wannacry | 48a2392f271850c0e467706c315daaf8c712c45288aa42bfd60b015ea1d1f68c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2025, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
Size

5.0MB
MD5

04613c493462f140a68b2568b25cde2b
SHA1

7354f468d1c078caf65f2c6fc5cf869572ed4722
SHA256

48a2392f271850c0e467706c315daaf8c712c45288aa42bfd60b015ea1d1f68c
SHA512

2d31db50908432789f3bf17e4c599d365803443e12b02b10573894083256a77a9639eb628afde586e087b0693345a84bdc923e787eb022bd5da7178bb5182081
SSDEEP

98304:BDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HhD527BWG:BDqPe1Cxcxk3ZAEUadzR8yc4HhVQBWG

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (2882) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
5040	alg.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
1528	fxssvc.exe
4752	elevation_service.exe
2104	elevation_service.exe
216	maintenanceservice.exe
3172	msdtc.exe
2080	OSE.EXE
2188	PerceptionSimulationService.exe
3708	perfhost.exe
3168	locator.exe
2916	SensorDataService.exe
1136	snmptrap.exe
3532	spectrum.exe
4272	ssh-agent.exe
4308	TieringEngineService.exe
3316	AgentService.exe
3772	vds.exe
3184	vssvc.exe
2376	wbengine.exe
2360	WmiApSrv.exe
4672	SearchIndexer.exe
3596	tasksche.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\df631cb41b720d30.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\WINDOWS\tasksche.exe	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000041bb68c5276db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f205c28c5276db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c8a478d5276db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022b6d28c5276db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc49a98d5276db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd76348d5276db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004589668d5276db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000874e4c8d5276db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8f9d88d5276db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040d8fb8e5276db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2672	2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
Token: SeAuditPrivilege	1528	fxssvc.exe
Token: SeRestorePrivilege	4308	TieringEngineService.exe
Token: SeManageVolumePrivilege	4308	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3316	AgentService.exe
Token: SeBackupPrivilege	3184	vssvc.exe
Token: SeRestorePrivilege	3184	vssvc.exe
Token: SeAuditPrivilege	3184	vssvc.exe
Token: SeBackupPrivilege	2376	wbengine.exe
Token: SeRestorePrivilege	2376	wbengine.exe
Token: SeSecurityPrivilege	2376	wbengine.exe
Token: 33	4672	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4672	SearchIndexer.exe
Token: SeDebugPrivilege	5040	alg.exe
Token: SeDebugPrivilege	5040	alg.exe
Token: SeDebugPrivilege	5040	alg.exe
Token: SeDebugPrivilege	2316	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 1152	4672	SearchIndexer.exe	112
PID 4672 wrote to memory of 1152	4672	SearchIndexer.exe	112
PID 4672 wrote to memory of 1376	4672	SearchIndexer.exe	113
PID 4672 wrote to memory of 1376	4672	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2672
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:3596

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2372

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:216

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3172

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2916

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2488

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1152
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1376

C:\Users\Admin\AppData\Local\Temp\2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-02-03_04613c493462f140a68b2568b25cde2b_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2e2aa14e06e6505dea6f2bf6755bdddb

SHA1
d038f0daf9ba37cca786757cc30589f92fcdd70b

SHA256
66924ae0b7aa5cf462f38348e3244a23bc5c42dcbf2b7b1d3f353605f52b9cc1

SHA512
e5c4d16b506fec114826a10a701eba680677c9129203beb56c9c8a45f20ccd44121a3a343757bffa9c3cd9e86479b8d6a12c2774e6ef9e4979195cba65e5de51

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
05e6e270adffe6cfaa849bac4f679420

SHA1
3f341ad2c91e246a31835e34ef65e18b01252743

SHA256
bac8866959a98d1807695cb239657b534aea07bdc6ba827bf679a9b242a635a5

SHA512
0a641283cccec1df8c5b260b7e5e287cd30f2f768d9b7cadace86da553458343817a612ac325fc4680ec20c0e84264656bd431762e777a6d6c944bd3383e0b18

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
374591ef78648aa3c77f165ccffaf60c

SHA1
bad7dae5c14dc6926d201719e522261fc46f2038

SHA256
e62aed80b035213ebec7ae45d10cca19ff76276ce526ff329bdc153020a3c232

SHA512
a0986200d295c2efefe280349749c857b3d04e050f866830b2ff0a6e74af3c51d4ec6c341b2178f3c3a53545ff2c1c214544543dadc35532bd785490748a529f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
978eef6ba1e9f4e141f63da686573369

SHA1
01cf5c80a42069a1a490232593b6a55fac29064a

SHA256
cbc3ed474a3c88b0de98acb55078eb68ce81d4ac59644fb71a44bffc9dbdb26e

SHA512
a1d2b41a4d485860c2dca84df6dfe5e229f0eeb7e91c297a1499baee1ff3e27b2a96a66420c36809bac2dc3f93281a91d1de7c3acf3cbc5fdaff678b09d85206

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
31087a901177b19b21ee348e817a4465

SHA1
a86e0970e6f6ba2630dc5b2e9ab9b940dec5a608

SHA256
00a6f3b77af24432b231ca1f0388b5c5dafae6349d74a6efca46a04cd9533e29

SHA512
7ee2acd5231e006baabbb5427575e2baac7d46100a59d756737f30eed4dbd0406543beebdd34375a528153ce644aefa1a25659b37db34994dab86ca5a1f6951e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bda260a3bab084c0b94a955d32ee249e

SHA1
6366662ac98c42df0c44164c22fe541c24a4968e

SHA256
342e72631dc6f1191315b03dedd4c6fbb0688b0f3a99bae63e36060d4b26e863

SHA512
02811c655df52f12104d88106c73010a5763b572bdab58bf1c00e1481a9260cc33ff2deddf3205b32bc08ea00619087514c2100d61c4ac226239afbd4161b9a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
236748f2e795f9fbbf61b044dd4a8294

SHA1
e5933726f0b754887005185160c223fd70640458

SHA256
a5e2291cfefc930e8e1787a6ba0f2a02a580f837f1e301da6b5963692d6dc591

SHA512
fe8c0c8aa55cdbdcdb3f7b50dcc76da0d82c85ec82847c38cac63217f45faca85c65ab3d13f826326025d333e49c1b83774da3ad83cf93029675aa90b569d791

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ac15b9deecb1e4162f25485d34123c9d

SHA1
bc2c84358fea15e425cef1baff8baed8fed67d5d

SHA256
81aad165c09ba317a6100c7cc71f045791faf8b54c4c945f2cbfeeeccaf59513

SHA512
cb6b826c93e557dce57a93e2cdd3b858852b48ec78587c81545a5706a7a3da1bbe4cccb76d6f68ae06ca6d491a2bbed9aecb93a1b0ba70ea3e8b7a3a44cb8666

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
082f69aa0ecd88fa15c1ac99d9b9c2d6

SHA1
4f2f4e3e61f09163123d578b7af66cbbc5fc669a

SHA256
044ad1b5f17695221e2ae676000bd97b4bbd82d457ad28fd41ce5f0a82946c85

SHA512
5a9554503553519ab9fd9724473a80b6b911b8fb0541b36cb0503b41ea8895159f0566adb7a770d0c0627b721164ff88b31ba351060532fadaa16887ce188bf1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fc4d726197d8e4a578df414338725900

SHA1
57ad4c48f9e2f195dc9b3b38619d9c71039317c5

SHA256
3762da5f27ba9f8d69e35d7ac4db78f8f89890316289dbff9aeccbc942663ac8

SHA512
6b070e912209ce71b5d12363f5c788ee03be7399c15e5157ea98dc909cb8f7191595110bea7fa56c07f7df028dcbf843dc933d285aa6d84d826da23a0bc17ca9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7f04c0ac70c96ef68c0aa7ccb717f15a

SHA1
f79c94b03fb4b506fadbb46f1633a2dea1e5c822

SHA256
d0170190b153e2b10aad3040321bbc43d799bc6cae989b45915e0c33fee7f55b

SHA512
31cca8eb40c1e8a0e55d42e61a7799bd511baa7738a6820d6138421858f10ae13128e1999e63e48b4f03373f23427538984644cc2e55a13a70ec874ace544ece

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1b5243c21384e41425541add6007e37b

SHA1
88dc2e655adca885e13159b988ef861c2f26fe91

SHA256
9ac900155071b40f88fd6932b1d7a2ce57cacad3c26064f7dff53deddfc34716

SHA512
849432cb595bf9b5c3285df98fe8421da0377462cf32d724c4fc7622b60ed897fbbab1d7134f2561b43026d4d7355ae2aa3ab007d14dea0764649b89476a2e47

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
68eb20f77b90eab3dd8a17fb17ea56f1

SHA1
a68ca78865426845db74ba323a0458379c8d154c

SHA256
21c5db87148cb915e7ea24c42fa5136eadd98a2c6d9eaef337fac54b41d3b242

SHA512
275bfb8a64fd6cdf411ad9400446ced82ba77a8ff94bf4378ae3a36b5a9f78a1af8176d14c4fa3857e73697ca51e17366a2a698afa702f85bf6bd5d12c803199

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0451329d41fd55dbf5c17ed084b93cad

SHA1
689cfd2e9350cebd4a56b085eeb7a30fc7426578

SHA256
9f664c51511f20ba68cc2012ba0650865a85f03fcae6d82a88ace67a646bba6b

SHA512
75030ad2215c99de34e7f989af846c6704a978b74bb83789d4526a717e2622a7616994564d865e08714604ed95b58a1e1103f1f6a9c101ff2cd04baedb2570eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
38fcfcc95295740c7228e29cf43e56a2

SHA1
c3528660f7e0917cb69c36fd5f5e932579b97fee

SHA256
651096707a8cd7aba7f6adf951bd933eae088adb68ce88fec660b5b53794fa29

SHA512
e84c04effb27f98facb3ea9da2426d5ec6f2ab75691b65d43f034c7895bc81ccb9ae1194355bf9ba2767e03cbbe19d49fb11551128324438c87c5a1c250585b4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
529c687bf06518a519244bdbc791d42a

SHA1
c852d024c7c5f1e42cbdfa2d5eed3d4499bb401d

SHA256
46267bb244c96829ca59c9b3c78d10c1a11614838a6b4249427fcf83e9b938f4

SHA512
d02a6282203ea9f6e62ac8c8c5a32f5c2739b2208ac185a9c3540b3ccd8df62f7a9ce3de3e51a1cfa63e6b3a8d5d60705955726d7f16215f25fe5a6d17e77c2c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9bfad97b7ca79e60407a53f9f11a1ba2

SHA1
9658d6510f20e4d5ce1ee09c512e314038d8fc44

SHA256
84018e3018650b55012057aff640f5fe35e293147ebf56d48eb13f575852ce63

SHA512
8ae7737e99583cb6d749feac1a2264176c2b8b082879112b1226691150d71404a06540db62982fa3a345bca0c936188ddc91b580530eb032a655b09d169b59b9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
f4ae045d93539b1957855e66fcca9805

SHA1
825b2223e03563c67e2c07c45b50e9861bd209f7

SHA256
2df2a8e15eceb37819560c9987cff2aff2a09d79eb3e173aa24017b5154b2cbc

SHA512
5661dd868b59627fbe533e41ffdbcfdb266682024c59ad3430dce53116936255f9d74ac836033c051cb74aa0a06e219630e6d7171731555e8cee210b229ee774

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
5b1f97057d375e6859f438edeab0d8f9

SHA1
ebca83e1fcfec12649f30eda213c1542b1ba9b22

SHA256
949ada7512528444812c309bec0b973a880bd9883aa1742dc3615b043873622d

SHA512
03a5aa83ab38fecdb8a71aad1d80dcfd7511cf333f83fcbf5c437ed259fc8ca57d9bb8677820de6dbbd9925b4f8d34fd39d19285d2a439b43703ef8ef811344c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
69be60f6125a626d22db21e9ce066f66

SHA1
d3c2791b1f571afc0797ba5f867cee779f565a29

SHA256
2786213a94c93f6f62731df9013b7e797aa83bc0d3b77c6e4171dcfc321adcd1

SHA512
cf478b12b02c6f8a443df23b6d346766d8f3c78230cb27186b24ccef453a9c062e93559d75575bf6ff47b6436f8d4d4a17d18749766eb580c5ab84e759168a37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5d1576c1a61f4e51f3eb6ca107f60367

SHA1
cafaf16b18c8e3f125fbbb1b84da717038dfc439

SHA256
fda0978c1be6cecc66b2db9eb4b0d3a500734ad6dd7586d156a71d662a9de3f8

SHA512
17e08b94689d50f74a7a597b5938b54807673194169b45b621b01d27f12f074c61dcbe94bb2061e23f0a56b00c642acf91e4748f41b6f29dfd38ab4824c3e028

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
dd9592f0e200e151da7ba2238b936dd3

SHA1
709a0ddc413fadc4b26f8bb6e6f65d9d951e0a07

SHA256
8edbbefce4a8f472eb370ffeab49a125e4d73b7c61b3306986a4273b4c2f93f7

SHA512
675cea7831d7de03d59d902661b59ee6e6fc060163147afc35b69c59078e48f340576ec9772685068761c53a24b9947a2e8adbd2dee951616a2639f36e326796

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f205cb964a6bb52bb9ad40658d15b46e

SHA1
140c3e708485f6df78412901d4241277f1bd4f79

SHA256
961f3147ccd1d8f9c0b3f60639b93f46dbad5b56a6994c99273c1d864afde401

SHA512
cd9929fc2d5b37717104fa12461f4b6965624b84fbc116290da19e0646a391d3631008c907fb6eaab63439760ba154fd5f3e3087569af16a77f45c0cbd808a1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1de563cdac881ba2a26f729f5972cef0

SHA1
d973bb4c432c47fafe045d9658db193dfed35279

SHA256
b6327f313adfeaa1c40063b2e01f014b629202122447bb499ddf19a2344df402

SHA512
41c4d6a3caefdf200513ae9fe3c6bafabbbcaf9434eb3dc4df5bf2379f1d4cdf4f9d74fe0c84c0e2cc1986148888f2c7c2f8af4149ad20ad7be9bfb75ec67ef8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
fa4447cf57752f4bdc499cba86cb9963

SHA1
07c6f71821611f9168aec2195844d84e01755a7d

SHA256
cc51ea6e443075e2bf87d4b86c4704f3829c5994ece869ca04e6c744acfeb361

SHA512
17a3825c2f590292f0725252d93b7e1c9351a5d371c4eb23e99a35e5176e82e2d595ffc78e8cde2a515c310ea826166e7563259daead25fa3aab74f64b7f88ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
4087786602ecaedf6920f22dd088ccd2

SHA1
56c9b566c754b0ae404177d16248019b5b968f53

SHA256
97e732ec8779093847a8e8638b677026a3bd9d045f1459f77574b565c80c09b9

SHA512
6b3aee03fb8746ab9725d10e5d9ac714c0bb591ae68401cd6d9e19b7f6dca29ae18dd0197af63f37554c322dd97ca0e10f0c3c55bd7e5ef2d23b96d5f24546ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
65803122c10a7e62526c40d45b3cf37c

SHA1
df1197a4279a2fb6209bf864d6a3f5f821384c58

SHA256
f7e5ef5e62f56f4b78f176a9662841a2303856b049da6af7c94e0fd674460183

SHA512
151ba0beea274e6413a14144fb5884282a2ec39c25974c0e1a80228109058484c3bcdd1447020eee16f175dbbb209180c7f4c9464bff9f7f5ef083b212741b0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
1ef18477a1fa58f4f5fb0cf9ddc90f81

SHA1
182a5fe589f1a617b2c4b88fd86d5d949e224825

SHA256
bbbee58ed4a3c1ba04911b882fb5f2b4996648fdbe6b2cf2ab8451aa50d00f07

SHA512
39c09855d164eb4f6ac6cb61470888a70c08120d3fbf77cb5d505ff8910be31b74fdfe11ace6567c8e1c6edcf70543d9ae1df3c1f7c45bb018a3fd9d69fb4be2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b1c66682577453ef99e8d1b97206473e

SHA1
d0616194353689f0e0732c981af223c77a8c66f9

SHA256
0a67c206d46aaa69733d7b6b9adddd2c1c4bbca3680343b0e9530b0f1b93262b

SHA512
ed9f571ef0af67a57b43ba994730c9c6a943e915eb2c25701a7acb483900116fc60dfd18a885bacbb1afd2c6b48261c3c4a11a2ddf0c3a05a9af0e2f3fd2f0c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b4b0ca373488c43f6221bc38324401a7

SHA1
7e2e4ca619ac5b67f58f4135f56ac97c130c3cab

SHA256
048d8445d892d90c1cb7541027bebfe730c9092f22564df81ed0732e6f013933

SHA512
ab68566423e03299ab0539031007417347101e28180ce758e25d2b0efd78097de47724300aaf87711c66aea58fff27999b920f1588c5c440bb0eb83bc2f23dd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
e2f6e6d3cdcd82f640a322a00a51d1b8

SHA1
10cad43526ef9e79b7547e1d60e40b63e4d5717a

SHA256
3659a09b459e50fcf32617dcab641f613e6bb968146fe5bbd158dc610aa797c1

SHA512
db33a3b9383892ffe0928a97be008fde44dc4f831fbecb03502df2eeea6d27b9e7fa26ecbac9727b654b03dcda965e4cf98c36a4d3369a235c8e79d8bd267479

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
edd41b837c28e281a91a8a4a294a97f1

SHA1
d78ba87fc1069c925125368fd81d8b2ae757d2e6

SHA256
12819a66e9b614f30e1fbff06851e7fb11e11ce3ac5322dbb80e9ed15b20635e

SHA512
441dbcb359d21f4ddff3531d730c978fdbadf2754bd29d42276bfce0e60ef00593fe3d2e8bc3cb2d137a73985db1823a46afefb493c71514a489c92e0a9b74da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0f638bb30e89caae205238b1e7492ba0

SHA1
6e54568e147e4995f2efad852e3de8c685c19d17

SHA256
26ae7d47f5096fa0ac7e1469aa42b34cfacd4d958deae9c81584129352522148

SHA512
c8f0953ae0644ddd5c6dff09daadc4cbeb8f2fdde3f88d8ff1ef06ec07070e50d0fbea5e05a8b06531a1c0ab44ac26fc74bcf1d56de10a0ece26414ebf7c8818

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
23b3a5f1451be4af4e8e44e9eddbb9a6

SHA1
7a32a44bdfee72b3f8469bae06d4793dff0fc711

SHA256
7df541e3e3da39645b01453fc597b7d76dc66f86e777b1e26403de62d1a25c25

SHA512
40acc319ddf337857443cc53ca4dfb90d575d52443afa713f24eba01fa03a48fe8916d270329923b2b23386461eaf7c400cb9962b8da97e54877e020f29065d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
c0bfe93eb1effeeb98a15bc07ae10000

SHA1
a3b78d92a74c0a56df5d1327bd406ed7c10f7630

SHA256
289f4eeda0ed28720d8f865f4a943564ed981084cd30b3c34da879d76bb9dfae

SHA512
18e2e6d85314bd53ee4ffafd07fcba28a8f6b49f4dd3add51d06af6a106cda893e7bd42b234d4fa1e86e4a1463a31c43c3f0ef0aa13736037482d41bcb8f230d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
878e01d3c4543f26d9a351d5e4b6bf5c

SHA1
e17f1d62a03e5fd980faa432da353e29b35ed50f

SHA256
97a1f09c0244b95e58b119a73b326e2ab640c54330d4f1c95d421fc676c27941

SHA512
cd0d95c817a95563346ee54034ac8cf18ac4e3bca8ed23544ab36ee0bb187ec2d74b794c7ab4fbc5a09be939649c03d46b584663df38ab453363c299dd4728a3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a01d82db2b14808d763733aff4e7f846

SHA1
2f602844ae3f537cd0b9ba0330dfe268763b1396

SHA256
2d3b50da741f82775f6ddfc6956c94b7de47660493cf99e95c5c665508bf01e7

SHA512
a538f3d17c4a766539f1bc6a752d319d741cbb2afa9f1c8afdb53dc8bd35bf30520cbd0c36e0388a127a539bb623f249ad7bebd28c1329f259e5803a670a37f4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b68ef2b4fa569cb1368c77f2cea44cf1

SHA1
727a9a89aea58fed62ff9ad9e9794e50b9794546

SHA256
67664657ef06ec4afdb404cbb53f46d56a0c5754bec635ccb702af90cc8e703f

SHA512
25c186e5d9a42d0f938a9eb08c366cf1006adfebac58174188033fd97b70713cb80cf498c33ca3df16cf061e7ed6c1ffc9e317396a765ead8cebed024656298c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2edf89afff327c6ef907eb506e336882

SHA1
112592d1d4ed49eb2bbe97970c9dae957f8b0106

SHA256
d2de4bec45e68dac1d52d4eb6ce9a0e1e207a438ff99e3e095bc7f62ede73aab

SHA512
595c2a22b4d3cfc02dfc2859d165e490db5103822b939b9524c6514f21513b0610d94c7e635f35c9f6d078f4e4f2cbf1987ae5aefa3feb89d06765544e620a55

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d2f0ccd04a9acb17a5472f846f43533a

SHA1
ba891fdc63fc0d783549e9ca4b513cce5abc2f91

SHA256
2aada943614fed7fd9f3b8ab03f063bb16aa281d2ebcf7821d7c2e2d7a94af50

SHA512
49d4091931764400bb79f21318b71d3a9c8be34b6536cb4e4b9b1d392c710bb54b52cac20725ce4a9d85d3fab544b2f179ed33169ef414140ba359c8d21b5380

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8409571be44df6969df171154a6e0896

SHA1
96d0f596c8ab469a8253c32a08129eb0fa5ea595

SHA256
9e40c7a310cc980a6887afa15770f673cd4dd193ba01d6434ad86d54e622fdab

SHA512
44d9ba04626304f1312e3c59d669edf80c9bafcf5d27fbbb5fc178bb034de3b12bbc5cbae24ceae1bc2ff65662eeac2bcb38c3791ae0b9ebd89bc723f680b329

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e70c287df080bed6e3be6a84db639af8

SHA1
c429b6f8f4d0b0a5d90bdb34cb041e223cc7d351

SHA256
64d3780a7e1805c062d3fd80146bb998ee565c266177ab2c5b3d05d4e1e6b1b5

SHA512
f5fee6b0d3fdd787ca84bd8131bd2930c9e532a3976243901e30398ef3e4c84f2c33731f566a85f48ac32679fa72da4987c936b510b52872b4796566df4cda38

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b42c52fe1df12d1db6e43c88ac05b9e1

SHA1
e3f149cb4c91b6b58406d8ff9cf33aa9af2d868c

SHA256
c3e36e1dcc32938568f98ee3df8b028d548b1a6f55b2cad63f735ee7eba3113e

SHA512
b610a5fba12b3df89229f611be886c9e6b41ab72958f3b2a461950d442fe1f8149bdfce507892e73b1a0a9c12dd52747a0010bfe3134debd89c7f0a004d81953

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e64ab4481cb2a1c39a124d6427d326cf

SHA1
0e8952dab1ff2f334d2eed6231383f7596f37599

SHA256
4c5bf903fb0474234ad39c8b1f01b3270df1a2f3e1e4e6133ae6b3ff18e1c7a4

SHA512
5f81cc19090f2f2cd7c31a1d5fd59e9579c617da3a4d92401d8c3d2e818d72301b8a2972a00d6a3507881589effde54c1a559c23922aaeaec950b658c3986935

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d0a36a55424095b9aef6712cb56f24ce

SHA1
89e090e12bd513d84a3a800a467dc4484af88c5a

SHA256
128807c87583b6f495748ea15cbce4a3f039766e918f42596630ce524c1acf31

SHA512
2ccb74dd884c345faddc3aa30c4e77db4825025ee71ed4cec6549f73522de43886e4957dbe0858a2778df20fbfdd0f3ed1f663a6ab0756b30ac7a7280a89c52a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
73cd5a11216e2adfc9560557e8c02b69

SHA1
a1dc66b95533c663a128e57e66e36671e61c1d08

SHA256
455891e2d6d4e94b4304c3ec8a2d0657605ffe40a476b52b030660d513ae36e3

SHA512
adb3b11f28261ea8d709b21a147b64224c77c053d20bb446fc4a681581126a0d6ced6ff6f47445fb853e6dfbf622abcda5ceff01861049b770d72bd323943ad7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f58252df2c5722eb1ceea290afe2e41b

SHA1
dbf2b173da719515d224143dc0b3f07a82152a48

SHA256
71148aded4dda6c8304bc1a155ef7ee96dac59a5bbb39ea3cf7f5d77659b27d6

SHA512
264132face47029696db41d38daae9e0527a8f0f36c5ba2ea9dc3dfaac39ad000b60b94dc89be11cd8cb76d5622962592f9af026bb0af7d1eaaa06fe9f48f4ab

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
df3b23b4c1a6aee329c87ea366f7b953

SHA1
b4fbc6855f3fc6d6f8879aa5ae9f2db990733353

SHA256
13f3a92db3928cc9820b5612d9416a3c8814da68bd576136c603a1a659431e59

SHA512
48fd054d1e994262101aa2c541497b0b0e71135d8af3151d221e2567deaa2923a7184989c4c671f0602fb925467bbc08e7cab450a24f9f987905ccbffaf24ff5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a7b4038e8c62d2a731359d316570dd2b

SHA1
d7ff8dc75cb5695b9b95ab6837a9b0477d1b417b

SHA256
01d47e23b0617329992376dbe665024824653b1ca6cce5d009ad0f0f9266fde3

SHA512
24b05f25a6fea26c04965cd2b933f84612fd87599c7b13672dbc92a1a901d0a6b8b927afcc922c8e6d853af19edeac3288b05bffdfc758d424859caca310c763

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7c2c824687957a9fcbc253405227b87a

SHA1
218fdbb686fa2095c9cb63c5c75f6257ec72ec72

SHA256
ccb250c40e195b8784499c177494736d88b550168cafe052b466667827ede27d

SHA512
8abd62ad0185594bd87e1d07b81fc2ad712d6a77890801447c2e46942508b08b67350721f3778a1166033752665fd72fa0ab27d0df6f41a26137159c8114ecae

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
dbac51fdeb5e62d3fb46faaa1f4b87ca

SHA1
58f72999c1ac9b754f67637b429ebd9406ddb4ee

SHA256
35af76cf55aa74663f2ff86a5616b8e7ec3d2a52f1eb5135dbd0bcb5e47d46ee

SHA512
7b29312fd9e6aa43f49dc7706a5cdaca4fc0e4b06847578c57a0eaa7d8b5c4686303aac6b9429213c0bc85455f7d04fbf75a6970c2ac6f80f03727e9eb18e27a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2ed9592673e165df937ff89cf039de6c

SHA1
530d155385eb0e4601c58dfff42a74f840e59a31

SHA256
264dab8001f2b4ef3a1c3a91edfc229bd8509cf7a9d05fd8fabf469f48acbafa

SHA512
b684f9d01b3f8f15e09f2fc2bf97e527f53ad6372a9c1ffce0bcf12ee6f3b832727bba758dc3e5030ded03e6ac1e2db41904c866bc4f3b706728238975e760f7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fa7ecaaba014e93caed66fc7b6167e7d

SHA1
2629113c6980cfcdce0fb235d0e27bf5f3362656

SHA256
361d0d2928d11a1c202d5af2a7163adae2f3d88c66309948c654d6e0b1aba4b7

SHA512
130d71067fde910da0be6db6f2a493ef67dd8e005913eb9a51d1d614ab65926cee5319596262af229371618da4f42d3f26b5c2463e1de575f92112de011e50b5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3438f0456b39e9d61dc2d4ab7af77d8b

SHA1
9f844214ac15862676396be79bd51df97775236e

SHA256
9d1b99c1c9827820acdf5a17a36f0a1d47d67c640437dc48e6e8214070130784

SHA512
1ef2d95a460e62d471c0c934cf6063c6e441dc678a1ac6632a35cc60f3d4710a031062e314415c41363b89dd958621963c9260a5a612866fd88675624eeeddb2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
adf446fd7c3518446489d8c837fa4b0e

SHA1
823aeee5754d5036802cab8bbf297d97c2e6e181

SHA256
cb07c42b23102a3640c6bfb3dd67835e574c590daf8bd5565330330b134f4da4

SHA512
37a6161723d52fa6e0a9961bc8803b979bffdc1d3e76c4cee128a89af88374b334abb4db466578fd9d28f88e60e1e62933ae77847c21156bafb007a72d582202

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e824537d904780ca45d3632c4f630d69

SHA1
ee62057be55459e90e35b69c7cb5595118111128

SHA256
9bd228c4297734195de115eccfef9a1f42dae6bbb04bce0c46af7bf5683ce014

SHA512
6c70e31478f848f2a0e4fb38eed3c79e45f006c80b35df696f917ad16d44772d0042e73bb3d74fd9b0e4a2293461965f2f9dadfb16aaaa719ad4b7028d693893

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
f110b8e9c50075a12ff1f491d415852d

SHA1
4ff4c17440bdb291e22656c4cb3717699f793d64

SHA256
0abe91c1eca181e4668355b41e6446cebcc3c5f428d068dff0b155ae8bd298c0

SHA512
c19e573d4feb772784ce3dd57d1f58b385dec8b4e736513f6ae2da4ce5008833adb6228ceac9e6f1ed6cf11921ae684da221c3a3d46a6662aecdc0f030242842

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
14bd77ae82ed6d1f7439701df4d1cedd

SHA1
0dbba65f193e1c22c271b8c47749e815d6d17143

SHA256
01112585dd91919935eb1b39872b2fca4a3bf5e0fb2f67c269cf31a93dad04ee

SHA512
bae43f56c3e013aa97b9910d4728b86a4b7167386178a9620c6ccc59fca98dcce0248c27d69c1dc0c4e16539dc96e1ee884a15b2cf0998bc06a8120d0649d201

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/216-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/216-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/216-87-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/216-74-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/216-80-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1136-329-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1136-163-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1528-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1528-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1528-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1528-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1528-48-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2080-106-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2080-217-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2104-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2104-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2104-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2104-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2188-229-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2188-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-117-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2316-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2316-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2316-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2360-262-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-527-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2376-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2376-523-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2672-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2672-84-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2672-8-0x0000000001030000-0x0000000001097000-memory.dmp

Filesize
412KB

Download
memory/2672-1-0x0000000001030000-0x0000000001097000-memory.dmp

Filesize
412KB

Download
memory/2672-556-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2916-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2916-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2916-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3168-133-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3168-253-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3172-92-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3172-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3172-202-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3184-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3184-521-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3316-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3316-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3532-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3532-360-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3708-241-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3708-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3772-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3772-483-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4272-387-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4272-179-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4308-433-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4308-193-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4672-540-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4672-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4752-52-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4752-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4752-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4752-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5040-90-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5040-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5040-21-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5040-12-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5096-535-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/5096-583-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download