wannacry | 04aba9d9010b4b111bd27e9272cf00a7acba3e1070e4bc2be1ff2508273c13b5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Size

5.0MB
MD5

09fc4a868fabcda73a9dcc5c4de8e430
SHA1

697fc70dc34afa26cef69703bb590530ea876261
SHA256

04aba9d9010b4b111bd27e9272cf00a7acba3e1070e4bc2be1ff2508273c13b5
SHA512

2bbe726a66516c4ff107cb7b8e45c8bd8f9ce5d30f8f73d9f43ffb79e0f5afe672ff3e44b7b2274d98ea051443b4d1cffac4d28b0f32e4bebf1e2cc9ea16426b
SSDEEP

98304:tDqPoBhz1aRxcSUDk36SAEdhvxWa9P593u7wRGpj3:tDqPe1Cxcxk3ZAEUadzCF9

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3160) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
5880	alg.exe
3560	DiagnosticsHub.StandardCollector.Service.exe
1612	fxssvc.exe
3288	elevation_service.exe
5856	tasksche.exe
4536	elevation_service.exe
4584	maintenanceservice.exe
1000	OSE.EXE
5032	msdtc.exe
5536	PerceptionSimulationService.exe
2388	perfhost.exe
4344	locator.exe
860	SensorDataService.exe
4704	snmptrap.exe
1852	spectrum.exe
2404	ssh-agent.exe
780	TieringEngineService.exe
5152	AgentService.exe
1204	vds.exe
4372	vssvc.exe
3948	wbengine.exe
4596	WmiApSrv.exe
3824	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8b501b5f89f5d741.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nmhproxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c98bc30cc79ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e853f0dc79ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b93090cc79ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ca2790cc79ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007bcf10bc79ddb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076073e0cc79ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3560	DiagnosticsHub.StandardCollector.Service.exe
3560	DiagnosticsHub.StandardCollector.Service.exe
3560	DiagnosticsHub.StandardCollector.Service.exe
3560	DiagnosticsHub.StandardCollector.Service.exe
3560	DiagnosticsHub.StandardCollector.Service.exe
3560	DiagnosticsHub.StandardCollector.Service.exe
3560	DiagnosticsHub.StandardCollector.Service.exe
1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3188	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Token: SeAuditPrivilege	1612	fxssvc.exe
Token: SeDebugPrivilege	3560	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Token: SeRestorePrivilege	780	TieringEngineService.exe
Token: SeManageVolumePrivilege	780	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5152	AgentService.exe
Token: SeBackupPrivilege	4372	vssvc.exe
Token: SeRestorePrivilege	4372	vssvc.exe
Token: SeAuditPrivilege	4372	vssvc.exe
Token: SeBackupPrivilege	3948	wbengine.exe
Token: SeRestorePrivilege	3948	wbengine.exe
Token: SeSecurityPrivilege	3948	wbengine.exe
Token: 33	3824	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeDebugPrivilege	1944	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 5876	3824	SearchIndexer.exe	133
PID 3824 wrote to memory of 5876	3824	SearchIndexer.exe	133
PID 3824 wrote to memory of 2840	3824	SearchIndexer.exe	134
PID 3824 wrote to memory of 2840	3824	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3188
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:5856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5880

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Users\Admin\AppData\Local\Temp\2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4536

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4584

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5032

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5536

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:860

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1852

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1200

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
1bb6212db61444f21dd2932bcc34d34e

SHA1
3f1818b3907739ac6a01d048000cacd8f318345f

SHA256
a83581541431b7fc7e4ca4dce273f5b92a497bc7785a28bd12f0016419b0d2bb

SHA512
f48babb7a140241bbb8130f17d2464e0be632fe2fb36659b0970c6dbe9713be88fd57d83d7747f07d7ac1c010649f88417514090747fa7968462619e79c40dfa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
053e8f9d5dd901248ed9c0c1507486c5

SHA1
d5800eb31125e0ade85413edd9ffe81c972facb4

SHA256
fff723c4b6193e8e4be0bf3f64c0c8ff8de5a81d18a7f8778b86ce1ebb475647

SHA512
6f3a4e92acf9d1ff6250152c95748089606cd9834e7f35c344378c10dd27ff03d589ebf5688d5e1de05a5de6595c9f373fe797f6d79c00c7b7f2352ce2c4df73

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
8c1201664b027b48153f1f2b1fd812bb

SHA1
c654040b131cabdf2ab0814b88e7673c9936ba27

SHA256
710dfa3d0ff5914fac18a5c51263530478c89ca668f8bf960782cb5c30f999c9

SHA512
02a625b47cdde7e83d2475bda91abc668e061814aeb629821fa07d35a13586d5e26fa22be2712a81ac14b45e1da0ec366431593ad861a1493448f9885e7f4425

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
eb2060e552a610bd14adf5b49ae044da

SHA1
822f9f778bf4078377f1330daf763f3a0daaafb9

SHA256
8a1e3bb1cd02f3a0f8fd53c18bdabe28be87a58f8795a2d802a375e21bfa5f1a

SHA512
bcd3c8f4029c384ba1ea8c2827e47e9862ac7ec9b610c5af6ce00533a7d19c5d959006261a35308ebaeae1e37ffc965c2b0546f4f519368530100cc671374d70

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1fc4a712a12a5fe6ed3e5adb2432f694

SHA1
463ad33972ac9889527d4ce842b38c58007abd3b

SHA256
74a4bfae65f40f7171c66868d498aa335e87a6b72a9ce3bbba9083aba23e7050

SHA512
96adc50d65ccfab1b00a7d81f8f138667061aed85bf8d20427a0e188f78ee00a8860c81160d392e79cba168a8989b72dc4a3b8e37c3f1455db7e20e13a85b55f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
625f1907259501ccda87071b3cad22a4

SHA1
feec3b0f3663ad8268b8ef8a554ad85513a220ce

SHA256
c36cea0457971c7f4b92b963f3e73e5ec7264c90f4fe78a3837b98ad2614d7cf

SHA512
708b18064ac977d565f9f27a95716f4a73414470146dfdd8a56ed260e5c7032958d6e7e98b624b68d072583edaf855d69802142a1d18101fbe7a8a60a3830178

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
4411c99463f3bb4cf367efc23368cd09

SHA1
26575da3cdc8febb81b54070593d116ea9ace6a7

SHA256
c6f300229eef0c69942f3e6334835d461789415397580aac9156c998b2193c56

SHA512
4376afb1c48ac3a57324e6babbeafad0a836b4e7ff82058f0261a699bb31683540f72489afc97668bef311f4175b881183e34a0e440fb9021c1f4799f705456f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ecbb20cfe4be1003bc554fc31a4e9258

SHA1
7cc01f01f19f3221a00ebeb19a1f599e14d9d1d0

SHA256
0977e2c347507247c6c5fb5750907b2d69cacf48264697e71044b4fcb5050524

SHA512
6535e2e5b9ea6eadfeef1b458890be5d61b4655de150e280b783e86760344a0c2cb00fefaad90f0cce7199e076ec322ae2bfdd40bf76c4d440fd9121aad558ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
46eaa0b94a1f0468e64573e74f1c31d0

SHA1
900670a6b7fadf4aa408ecf734394264193a8807

SHA256
9c8ca3a196588345d5f182215b493c5d0c0beddf04ffb5146f9516319b1ce3c4

SHA512
5a1b3d5f557cf884623683bafc11827893a079fee0adcd531b59e482f543ebe12a0c76f22d48d682ad5b0f67e20a07eaaf8859c21dcb933cafd862e424782b97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9a39ead540e0439fb584703697158bf6

SHA1
e8c0147ad231bad5fcd06d493863b8c1b998b3c5

SHA256
762fc065bc9b6b8bd8ada30ae9efe145595f6794a8789dbf5b7d3e0ab4cf6c74

SHA512
5c024ce30580a2e95cbe591c3f6c901e942215036d02014b0023a635f2e6417c973eb99271c1dbf2c3e37e5cb99c15591fca155e1060c3fe71d42f0bb1717c45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cbc82c29536f4a989b2c4c008d5565f8

SHA1
038db7640713cd98926819c2b0106ea486c63ea3

SHA256
169f7a2b6032bb0c1f86b267ce14b3ea6a8bd1fb71412d728d1f2467d2c42016

SHA512
a2005d1ef1cb1beec50569e853a229b7dd289a344d06a0fa65d29ac0535c80637b4e2e231e0b4b7f8269399966d5825e191fe07ee9eb6ed4d89415990ef6c540

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
04e4abe6e9f76ec9e263b6702b0f1c42

SHA1
f9e44039f28d05ada706a8702f4cd5a325f73dd1

SHA256
f136cb656bb7cca096005fe8c08c68a5f94fc28db1863ba03cdd56a53bc026f1

SHA512
12102338ef4de08bbca57ff16a89f87fd56ba9754fd445c311e153e31de169d56eba0f2f450841a84052e16f163277f8ac6d3cdb45f55d9f4c382332ceff4a94

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
f3a6483fcf6a95056c46188517557a0b

SHA1
83145e7e2c3a7400d148fb7adc45f7490b38aa20

SHA256
c1631612e58ba1ef30debf0e0f6d8d7b854ed9e017f3d1d7a8b86a4535ced5e9

SHA512
7ac07203af24eff376b356d0bd9c8eeaa754b7ed84eac2a4ae16e602d12f1fbe8e60855f9167549491c6f8d1099b23e21d1aa2a0ad1dcb1fcf6781d143145734

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4d329389ad3c755e20515a014baa5b78

SHA1
37574fdf8f33494d4fb52f2e6a810b51421517c7

SHA256
52d454aa3ea9ad163e6d0ff7c3bb03c47850cef35729234050fc35cf8162eb1b

SHA512
debf4887ad20b9cf6d961b76ff622a29eb80a25c5de19e48aa689aa22d3c6e1680b09a729d425abd5b3e95946e5b89e8fb7cf9934f5c60b7d8a2d6c326a78de6

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

Filesize
6.6MB

MD5
c218e2b0e95896d00bf834bfad79102b

SHA1
48294d14213eefd4e9d7b0a88f59e7f0e8398b66

SHA256
0ea4d0d47bc6f68d28369c66797cb5c1bb7507d90466549e77a163de46c556c2

SHA512
590003926d66fdb8eac1b66ad520716542f411f37a0a0789fb960dc9ed422229d26bd184f1d2af69fb7e7ca69bdda840f336deea3b3d52ddd46aae356a8bf675

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

Filesize
6.6MB

MD5
7bd18303bfdc4aee4a53f3d3c9d47936

SHA1
0b5f55bb451e2db73ae352d85a4478c336177309

SHA256
c798c7ea23d87a597fb79f44ca17de4ee4d1433f2f3be233267821d4a6b57182

SHA512
3de1c6d61e8612bcc66032b90a01541778f5ac111b29d5296a37f1fc82e7bbecb79004e9b57e7247730efbd6963809112e5fba42b53e2c5c9b40df8096a90686

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
37df3f1eeba4eb6ea09e55a3611ae3a9

SHA1
69bc79215a4e0e4a038c7c4f29ed4916577213a5

SHA256
8b047817c3bb6ae71b5cb558dc4317be049902457a42c70cc12327ff6a6974cb

SHA512
a22747063f97853b479a1f0e06b72ee7b12365e7e12cac7985b218e5a16584fed6274294f75e784d60d5c94b791200b2b21c12926b16c464ce98bb05234c1dc1

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

Filesize
3.3MB

MD5
90578b9bbb81910a89489961d296c4a4

SHA1
e55a67816b87c4572b52bddc995ffd0440396827

SHA256
0c8f8d5475e092dd6fbeba96a272f7dd5497a69af3c2761cf723d85e0455953d

SHA512
30e2dcc6dc270e47f9cbece3fbf3cd74c3d28c0f08ebb2aaca3981a704a1c8376f2f193c05dfdb7597cd2abc0ce7e905d17a8221611348fe1ed4fde4b090d552

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
8fff2dd2ccb4fbad5fe3b1284f836876

SHA1
c48483709ae243d36a61b655a49b742e5480cd4b

SHA256
8d0979b783609d47f4c61d099bb4f1ef6e8b9308c24173cacdaecc9532ff63d7

SHA512
9e0819e87f449e55132b3438fc90592184fd4d6fab082f597a5214c3dca3517e5b99b0275d716c087c12690d07f1d106242c89ef7b55eb9d28c9d902984d606f

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

Filesize
1.9MB

MD5
4acb3f4984b403b67de69c66490a87e7

SHA1
f87fed123d8f7082ea332fe36036b6fee997e1e5

SHA256
32cdacfe4fbe41f7d6ae43cfbfcb2e6f27323f11aefdd87293dd80fa13d1e678

SHA512
33d9792f0ba562d22c558ae0a694bdc03701ba50d34ff3934cc56e0b1069c445dd8bdebeac051baa422050a2b979474c654c4907aad2be11b873ccb13167324c

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

Filesize
2.1MB

MD5
c389d5daa59aa85860774c64d7bff745

SHA1
9d40709477516a2c273230ce582434e38b56d761

SHA256
45a22aca958bd8c55fb1f42a378cd62de459cb68c1f4c8055bf27e1d4c1c5ec7

SHA512
e836db56071aab6c4c7b27e880093d3785dd7adb4adbb9ee5b4c9a57b71219c857dd5c7df8d9c93718d46831c5d494951b4cfe3663cb7154cdceadde72ad4876

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
66477caa4ed907801cfb25746c163f01

SHA1
1f8b96f0bfe7bfad2eb38e80f9262250c2367e5a

SHA256
3fec312a51b86a4035545cd05cd5b6821e33ae476b4a337cecfc3fa75f1b0803

SHA512
81670e3b594a2935b3ae36eed4304a4b55b4f2885f64f4f51efde65d9d6321b2b9d5e3024d057457d59c33c3c00d40a2458b01c057e6608a745808e4b06e9bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9f7e194e220f41ce3d8f0ca5f295fd73

SHA1
8424b9759b5948ef113745c2c097f90306d5ace9

SHA256
f4889f40e0774933c7227b04a026d2bf8b2ef50b8ed12ddded297527b4d1e7a0

SHA512
38ba7ecb7fe02b96c73fc7911e05d1898691f16493019d50c5cccdc218bf2b79e21fc6cdbc33f794b6a4e3d1e281dce50bf93cd5e9b5dfe8b1e3f1979a0a6c79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8ed95955924c2e421e84da12fa923912

SHA1
414386c1fd33dc3255bcb798a94d1829e600e7ea

SHA256
c23218c10727ab9aba65fc5e171c31063dbf247be7cb7093f7f0144133d04e8f

SHA512
e46fc049463f34550be614a1bd929b214bf016e985143ff8359741a7652fc8a15c16db69978dfa27f6e893af31755ad512e7dbc4b4dd7b589df0c025afceaee8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
881b484f8c0c43de53a8f3a906157b92

SHA1
7db66baaadf9655bee50a0a9ad99909f597837a5

SHA256
ccc59dcb2e5e2a10aa798ebec870d2c56c87338e0d1cab3b553d7a023ee6446f

SHA512
78cb685b6282d95805d74a220dfd1fb08df7b2c9a6eab73470e8153d619c16e298c84d0c38edd4a302bf815371e8f345513ced50c8e7295add5c3935991c7edb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
3394c4bfac9325875cc2f426e67f6a97

SHA1
f9e98a2891637c0f40b4c81151ba5746a1eabd64

SHA256
c22679b7b3739f097ef934e0ad62c4a3f1128d9958af806d5084c9116a0af50d

SHA512
6f09b6d3946675cb30b30b4a771a359f5d0cde73337fed33f273c17008fe6d7f3df706f23e2725cc14e01fcc3a5ebef01f61f39fb045803b1ed1fede540bf863

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
dc6eff1ab29b3d09c521ee8791538284

SHA1
0fa23b387b58b8d51265f4dd7c176e62002e9ea4

SHA256
72e4a68159dfbc65df839ad6ec124828f1d463ab30b2876b27ddd66e5e3f960a

SHA512
b8b11ec9ed1a7728d74c39c9f2f05daf1b4827c96e934be14c9f1e52cb8ae1141178617e67ca7125896beb17b945b49be4cce8fb0556a09efbd0621212f47635

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c0330120d3bbaa2c5d46ddc9f6768204

SHA1
2290471389add296163a2d0b9a74933449009403

SHA256
89bd1d70caab456f019e0b19582d7b44fd617fff584ca2d2429ecec9e5ecd1a0

SHA512
97ce5127ebf015aa43939b92d513decfc31326d79c753a8fae8b1a31f5a6c20286414c011558633399df42c1c31d23b71df521cf5d03c12c6d6462e5ab64e581

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b0e36d57a4204782cdeeca1b32961026

SHA1
b1da8b6453785c973681224ec3481308608932bf

SHA256
fe809a0ed0d3012eacd15e475f7e418bb2961dfe51c16ca780337f75086d1c5c

SHA512
734cf23aa582c0f32ae5f62672dc0afc78d3279e67de2b93cc00b733e20bd0f03fbd14cc470a2ba466909ecb8b62fb7e169bf5775ee9daa3366cd3edaa1a5ad9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
3d4c49d901be62eef8c6f5854d332a40

SHA1
5e3564ac05942ac03a35ea5827cbb01c7f95b1d9

SHA256
9d05435e2d2dcc5eebee0c7cb6569ed2fa5a4ecfc84766660041e1bb28b63b83

SHA512
1a070a46b80120ca71492eb786b95585964e30d63d2b41fa2fc8ef3c59e2d0b12ef606970186e7f83eea2042d50d2bcff34a8abdcefeb16bd9dc2e4db0eccd3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d78c282329518c932b75482d101edf09

SHA1
423947fbae2d443bb2839df29d557a22c031522f

SHA256
90f7ee43d2387d8342312425d3d558a6784d138d01546f89420385327005c0d3

SHA512
ed2f7e2ed6c35c6edc36ca8d8e20ad84d1cdc1f934050edde58a6fe329809649b5f067d1bd00a901d955073fd21798f78f82cb43946faca0ee39666c32400be5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e73eba40747684529031b56c65644887

SHA1
49b68b10abf2740bba1163c9fbffbdcb36cbb6a7

SHA256
79a429532d19f0c68e02a89d4ab758409e9b2f6b039f2252a7f72416cfe2c6e1

SHA512
ee2621263670016d187e0ecae351cb03ec851334dadb24f385e249733180dc27e68a29e6bc02c46fc071293cbb66c5863daacf440a17f6321f84bfe7f489c484

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
b4fa2433a2004f6d1e7a44deb41394f1

SHA1
8bdd3dacf869b66a2e5b5c3669bfb7bb7f657659

SHA256
a51bb132684a6d73ddaf1f4c05f5276dd66d9cdfc9221e66ca36340702912c47

SHA512
5b9f66058c60ec15347093f86f797b020e2f8be2e06341abdfda6ebb5bf82befd74d0737a598c4b80ed134912cf764a77eb2f691cba332606208e7c749442768

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
28682ed6b9162c9d634e1471489e9787

SHA1
c388d8f227e4ece45ee1f3c8ab244486c33aef10

SHA256
52ddef3b791c6646f897e9573b43410f831aeefa03363c3a469886ac4ce55b2a

SHA512
9b8c52da2049b39d230846245a90be106c31e29ba39ecd36bd527f4dc46846621e8124e30da41f118d6eb228d710c422eb2e6f5494ac8ec6caf73ace755f2b49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2b8e4b81e47ba5118d6f4ce3046af426

SHA1
1178f58b4292fe5cee68ac20ad8ca1e66ba6549d

SHA256
ea17baf51539e425579251d57813d4fbcea104dd8effb63431b19c1207023baf

SHA512
f7deb3ba3ca6e08617cd0ff61ab37104c3863ecb394ee7b37e4e2ff319276db9a947f471d9e89378c3f66d7c9402082134a0eb6b5eb5d507f5760ea53601288f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
5246b8f8ba04d9b61ac5c914af9ddfa9

SHA1
d1c3af356734c233ef5b913e48358986d4db07f1

SHA256
9b11d3bc200da06b6d0aaed58c3a3c80e026fcd5864d691d41fb93cc2efc0f87

SHA512
4966a43aca556d565af53d788b15dad62582cc36951329853eafa7600341f8a6450e66042334707290f265b5c74b15a82c7a813b9cdf073d52bc0a00c03b8aa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
15c455aa67fd89de5b1122897a13da88

SHA1
8f7465b5a3e9b57f6e7ba0f70eacbb52d91b4229

SHA256
1e85b25b38deca9d9fb1bd27075ff51658e6d7fb9ba04a7b31986c4612345d74

SHA512
ab83a81834975bfc50fa390bf993f1ccad2de0abc02182801b633746bd48d2c3de31c78a9c77126b7835b71a2f4f7e45e68bf78fc21f7beaf5094623eeadbc75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
00bf123687f68a24de7d68a30f2da31e

SHA1
eb5498246d8d80d846de38ddc03176fdd97aa7f3

SHA256
00829795ae5c2281f4392f494fb8454a236c2a3ac90701c4c7425cb27f16a334

SHA512
a7a09796ba047c41e71a0cd6cbf51fc9fac9a4832989507157edce628662235229b5ae566c8bccc7d556cba056863b824acde66b909fa20e9a49cc31621a3afb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
56d4ca85adf2d1822c42cb018ceca567

SHA1
2afc9eb8aec0c7e9dca0e18123730cb2efc1eb39

SHA256
791ca41a67b66f94dc2c0e864b23d0983e794bbae567fa8ccede2feeed6de3cc

SHA512
9980dca0cbde81c36b7fa00e18054874bbfdea0079d7e9a327693973984c252a9c1f24caa6e52b5ca253c67a2dd15b470421e3de43ac3b27edf4142702871177

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
91959f35ad7fea6a8e62ff3be7ae65c1

SHA1
1dac766bcfe9852708c26fbba5ca68cf9c89ba41

SHA256
ce38539767ba71dec0b8b431da4461027f662b357cbc9d4d85a39e0296d2ad8d

SHA512
82c325590be45b74fa1fd30043b3b6cc69bfdc2410ff42ea7db0c12d3f2d8fa4283147c464e085c78d141b863da6a8c92fe1c4be755e925284533a69c99c9061

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
36f2fe75faa737311e60953c86a12a8d

SHA1
8b97801f46761e99dd1ee48fa3deb1ec6a7745f2

SHA256
3a88348e8bf10fb163968e2750953b2d7bdaf01f0c93dfe93807f611a67834bf

SHA512
a54b5c0c78ac44f0b648b3910056e18f60fce2dbadbc15287f4008823bc45804df42fb5662b6ca64ea41b985acdc5f3fa97817ad76ea4ceb6860da0278300874

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
55f901e8cd81fa294c2c9505e0db0a21

SHA1
79eea0ff603341a68055517b15109079e3555c65

SHA256
580e5f517156569d284c8904849a29ecb985b52a40ad9439ac745599cee405a3

SHA512
e60fc6f3f9e0416505ba0d0b524cdb46a0da209c9ccaf51f4043b910ab70c6468226b159782769661c9af357e946231edd0727eb835ea54662603fca946a315e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3b40601fa4848a65a08fb791692c9105

SHA1
09f168abb16ae23434d525ec71c95a68859808c9

SHA256
fc6f8b747bf2bed1b3ee7c2d05e024a1b953d45c1a92e31f25a62125e8cf866b

SHA512
dee75f370c64e3c0c6fc8e1b16992fe72bf8772fa0808cadb701f8c01358eb31ec4713b0611d5ff601b47155d00c70cd8319711648699231ee22f927173ed4a2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
15bfaf3e82921b5f9d7517c364bfc831

SHA1
96763228542a03ab8d9a6717f2f8072d2a7597fb

SHA256
b58539871f0215e6028ab7c1ace53bc218b1d0796bca87eef8a1f8fa8341972a

SHA512
12ac21816c931ff748c683e8c150f6a7a99c12fe0cb0420717a193f5a0d0061d6f975a8482412d5517fd7d63e0f287da8c25057f510531f2cc05a385c1012ff2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a270654552818fcd17650046503ef321

SHA1
d69093a080a4ef706f712369db1ce3ea3abde211

SHA256
3d33530cda77cf781b897e9cc5a5fb889bb2d2e6db3d51239e3339ec660a23eb

SHA512
77e2ab5d378bc391705cd5955cedfcc3e4b9ae1b4e8eaf0726f204ff2a67b8bb39f64463bdf4e65ded731a420c34381c73555a50c16073e8c5d14d046bf71bc1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
fc04a7e20e85729826b8ed0ee8768069

SHA1
0743b0d83eefccf7b6334185433c0a8653b0e132

SHA256
cef221ce889c59164a130f69b8082d1ebffaa734f31f3f60729e7a3c7f130e1b

SHA512
fe7469a0bfdcb819e6d4174b00e1015b15d1efc5b0bf50626cab99d3df8a46017292efd6842f85980475af5649f2779b528cb79383bc5808723986659e40cee6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
832587f3c1129b557f84de7e8928269b

SHA1
35b370322eb109f82c501f6ab445797412d23664

SHA256
b77cc3ee2f5bc6fe33af74579e6e5866d927eb2165ce2030aa766705b1684fda

SHA512
e6c08cc878905caecec09525a91c0703c96f903715dfdc48e33520568145e080fa08114fccd09032d78e1543daa74eb4f36012642b84a9aa475f7fecb0096f7f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7a2083723bdb821408b9392732103dea

SHA1
7bd927dddeed033fcb6d6a8c07f96f00eac72bdb

SHA256
8717d1e7601cafe81dee900474417792550a9bf8ea6b94664473f9b27c6a9993

SHA512
937e308be26061eb563a0fd5f9cffbccc804904b717006083fca2949006de67cbaf970cb2170cbfac3a5212e63e148a15b59853643b13cd5301f875a18547bbf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
466cdce9d61c396532df58df1541fbf8

SHA1
7a6a745339309eb63c922768422bb0ae88f58021

SHA256
bced49f047ddbab4ffb30239315af78d671058af473235bf5e1fea64612864f9

SHA512
0be036fbdc12e681db693f0d77b3e5822dac86b49314cfe58057e6d3f2dac1db8291b7146bb9857550cf932ee5fb956b54c21cf83a9f39e3ec4324f5948bbf95

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
489fd3e94230e0259a51fc1dc27c40ae

SHA1
4940fb8ef2b6ec50d1ec99767b54709bb5b8d745

SHA256
653a6b13df1e2ab0ce5041bdb5a0649a5f5d2e9e13cfa86b82dd61166b0930df

SHA512
55a28aa7ef1dbb1d5048723bffba7b32f9b076c68d486dd2499b4d98eb7d2443cb28243aadba7f906b469ce9594bdde9bc2d8c23da7650ae78cb58c0fe562972

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d984f3fa590850874bf39853d789f92a

SHA1
cb1651fce5cf2826c22b527b1e3559470062ec9e

SHA256
6ed93da335d04afcfb9560953fbe728b6d29078ab927767b28d91cc7e353ccb1

SHA512
773170af6931c3526b2e39c237ac8460186a2197c6d4bc6ab0445c20a4b5557791407be8e2688270e541e17c26f1fb205c9c76b3a6684aac8955feff193524f0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8e160876493f6f340a2be986ed0f2e6f

SHA1
fd07dc0929857eacd92fed592c5b236c342bb438

SHA256
b69729f6617b4aa9e8e1879554c7b66ceaa60e43f943f83510e814638adaf064

SHA512
b3719cd0370949a632cfc8acb4e279885da3e309315050d3a8c4828b3be98ce82906236f6ddae2489c6e80c68d8ddd2fdb17ad1ee89b28ad7fcce972f106885b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
69db3159e208f717f491e63df975fb6c

SHA1
a16e80749e56f39c424ae357b3c57651a357aa55

SHA256
702442d305a00cb43137aed96283b1bb66e29140eee85d11d207c392635305cf

SHA512
9a945149a148208a7eb36b36d6e8033739af9740505862e022f41dc7d175493f07a4f36ed0006daa73037be48e0ecfa47d2852cd0f4f1f3b87ff49117b9ef257

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c92e760af58ddce3fdc6a4d92b5ee6e2

SHA1
84d3861c9da1b87fed428d3d04c882ce1e707e0b

SHA256
3f8263d98e33005aed5025519fdc9f9f5a880e6ff33fd54affdddb2201a47fe2

SHA512
d05c106005edbe3f4e7e06bb266dd4e1e0107da2530e6701fe52f5036e0527275519b0d10da37f03dce7cd22a45f789ecfdc6e4fbe271716888d8041695a6e1d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a627c16954cea3b8b94497d9f91df636

SHA1
99e9abfea075333fa0258e943250571f52431b3f

SHA256
899802c8a2d03c422a01cf5b9573ccdd7637653728e4135a4216e192ffa9ef32

SHA512
0f36b59ebbed6f6e3eacd8929c042188a0695898ca398b80564051e3c0d66552a1bf6f11f2a51d248c471125fbaf9027cba1b96f9a893655fbcc30fbf823e38c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fbd9b36f840924e3f162df57e8bbf38e

SHA1
06bf6ad6f58d5ce2092875b69829ea3fc51ac20e

SHA256
89ea6108e99b33e36db42d78fd4427543ff2b18b6011cdacb7cfe3ae8d26591f

SHA512
3b07f32e3a321b4fc50ef05d27e2a3f2e44bf54b9429d1057490b1fd64d16d7886f9ac7210f24b47b105f7602672b2a28de1871641829ceca2fb9666ddc293b0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2380904a3f06a27981abb5150ca5c66d

SHA1
de644a3fe72dd1b549761c073abbae580bd73310

SHA256
9d4715b5602f8263a3ebdacb8adbb1877efa6b7b2acc00c16631a61eb8e69eb5

SHA512
ec3dfe216232447048118db75fdde7c4e2deb282d400f85750fd796f3cfc8f133be95802763b2012f2a88345a7f65ec7def1b111417d7c03400dc42c11c3918b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
db94191d5af81885db6d7e628c979163

SHA1
e1b46bf22d4e2b6e370b68ef0bc9ece778742dea

SHA256
7736f191fcbc6d8f9a003086088ad13956d9e80824f3281b5ee9ad488762ade8

SHA512
36a1743d2ce06a5c6addeaaf5d75f97ea1ec72cabc6512269ceee161a3fc17afc35999b203ef0d7de87e3fae07188472ad8f4df57593aea0dcd20ed4aa3f4382

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d354910bcc3490fc3b1efca0f7f70f7c

SHA1
45905ddd0f6c60d83fd5095e07b9cb8329cc76fb

SHA256
570ed5bb36915ad805f743657c8a06a55573edc21f4981e541555cd254bdabb7

SHA512
f5a244ca048fde4f99f94f95b27b07e518ee17fe9dab5af3e2c8b195169bfae2b92945b63e6e265ddf2b97a732723c65c7d4e997371936436e910dbcd245ea3c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1a777faa698976a19436a51fe9c33f85

SHA1
ef7ca8ed621dd9c78517694b48cb93b2f981f087

SHA256
18724ec63293a1d5ee43ca981ebb08d2887176fc4a923bcd15e0829f3f1ba690

SHA512
1000cd8b6d44ce60406076f48baf0995cece69a9b50bca1cd99bd0553f0800dd5d4183b27182180900f4c2d059cde0575596e52de8341c6ca575cf6e9d1b4c49

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fc0195c3fbc9d1ba19811d3c36b2bea4

SHA1
d618abf74712f8730fbad1d0988d1c30e1ec036b

SHA256
0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739

SHA512
01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965

Download Submit
memory/780-568-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/780-320-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/860-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/860-344-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/860-571-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1000-95-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1000-93-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1000-87-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1000-251-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1204-328-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1204-572-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1612-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1612-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1852-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1852-297-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1944-68-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1944-250-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1944-32-0x0000000000E30000-0x0000000000E96000-memory.dmp

Filesize
408KB

Download
memory/1944-27-0x0000000000E30000-0x0000000000E96000-memory.dmp

Filesize
408KB

Download
memory/1944-48-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1944-247-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2388-277-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2388-335-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-488-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2404-308-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3188-7-0x00000000011D0000-0x0000000001236000-memory.dmp

Filesize
408KB

Download
memory/3188-66-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3188-8-0x00000000011D0000-0x0000000001236000-memory.dmp

Filesize
408KB

Download
memory/3188-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3188-1-0x00000000011D0000-0x0000000001236000-memory.dmp

Filesize
408KB

Download
memory/3288-248-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3288-67-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3288-44-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3288-38-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3560-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3560-25-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3560-15-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3824-577-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3824-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3948-574-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3948-336-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4344-287-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4344-339-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4372-332-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4372-573-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4536-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4536-57-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4536-71-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4536-249-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4584-80-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/4584-85-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/4584-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4584-77-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4584-70-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4596-576-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4596-340-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4704-294-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4704-421-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5032-259-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5032-327-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5152-323-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5152-325-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5536-266-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/5536-274-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5536-331-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5880-244-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5880-23-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download