab9730874db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0f546730874db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078fd32740874db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3208	2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
Token: SeAuditPrivilege	2264	fxssvc.exe
Token: SeRestorePrivilege	4468	TieringEngineService.exe
Token: SeManageVolumePrivilege	4468	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5016	AgentService.exe
Token: SeBackupPrivilege	1608	vssvc.exe
Token: SeRestorePrivilege	1608	vssvc.exe
Token: SeAuditPrivilege	1608	vssvc.exe
Token: SeBackupPrivilege	1548	wbengine.exe
Token: SeRestorePrivilege	1548	wbengine.exe
Token: SeSecurityPrivilege	1548	wbengine.exe
Token: 33	220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeDebugPrivilege	704	alg.exe
Token: SeDebugPrivilege	704	alg.exe
Token: SeDebugPrivilege	704	alg.exe
Token: SeDebugPrivilege	3392	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3600	220	SearchIndexer.exe	113
PID 220 wrote to memory of 3600	220	SearchIndexer.exe	113
PID 220 wrote to memory of 3924	220	SearchIndexer.exe	114
PID 220 wrote to memory of 3924	220	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3208
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:1540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3780

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Users\Admin\AppData\Local\Temp\2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-31_636791c83174f3dffb8b32ec708a4ff0_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3288

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3112

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4972

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3880

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3268

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2500

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fe3c83c72f85926d8fe19823756342a5

SHA1
b42553a8b0c758d293704531a168bc6e7c251394

SHA256
5ed8a11856cb3ddf5b3db333b4b021847a92360e6ddad01c76f12a30164c3398

SHA512
3500fbba6772db8da612dd6ee5efdff902c7b8abf7a4eec0c83779134952e33b26a6f0c9a48447ca0fdadb99f87cafe4dad3dc63c26545e7fd6838cd36d2ac88

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
237c66d8e9e10fa5785dd51ad5589282

SHA1
b30a8180f58a755bdd31433bfc171e9e4fa33e7d

SHA256
3e1a277c7a897b0825e7e0e63c68750f83450a33dd934e49762e8c75de3089d0

SHA512
5d927c7b3edd4c84ac512a33f01045da28ba999ced541d71bfb2d119fa3ae0409583fc77ae6569cd39af3c8514982369cf641d27afcd2df52ea0501d6f543465

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4e19f56fd1062080e64ed68ce48ceef4

SHA1
85d524fd82d8ccccec4cb37713131da9f90a1aaa

SHA256
d574e7741f38d475bcd32d21c4fa888cf4ca8fec9ba90c08a99575cc9373f295

SHA512
3333c279be3540fa65d5270626a34eb08db2832feec427844530efd27e5968d85ba1b17fdf9a62f83a3b06a90d808fe64da5c13abd2064dc68e819269168131c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c780f5d1b64c04182aeda0034c10a861

SHA1
74752865ef77be04f9bc688756c12c7ba2cc156d

SHA256
2de668abdfe30d06dc8ad25be84f6b6085764aa312d34b4b2f2368401c04bc07

SHA512
0f0a7547943de5d7ac88097a8241bbf3d7f960402c37ad412a58b8d729b5fc476f4f49365a145e34998551cd89c4dd5130024e15b39dccac1eb56d49873c3e79

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2b9b6fe40671731a1475aa2a5daefa93

SHA1
5080bab7d9c22f8f84b98a4e7749b76af686ea9f

SHA256
82d635710c8d941efa71ef3744f637dc4b81e4f1dccb9b3f9eb7128b7d3a8b8f

SHA512
00d019c1e3e9508bedc44f2c686fc37de7b5da0e627427d38d5a2683213d87999903c4f0382e839f96776820426eb83bfe3f6dc88e80c3192ccb3dcbdee59bec

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9b68be91af7ef4db08ea7009af67766a

SHA1
1764322991c4270e2899fdf1f08b741020c1f045

SHA256
14cf294e8d1931ce223a1ae60db3bed71567de434059cf21f9e7954c0f48dce9

SHA512
31826460b350bfc1fc2cb5ee54510f0bae004eca5500665274c50baf64294b3c9d8d850fc0be05bff4994455b20603ff1a32c9132afabe9f37569d50ce411d90

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
026de7e00a2ec2bf686ba9d6d1683976

SHA1
9e851ce8da6c70342ae9f607e62c63adba083276

SHA256
cd748382a85f3eb3db47ce986e83091966c169eab67e0e56967149983986ef7e

SHA512
e6ddb60a94bf36691e8784416b8e6ab2bfe37e62ce1930f9a0436f61f1377f8d4961cab4e3c28a939b950ed4c3b98329b6959f66a7f386586d4bda88098d9848

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f342b145eecccb8f48e2d8a2d87f66e4

SHA1
e89bf8a390d5890885226d0976df5b720deee2df

SHA256
641dea881bbb6fba03a8a7af9d45c17824777081d98f040e87875a552f4739b3

SHA512
57bae16666a38576deddf182d3045539c37aa1bc49abb55664265aafe3fe4bc606c505bcc2dfc7101285e815c1520382f19bb82f59667d62aef2e180b52d808e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d345cf39ab5c2282a8aeb60bb428362e

SHA1
26a5e203aff293b96fb574119ea3162d7fb9c993

SHA256
c125e39b8a004e0a70e0541e36a37ad311dbf2c77cce0cdd4d7c604b4b2f283e

SHA512
6e2c07cbf91766410b21f8fe8c20a7c43db35a93b2e28f14df0d2cc237751d06a46f68139b82fc6d0f620126d96cb677e5803a1a2e091c6ced332679117d4688

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
12ea1d007b49f4cab9cd29309698c73f

SHA1
07df12d72c6bd93ee0f3d842acff022cd6027b4b

SHA256
8d60f495c0943bd02a1f32edd052416fd99c5a3058172e5f7eb0dd4bd86c543b

SHA512
f6a255ee3cd7926b0c98f341d41a5108ba2e0fa83e4f2fde88f2283da2e7bbb794c395a138a61042953faa74373861b5ec1d121f2ac8d02dfe65a4c1dff8268e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
305c974ef8fa15262ba61cbc168e592d

SHA1
97a8e1c79f43d150549a9cee8e2dd4ca2a561aff

SHA256
bcac194075552814b72d8d6e3a6a9204dc908754399884422f58d6836e9d600b

SHA512
bafbe2259a6826418a8722289f10ac8f4b1b0633ab539db9d05fdec58541c5c997186e31d9fa3976e70b6a198466c39b0add204b82aa47206d97f1ecb386c22a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7c6cb76b1c80ff6f02cb27149b41e419

SHA1
d4ba7e0f69f2325f247b9cebceb276a4863ca6fe

SHA256
757d9ecbe472df552dedcc48fdb7579dd19da3fabc0f720176e37dbc6f0e66a2

SHA512
876b50c6e29260a928d23f52319f56ec46daa2e556533ae7a6d42b521f8e8281ecc34b2ac82f41ad9fd1f8602c52a8c0e29c1ce11ad653c937a6352b879636d9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4a210cd87dffff6482b76a0c8aaada69

SHA1
1fba5e5246b19905450f19c0f08d312f4f0e48da

SHA256
7a529e1f4af82cff563de67a2348794cbd4bc07a2857a0fda845d06462dc7be0

SHA512
f7274543d75f1f2c054c6994a2f424f6860f0727f43008d5ebcdd02402f47fc6c3a0586a44b77b1eaa739bc7b29514ae1d1cdae9a4ceb8e9e99536b42ec970b9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
52abce55c1aa2bd1a77f4596413bf37b

SHA1
2e0dcb4064383c0f1c82b367e0029de979f5b395

SHA256
d226eef952c4f0622888d996fecc6f1880501a317dc3b416ccb9705421511044

SHA512
8e867ac39f27d093ee9374636a03e8d2719fa0c2305a96514400f127645faa847ac58f618f385b89a98e1c07e91de934d797a13e7ba81a38326a2c04f36d79d7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f27077f398a7ed6f8dc7ff5def25e70a

SHA1
e7c7fbe2c84deb1b4f7ce1775879edcf3abf3d83

SHA256
7c14ed4a751de3c0c8c2c825e8ec1ecc6e548188be3c2127477c3d6e8902b459

SHA512
607c68ae0160523892b0cedd53a067377020a7382d0751a334312286c215a0b4179af3b417167e987d796586ff87300e71d15b926e71c2f71aa0307eb01f7afa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
11db4ff8587ab8e14ef6ee5c777f1524

SHA1
2be99d31ebe1336664c32d8f07901511fbad2c6f

SHA256
d309f3ef15009f53345d675c55ae29142cbfe32b1891d23aad99de0a73ed27f7

SHA512
a8d23e13be55c64222c3438c6a0bc91940018554282b1c6cad6a6b502632f44e3974121fa9de3dcfdf147ad85c68e3ca61d62fa391e0b97f6cbc472505e4b3d1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
782a1ad8915ced2e813b33e75f0b06e4

SHA1
7cf53516106751d5e97dc428e6c087de8ce6ee8c

SHA256
e56aee0ca7eda71e0fb6b1e8180dc6ca2dfe14d59f40be13cffc5dcdf281b457

SHA512
d0506f33dbb6cd912ef2309730e2234e3dbc9cc4a5144ef4567ab9043a1dbaae5013bd016d05f6816a33bb86e85d779e70c5177954e80477d04dea89424db766

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e80e84aa545bff065f60615bd7998679

SHA1
3b30b3374cdfae879672fa12abc954409f2846d4

SHA256
17638f18d55cd62f05a28e70c2c34f7efbfec180f09fbcac98ff54b56f6cdac9

SHA512
a7af7c69289454880627a59554bb361ddb755987988383d6e02321fbfade87af638dd7761e2eae5bbc222adaca7609929e67b611f5293e492ec70878b3b3d350

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d7076c7b68f891ea12515366845ef004

SHA1
d1edd4072584ce5dd704c67c3764c494336a9238

SHA256
5eacbfbc9d62fff9f6aa42bd70876f556b7d7adc477c26b915641b07f22cf3a8

SHA512
2ec22cbe6b4579a52829ef48ce874b5f96658bd1611732f9983d028ed1d4104e562c34b1b55a490bdc16a163bbaba0d21bcb07a5e9cc900664efead6b015a705

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c85ff4f4fbc8ac508bf61ee085add2a2

SHA1
252fc279a72bf88755a15752235fb42bc9b254d0

SHA256
61a26730d2647f38c459e1945ff89ebe545f35bd4d2a7baa7ca258010dd56778

SHA512
413a65dca66b30c652eafe56075688438982f1f674b7c477d35e9066ab86b86da834c6bda757b4a4fd0e911dd9cc9455e6ca8dfa1f1f069eb58ea79f84be3e19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
329a1455fe43ac75062a7c1291806349

SHA1
a4892d7d19c2d12e78481bd99134df523b2ee425

SHA256
a04e5cbd9f973cacc5bdade1beb54259cb4a39d5b5d75d27bd2d888eeb9a7ac1

SHA512
aaf6a1145abc0abc48382a9e1ed113e6c1c7024b39ed8f8e4367e39243642bd58c69a80a54a84926b169f961b42e23d87eb8112d2ba0bdbff22b3b09612aa190

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
70ae0b8a80c21789424b389eb4f591f8

SHA1
1ff729d8ed5d980ae11fec48130fa534558d6ec8

SHA256
9387e35ad3981d746a42295d56dfaf2364ba2000c4420c9ffedc57502fc1d7a5

SHA512
e72ff311170b67ad12523b215d1ffbf488882bdca25b9415d2d82359d998c3a130e598c6286851dca8543304183e7d093ce1c36060aaf23570a94318a2464422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7e0d69c1d242ee0c7a5e28a214f488ad

SHA1
f85a18def8faacff312dc01236f77f447eaf2f7c

SHA256
b9124020d4723964b1faaa31879e2aea4efc38e2f5dc1165a7b52b0d4cfadc95

SHA512
b9dd844731296a3255a021c30aac251dac7a36161b5a7a08602e8dcbc1b705b0a3e87f230cb13e701b0ab9b32c6e1ac998ffb9456863b1127c4634761943aa71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
85781f4ad6bb6d5f383d7774b985ad69

SHA1
c03faf5d2757f1d441200875252e8c93142e13ad

SHA256
89622732570475ab653c665dcf034c841f923663721c7fb4c2106aa8bd0af7bf

SHA512
6f1f87112c9805681654517aeca7ab97d6cfba5f92110b091b8fa6ed89e7d6473a82bb55b5806a14afbd97173de5c07864eb95cec9d617c5eff8e593a0a9ae10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a69ca7db5666ffe9bcf50ae06a52f8c9

SHA1
a0449900ab170c825c8c1487a7399a441f399d5a

SHA256
d81f75b8ab7095192df00ebaec42cd80c9c6ca855d7e80196d7c4ca15fadd8b1

SHA512
d5610bf03afdc9e00225017739ae6a9c50afe594a6bc7eb493888483f572e04a666cf87d22f8f07cd47ac4ed259c534822eb726957bb4606e55d74571e700338

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1ff2751c06667cc670b55f15f4052344

SHA1
7adbd1789ca6ad323f9d855a11a7f4cea795a252

SHA256
bfb35d998066d4a1b2ef663cc91fda8fed3f307e9af43f8eada646b19bfae517

SHA512
fb15670d903d3b0b40cf05b61c6be2ef67724b25546a8c1d47c184f498d3da054987966b464f90483c48d53b83384682bb47208ff80b124491c7bbba204b9b74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e8ee4f8558e8c9e9fa54d7e39c0892b0

SHA1
a90dff92d2c2c995a846832a234dd537531a04b3

SHA256
e07fbe1ed12b74f9e6d1f9d6b0aca20f0e0337872ca403534fc93ae54333a6a5

SHA512
9d8665c73954d34c124f45a86e3806ad646819453ea70ee04424fb0866820c023790f56255309f799c68703ae6cbd37833566853239d60996f82df9d8d8930c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
79fad00537fdfecfee0458f37e038680

SHA1
304e092308d8aab65ccad56af27b576c742e9761

SHA256
bc96fbed47a758319d76cda4b47d5f249faba991e89a8b9fd95dd5fc11cdecff

SHA512
855423477faaae072ba9caedbfdf412954146febb9c0a810913f5953e1fa1f94ebcd031566c51b435cdb3ea046e1e20d31ad9bb9cca5b7570c33551cfd59bce7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
74cf6c4e63a260c1f06d9208e5bee36d

SHA1
75caf0c666e21d85a77cec802291b020af172e6e

SHA256
f5f56a56c3167190ae04c23523c12d434289c957ab1ba7941ed0bde913ee3564

SHA512
27b3618caa420a56c6000e7d7cbc27cd6b34ea227802019a088f4b2b46c1462cd2b5a553540d41a5819edd5c027fad85b416bf600983c321eca814b48e55bb67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8d06cdda61d5a9f1a4915c9bf48fb720

SHA1
033a4e16580e50b9ac1cd8da21a6280ca28ae2df

SHA256
c09729f4d26b4335cf81651a8888eb86a0b24fb0bf9fe774ae60b72d186552e1

SHA512
e129b97869f2d92bb05657ecdac15f13a551d42ca3eb9969baaa470915fcc24fe66ea27cfc66145ce1b37538f4dbf4b5097cf9beff69cc895629a609c710cd71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
dda8458c621861d3ab49fb0778f2c300

SHA1
3dc471a47d8842847b65848e8ab8a7826636b789

SHA256
30cd6e199067bc8dc34fbf2b34b7a5081320091aca27f51ce3ca43185c563f4c

SHA512
fd95480b59f045c7138ae18ee56f5a348d4a3f37078f3ae923f4fac088e3573466437e1d5a7338383a22ddb929094366991a4b58053d9ce4f6dbc4dfbfdbffc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
823db1d1a315bcf6bed5c2874b835bee

SHA1
5886f43429a87b6a86b702ac7814d2d2c75ec2ca

SHA256
8cc1d054d0ecc782d0ac888e2de52584cd5f7e0c9d6628ee097227432b004ef2

SHA512
0ef184c2a32390f5d90d85dbd6306316c0cce79a8d45510a302db9890d69d68d7a6b6da8110792b5b97415da7f6a46d09fdc68e9ba908392cd3aa4580584ae84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
30fcc10c27dc586c8ed012f7aae3468d

SHA1
e536a69515935017a372b7a288eb6adcbdf351fb

SHA256
a514f880867a399f35ffcd29925be7109b2527e46cf09772397b568ddd8aeede

SHA512
7b9bbf52b45e60513e2f2f89def9bd6ed46f47c406c2131bf9840914b1d8909de7114c189ec39c4086d6698c6b0cadce41eadb3af3305202b34dea7ad8e93fd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ca39cd138a963386a1e980bf19036572

SHA1
c01b57a519042dd9878f2853d391d6b097dcd587

SHA256
835be3ff40068e3876c2ec5112517ff3f035d41eb48cc2bd568df79c808c81fb

SHA512
a72406292c714de92b9049d34ed7455ee6adb206d385a91f42a4b61f7be557aee8e630f7cb6a0ed8adb7f6f071f9da3ab6a90148ef9066b829d61e4ee85d8e29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6620997f253d8e2ea4900d0570446a21

SHA1
5a27847a0189d48f220e40717a6e4584370ac535

SHA256
d04010613c48ec29212aa11043d002d9db38196c938f35de3c1c0f7ec3f2285b

SHA512
bb4f8f7628956a1e89d178aeb00971eafc11a8ea7a7bb9abb83e8a24e786f66c969eaff0e450f6ac35bc5249b060d8fe52eed30010f4464a26f4c9a7c848b41e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
043f860a6d11ad9d6f39190434f0e8bc

SHA1
a3742ae44b730db030101222cbe1e55e2dc2eeb7

SHA256
5a8a2c619c922bcc3d39622e42566d2238e32902f431a212bd2689b62ad2a8a8

SHA512
65a27c693597ba33c3810ab01e7383b88abecfa0fe6df80ae675e9a007dd989baf50758a1636c0b5ec1614d6cc1e40415658f4c039fbb7f7d64ef707d42e6d8e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f3fdcad0389dcc9edc1d9ce1738b7379

SHA1
7172a601853df5b2aaa54be60a2867581b4f83e5

SHA256
f8b7f4cee05abee26a785f000d1d3147ca357fc6b880374f84c4853e331818d9

SHA512
96cabd47cfaad8428221130319143f35242ec9370098a5a2f29a8becff486ff2cb204a56e36ceec624fab0343e74ea8cca00c9b7ee3e41ea6a88b15140a5a4a5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7382debf9a216e273134614cca8d9045

SHA1
30daf2bc03ef4a49c883480f68582ce177e1a61d

SHA256
c7b54160a576cc105af07315a86e619070a63570a2e2bba7cbda21a2b1dd5650

SHA512
b1882fe38701a5985a3e7f00bd09792e937e48495ed12f447ddf8cdfc32b195dffc7039540c96b50b13a23f6c0c1c7abbe45277573f38f18e967ea383f0177e2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
485e52b26928e5ee63867c0c5df1e6e3

SHA1
5b18fc5804bda2b992d68982443ee2e28676e793

SHA256
1906d89f1b41e9f13cc9b7b590ce74f12b9ed4c3b5f2b9d003d92e15e8e55076

SHA512
a7ea9a5f976218786aa0f925f158619d1828c68985820b2fee6d939601e14498e30990e42649e1fe99bb5e4b6cf5bb506df47271d0aa7ead151522099b03f170

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cb7b3c2fb3c2c8c7e9d3c6bc593c809f

SHA1
38c3236e7b38ea2b643d8c64c73fcd5b2ccab8da

SHA256
8fcb14ff10c889485d75c0886dc3f9488d8e38f1fb2abfd2becb588a43f8f12e

SHA512
1f31fb4476a9e6f515e78104a606b0f5acedc0184d31df7fd6e048559a8657dc1997dd7fb0375cf4260bdd03b24c7725ba72e136da4a04341d1bc69997a767db

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ca3a31e09085c8c74eb57ea2c4f9a34d

SHA1
661110b4d6dcb4e6519aa09964669a0a63bae62a

SHA256
b592e796fa1b7f822ea938d389357593507b11af0632a97aff2f5fcef43e0a7a

SHA512
5d51e92a458b783705a3d4e224d7f06d0d0008d701e7990c53ca1d152025463d9f1616ce011f243305878d52819943104b49052079e8bbbf4897d0001142a4f9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8284313a1bb3b944db4f352d62db5097

SHA1
37597c5e00e185a7feb5f08dbc73a7b90c0575ab

SHA256
3916b42a7635f0ebdab4dc0effffa5f53f6dc065fe773b4f44b18a9ce985b170

SHA512
931395af5042cb1ee83be3cf8528d15961cf7db3b5acd2a1c3edcc464c9e8d8adf87db1ec3a5dfc241c73ef66c98897eb4067140b6468b092860b3b0f7d69b37

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
43a681f990da691a7ae5c487d4411d6d

SHA1
17048cb069405c235f2029dde3014dddcac5bea2

SHA256
991c7cec7c61cd98637010f2101e2ba0bc14d85e7ee91580ae5869be0cd4c5e3

SHA512
f0c892115428833f7975ad6b906ea4c8675575a4793b324662e79dcf724f5e580e94cc1fdc1d59e422a2e7a5a51553f4f30a49fb9d8ff7d1744ef6f03e6f11fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
13c3ae8845350289f88bdf4dd7cc9715

SHA1
4238b345c580d05de83dfcf1075ed8bb499f9fb7

SHA256
5565dbb61a2b099b6b5e41c36efe246ce704f3ff5bd6f36fcaea9723d190f811

SHA512
b5e5a67a7225310e92aa02f612634a6da50271e202077a68cd62ac59f84e2bad81e6d2dfd8ae200a6ad0786f717f8daeade3c3b9c260fd49eceb0c90b855de32

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e84f98ae04b8c7b8792dcb03368657e2

SHA1
a00a1942f312a7bcc683e48bd76c06fdb341e64b

SHA256
4d26e3f69f7e686de8a0bdf6e499759ada1eb027cc6d07465ab3d797aaac3712

SHA512
34faf5a11e90cc660984d273a9d3ca00ea2e7a43cf61cc898296324aac05acfb9d2f8cacf6a0c1664599f78d85df6ba218b1b001f8ba87aeac98497a38d61892

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
baa5298881bdd533ebd6fbc5e6fab0cd

SHA1
51877fde5aa4dc6f4cf4dbfe3fe09d0fc5a7df35

SHA256
6182377176d330c2b962ce44901edcd7a6e30618c9dee8d7b1a2f9ba36116444

SHA512
5ffc8f2b3025e6264b3621da4cac09da1f7c00cd11fccde6b397b268782edf6ec3302915f72ecfcd2999e75d04726fe9ed63f70d8e55991afbb09641e5fa0550

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
205728a60f6024fadf456b8d7fa1e85b

SHA1
309e9ade798bc6e954751821703663834d092021

SHA256
c5d3c27048eef681c75f97742c60ddfe254c38cd2a59a12712fc0861d806d6f6

SHA512
ae4ace218cafb21d478be1c9308b50851807cf7b36a137b1cb65aa67a62e3c1b9a1885d0e276eb3014249c000df1a9a935a1a2b6924701d82fdc8ba218934c68

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6de580845f2b8e4f449e81104041ea7b

SHA1
e85dddf928795c15b4c3d68dda9f66e90eca66cb

SHA256
eda593c878af25c69a4f5825215319dab77febff727af84eaa58e137c6cfbb36

SHA512
8dbfb4610da1142d1c418841f6e8b7e36ebd60db7e8d68f681e3043b9a0be2b462b28b005dd3a3c900e7f7f9ead835f63f17461999a98560767dcf27b2340323

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
82087d481883cc92f90021c7cbe28ea7

SHA1
43b00d17a9e4262c1f4e36d39c9f68867c508f2b

SHA256
9daa5c3a6ebbe976deef985ed2209ecabee9fd6990422a6f250c8dbbc642fb4c

SHA512
013bb03d7ce1ba96098f1847f595799e9e2be0f1a242c7ca187d30a4bf3ce70a12ada73e7221b0130b3999d38e4019b5f075dc8048cb7089a8607d3f318a89cd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0ab28731675248858736630146506806

SHA1
0498a6c1caeccc87e4a3c13df726f6530078703d

SHA256
bfcc5680642b82d6a3b330d1133eb0a5ea9183183d65e372f4daf920248d9d0b

SHA512
d5544dc12204ae165f2d6a3f0fd98723f39c0e52da34180e78646f9d2b936c59e4c4dfa9ebeb99c6908aa9e32226d0110137d007622889fa0a4b57d16e89a735

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
63504a4ba61b6b5007e19feb6e5b73a0

SHA1
79aab14f31aeacb6fecc1ef58aa652ff35335fb9

SHA256
4ef3669afeab1180c8fa530f5712df93aac4c16f75b819221173dffdb5bb5234

SHA512
3474779fce57c34d63bef38314f8042bb6d5e435cf6ee5b2b831ea48b3897d470ce4a9d241c5471be71496ba255aedcc904b0d7e6f48efa87608278f4aadea85

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
74f7b55c706b6eb70deae3df28341ee2

SHA1
b3d0d1e6993ab39e156fbdce891ce36fdee676bc

SHA256
e84f367616cfa82c940f2ca26e79c128b31a09381fe9b2700eceb8893987b268

SHA512
06472624ed4a9a8cf57c326c9a20551e82ca187c1a077cacafc1d20281b178b6b830975677fc5b695d97fbaf4cba3c2301179af7a90cf7cd519ef08a79aef98e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8ed745b69c3d2e864db8a274322615aa

SHA1
ba81b060c9d92fd90b0f3098a264822e3d04d049

SHA256
f3bf4127216bcbe6f7203fc54df818355921f4480e079d43d38e672abc10b5ba

SHA512
4e285d57602b2dd0ae999c6c66890593d3a9e4030a7f4ae98055920d546bf47daa1ce01cebe764b5d859ae05a99b5a793e6fc279cc3a4ae382b18db7e5bc3051

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bf6f05e31c55e5bea69c70936d1f5864

SHA1
24904a15b83296963e336f5230ee0ccee24efe1a

SHA256
3221c90714b3cd952141e448032f95b6e3a67ef26b541ee4d476348b9dda8d22

SHA512
5533f7ce4ed1af564c4905f6c221cf012f2f118276336e4d61a78d870b5d40d88fb73d26d17bab52fffb5d687bb0df42e9809702cc3f7b4a4f7649764df65c49

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f06e9f877a826d9c878d01812daf6073

SHA1
53c86ae377de8e0f27d467e25952ed9b500e6bd3

SHA256
853e86adbe638c3c695b92e76a3988c5779b0cfe24bbf458ecbc1e6d59865c9f

SHA512
9b468ddf663068589b8effcaca2afe9a62542917754cb533a2a348c8d60dc40d0d90052605cba61575fe97fc770682a6a5afbd0ce9df7ca7f1673ee40567120b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
44647b8c2d963a730c55e5ae6d5cfe72

SHA1
48c065cc4952ca177985f44ec3448883ef81330d

SHA256
9bbd8b9cd5362705e41e0e833c9132a77c3d42fb032dde56513b5645322deaf9

SHA512
f584fd87c1c507848bc9d751ac48b7ec3991646b9b9517b56c7062dfc996520108ff0e0dba850daa7a4d5644050de0632fac1a196cab52c25a64fddc7840a070

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bbad57de1fd66e63f7e6e78b0c6e6222

SHA1
9585830a5399147a873e909c9914ab198a0c1119

SHA256
05853c6ea1ac2f387ef1e176f2af3d3d761911fb0cc62eca1464f0800ceac4c5

SHA512
394fe0d70e134c3fa8b8b3e54575648b9440dcd3ea95d03197d57c45c8dbd13e94c72faefdcc45656bf1c875f16c001cb5b78a0e8802705c67df354fe93766e0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
fe295b91d78b89d9f08fdc1b32bebada

SHA1
4e7770a838135484df091c7f2ba13ee32818f5bc

SHA256
2960368591ed99175d23f589f5bee53a0f9e3b43ad1c822064b52c1caadeb335

SHA512
cdc7051ec58b793801abad5c5ad696133f518b3532da2450fc3c72c4f9e9620e0c85c52fbfe3515dc0ec477f72222b859fa0e02604bc932990575a2feb03321a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f4fb662da533569a7bdc7c176dd5a4d7

SHA1
813feaf393ef13a2b280c8c6eb7e6cd61be48150

SHA256
e8bc6f9d723a3d00d0c839e5ca30b87dbd18a64d9e535d2f2055f5655a6426ae

SHA512
68df93cef4ff32fe88b503ef6ae31bee2e2b3200656e72d5b30ba8ba9f2ffe88af0e4bb7d586d00377276d075ca9bb3c623b9dac00554fa5ef7c175f563546d3

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/220-327-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/220-624-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/704-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/704-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/704-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/704-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/720-319-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1280-314-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1548-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1608-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1628-311-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2264-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-38-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2264-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-44-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2264-68-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3112-91-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3112-621-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3112-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3112-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3208-418-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3208-8-0x0000000000DB0000-0x0000000000E17000-memory.dmp

Filesize
412KB

Download
memory/3208-81-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3208-1-0x0000000000DB0000-0x0000000000E17000-memory.dmp

Filesize
412KB

Download
memory/3208-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3268-316-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3288-55-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3288-47-0x0000000000C10000-0x0000000000C77000-memory.dmp

Filesize
412KB

Download
memory/3288-569-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3288-52-0x0000000000C10000-0x0000000000C77000-memory.dmp

Filesize
412KB

Download
memory/3392-371-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3392-27-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3392-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3392-35-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3880-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3880-588-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4196-328-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4408-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4468-318-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4548-89-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4548-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4548-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4548-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4688-623-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4688-326-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4716-310-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4768-317-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4960-57-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4960-63-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4960-80-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4972-622-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4972-309-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5016-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download