wannacry | 04aba9d9010b4b111bd27e9272cf00a7acba3e1070e4bc2be1ff2508273c13b5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Size

5.0MB
MD5

09fc4a868fabcda73a9dcc5c4de8e430
SHA1

697fc70dc34afa26cef69703bb590530ea876261
SHA256

04aba9d9010b4b111bd27e9272cf00a7acba3e1070e4bc2be1ff2508273c13b5
SHA512

2bbe726a66516c4ff107cb7b8e45c8bd8f9ce5d30f8f73d9f43ffb79e0f5afe672ff3e44b7b2274d98ea051443b4d1cffac4d28b0f32e4bebf1e2cc9ea16426b
SSDEEP

98304:tDqPoBhz1aRxcSUDk36SAEdhvxWa9P593u7wRGpj3:tDqPe1Cxcxk3ZAEUadzCF9

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3195) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
4596	alg.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
3276	fxssvc.exe
516	elevation_service.exe
2248	elevation_service.exe
1880	maintenanceservice.exe
3248	msdtc.exe
3488	tasksche.exe
2144	OSE.EXE
2760	PerceptionSimulationService.exe
2532	perfhost.exe
4764	locator.exe
3316	SensorDataService.exe
3456	snmptrap.exe
1320	spectrum.exe
2944	ssh-agent.exe
3276	TieringEngineService.exe
532	AgentService.exe
3364	vds.exe
548	vssvc.exe
3636	wbengine.exe
764	WmiApSrv.exe
2452	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7123185f6707a3b7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a27c6d0c89ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045f14ed0c89ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000588ff2d1c89ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075451d0c89ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d4a2ad1c89ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7d414d1c89ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf6483d0c89ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f611f1d0c89ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
516	elevation_service.exe
516	elevation_service.exe
516	elevation_service.exe
516	elevation_service.exe
516	elevation_service.exe
516	elevation_service.exe
516	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1252	2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
Token: SeAuditPrivilege	3276	fxssvc.exe
Token: SeDebugPrivilege	2776	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	516	elevation_service.exe
Token: SeRestorePrivilege	3276	TieringEngineService.exe
Token: SeManageVolumePrivilege	3276	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	532	AgentService.exe
Token: SeBackupPrivilege	548	vssvc.exe
Token: SeRestorePrivilege	548	vssvc.exe
Token: SeAuditPrivilege	548	vssvc.exe
Token: SeBackupPrivilege	3636	wbengine.exe
Token: SeRestorePrivilege	3636	wbengine.exe
Token: SeSecurityPrivilege	3636	wbengine.exe
Token: 33	2452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeDebugPrivilege	516	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1668	2452	SearchIndexer.exe	135
PID 2452 wrote to memory of 1668	2452	SearchIndexer.exe	135
PID 2452 wrote to memory of 3060	2452	SearchIndexer.exe	136
PID 2452 wrote to memory of 3060	2452	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1252
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:3488

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Users\Admin\AppData\Local\Temp\2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-03-25_09fc4a868fabcda73a9dcc5c4de8e430_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4764

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1320

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
17567553e229d9b871eb271e8eaca807

SHA1
a6aff3802bee60db162b7f18012d75c535fd5cd9

SHA256
15dcc3ecced422bcbb20fd2667a5b8ae9a5707a7f59cadc89cd69b0da3eec9f4

SHA512
5ac4210ec9b3d909c939fa57f203072dd44936e1afb5d41af51be1677120ff82e0937c4851f951fa86aeedd69271af343bd1713b47bc9301579055465833cb0e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
93999b9bb649bcb8a39be04b28c46c2e

SHA1
00dc4a10f42af88e1e12d55957205350c619b8bd

SHA256
f86c57564fe0e63db59ac9485b69969b3082d6030a9276fb595a742d32e4f3f8

SHA512
ec16427845ec2e9c8dc39c0eac09dd0609ff9014d169bde7ccab474aaa6c931f142c97684ff394e6d7af38552d2bc6c3cdb9689adb2ee94fa48230a59a8f907d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
61c51282745daebcab0db7801367810a

SHA1
a33016f6aba5c05b8a897f6151b1d21c910c8f5d

SHA256
046735e05b9903dd35bcd37075a72266ee71532b795930d6b86bb456ad9b4610

SHA512
6d54cc46d88c4c6897869d71ac4f1e129143f1d2a1e094a47cfcc28d8e94444edbff33096bfecb3a1d32069d9841e2e6cca8219d62a9de8431210fdaa88b7bf8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bfb93587c38202e09286d197092a4136

SHA1
6e86f6c878dfa231787f6b5f0689e97a4ba0f0c3

SHA256
5953778edecff331ef90a46e79c6b3828c14cb130a64dae7ab59b4404ef67d8a

SHA512
91b56aca3dc295dd2a1c1866267908111ab6a2ea9ff2760955f10e4012ab25fbbd4d0987d79b046363b067a59edaad658a30b537600331a62f4c2f8adabebdd4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fa53d1a445a80070150c00dd29c369bd

SHA1
9722d3397ebc939358ee5da69f4609155e2d74f0

SHA256
6689442ee5ac7052504a21e5dc563937ec5925006b8e13266def1a0afb1e63d9

SHA512
48dcf0c21c53740539a81fea55c480c05f8bed3be376ea7c423cb6e6beeb89946f717c313c3638c5fe15faeb2302a8d6bd5d5f2109d5b432afdacc7a85a7db99

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f8866f7b8c399f1e5eb04472ce82200b

SHA1
65eb3b648bac927ad0912d2f29df493313a37384

SHA256
4f804bf6abeb425314612dc11a1d614517972a74eae1de09f6f300cbd3b5872b

SHA512
f5c71f6b016b96f1c233c26f2b523f46aadb4619d7ad0452e8409562d54d69dd36af94d176e2242ce87ba983a9eca3398a3ce2e58a5d5ca6c697d3be70c19677

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
3c56a3813d43a78ca2fd9d73c22c562e

SHA1
714d85a55b076da780f5eec2be0ffa6c9f6e8c6f

SHA256
70fb892f80843fdb2558bd4cc6824894579b36e8d625bedce792d0a43d36f719

SHA512
7e86a8b48af84298a377931827a94d8ada7328f7604665d2970fb5cba64d95d337ebe792212d869b91e5e497def8652525459e9c1f2968bed0e99e86c825e396

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
40f74731fa369b2ab8ed0dab42d3a106

SHA1
d4ca4ef86d93e379a0f6cab7c202e010f7803977

SHA256
8a3b7b52b8889e707f1c2a34abf52cebe3afbd362fdb8b39079c0d1428db2635

SHA512
35c93d4c5095acff14342d189a7dc194c6d7716fc6a31e97f612e7a45da23a735cc0aee59880661f3a7bd5751331e0da12861b7835eb29128cce94b43d81d912

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
ea1778a03cc3ab290aa9fada566af396

SHA1
1ee55d3f492aa49b662489770a2e1a4f4b99dbd6

SHA256
72be15466d7ec051805fb539276d116ee9dbcfab5d6843266aa05b0867919e38

SHA512
861da55230b8210074267eb458aa5e91b0c384f3d4e0661bb6a945d5f81505135890f2ce9ae87e297cc92612194f1c6fbfe4b7b4b550cc6077c3b97bed2eb594

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
61a324963262fa7571f69820d3cefde4

SHA1
53000062e07df2aaf13e0c8b112da6df87022c38

SHA256
1a1a37741213249505fa4f37761234c43e14e04be9a74827d55051a30c47fb66

SHA512
6b62b36a106cb4196cfba645492ac400ba0479fc3fb47b026fb7edd72ca58e40111b27faf47d851a0bdf11b8c57e1ade92902d405a75eb1468f55458d0100bb2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
22abf91d4e062a268cb4efdfb4d1da40

SHA1
c7b1b67b0a9d2dede5d47240c5e2decca658caa9

SHA256
77f2603e90d337c425c8245bdb7c747fcfad00577c0ee8deedf3f901f59a2f54

SHA512
8ac586f132fa3c0c1bd72e13bc1fb5f1a2c6c623822a7c4853a3e1f4bf7b33c561534e37e29ce38a824f08c5ef1c468572ce80fe4d070356ac0e5e1e75bf7650

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ee25ab2681b6cfaec9847283d3f385e6

SHA1
8eb17f7afc6b0adecd939693c397d68a4d0e40bc

SHA256
d50a87c0a4b14b008bf48939de4422b0373ecee921622cde3c97cec809906b86

SHA512
1dc7c53c53dc406ecb226511d0ab6af4ca01a758719f40a2df23644ce3e6f6db4bb12b9aaba179849f70d2e861d7a1c5db46e3b21af29e20ab55038866d748f7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
16efb81f1124ba150d8bb5aede47839c

SHA1
35d2fd453845fafa549f60a5d31e9ad26f9c8c27

SHA256
6fa524f99001f94599c5d52b3106f989740b1430399e7f2696d1cd72beb284b2

SHA512
c874341626920177952436daa8084ca68ade43ace6d34ba89cd3863ed33cd2562f7e9844ea629fe41107e9ba41d52e83e0d56f0d4bfad49af239216b83a64daf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d7c44837c611eb062f5721e0952f6e89

SHA1
aa634e82085c9cbb3cfc83ff7f8820b1e6af3373

SHA256
9d4f9180ecb426906bc18f15a935e72ea3ea4681d0b7fef44d5483c30fee03d5

SHA512
1eb32f7771319c38d069c4d5367e0762f39a8f289e27259dd533ee2646db2a797ab5a13c46b2a9aa884dec477299a58c809fef5f2531911212219412093ca90f

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

Filesize
6.6MB

MD5
6f44ba821789dff2d213283ab138932b

SHA1
391d833e552589e739c97461c96944b8cb881cde

SHA256
9b389ad065aaab5f588a882683690da62756b266af8227fac66c2fac3cd6b2dc

SHA512
73d0aee5addaebf59d41cc16b6aeeb71687b3657656fa7161e86c1cdfa13f7ebdf60a220d1b9b1d169e247868d53fe9bb588d9d2f8b4662b6c536f61ed2fbd54

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

Filesize
6.6MB

MD5
78187b8af3210a266f84c72260eab589

SHA1
8fa02a6219be61bd8e5af678212575fa7beb168e

SHA256
bc30a7928a62a700414c017d9cd2dad3ebb7567fb1772a20bd19675ab4be1cb6

SHA512
d976b75d88877c596261165f08cd97c03be3c284447c0ee1b2d780d3510b65f0d35ef9d8dff3480740720ca529682092c69b808df2dfa197d472c3b8afbdf648

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
cae628bb9a3696292f80ad749a8637d1

SHA1
4ad2268a12ee65c27f890e5f94fd9b9c35192eba

SHA256
13ee04d34676f88efa5e58defd553ae2a8919be16a48f781a36231b3e3c2fe86

SHA512
1e9763e525eceae3bb59617b576b5d9cbdf0f973c7d26ba9dc1fa5435b05616fffc736ea28db73ca021f44eba834a70d1aadf878de03544f401de447511bbcce

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

Filesize
3.3MB

MD5
13634ef43802c8326e635837b5c53804

SHA1
75dbb0ab6ae7bf42731d57c4cfe098e1fc2bd2a7

SHA256
7f933c2ec6c5d679ca9f720cc8101c08da2a7bf0e99a42ed9fcaf64aeaf5f2ed

SHA512
39c91b5b508c924529b2042942d656465ad45cb203777076d3dc5b0b325f5e49d8f4e32bb772c4740489f6b00c65716e78fa9fbb45e70b100279dd6ffce43e01

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
82d5c0f1037dcbcbe1782e347b7e5924

SHA1
694629ce8c8a95605f0221f97334d485543feb23

SHA256
60d559a9d235db5b9eff7971b89ca22bd4a810fb639c86e35f8fac51ac5750ec

SHA512
a59d8143307723ff6d8adf2cf3eb14a1b1f3c3cf43ce40e36e19342460b4d2c526a16d0780f74fe527428dbaae966d8e2fd34a80d7a1d1fb091efd33ec12c6c0

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

Filesize
1.9MB

MD5
7dbfee650c63600343b14fd62b21efa9

SHA1
92c112e4d6e258a1e13fa5358b6db2f3c39cb93b

SHA256
ab43df3f21840b36001c41cb6b8377bd568350908e402181b898fb9c90067186

SHA512
7dba6d5dbea9e872298b83927bd2a3e9f8f22209414034e73e88506a00ff9a5345c77e6188ec9dd8cd23ab5d4dff8f15bc148ec1b66d7e314e66d09fe10f0e0f

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

Filesize
2.1MB

MD5
c01c7be69af810951dd57c280deecfe6

SHA1
b824f26152207f0607ae1da61ab0812e960d885d

SHA256
19998f0f48c28805e0bd12aeb290c1191a7b6672e636ec8e0e4303fe6b8568ec

SHA512
407f09d0a6731ba1275e6598c3559bbf6e6d293c36f149a067f39b0477624c2ea515a4fa0ddc26ac277242ef26edda26f3665269a20991c62520f57b3ae17637

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e1cda23f6e95753bf8771c1959f34f58

SHA1
9126456495f18d4a04afa215119f17f1b43b433c

SHA256
f2e502c14eefb3493314a2442025877300c43d1ca8d0ab4f5231c004f9ac2fcd

SHA512
969d8948518b23aadc1bd9150051c1c23797478c59af3281c5bfef7595f01bd51f4638e2a2c4051176e61c18994770e523ec366a7a82c74e8154b68ff7420a2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4f6c00f33f0d2406a97561f61069fb97

SHA1
a9234bacb9f17faf4222945e718d77428d3d8e30

SHA256
745aa63fd004117ac2611bfe24aa8b40aaacb5bcd6d0828bd4f27556358b7596

SHA512
520259e5bbfe06eaac1e39c74dc31424335e1aab96028b2529f22d1e8c71d90a36b568b1383f736dcff6c958ed4103080c090c40b45f38c1620c60051d702d4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5faf81bfd7be8e336c06ca231d7565e9

SHA1
e9ee947dbd40879eee9c3d9255c20de63ee7dc00

SHA256
1364ff0d1d85f3623afea7c24ec06250a9f7c7f21f63bc10578b4d4efe5f88ad

SHA512
248ae55be8f65ee49643fa07efa161d3d1ead8a9b6e313d3b89dc8d5b09ce4e77dd64c77a1d6fb3af0799f93de2016afdb255919855e8c7576426fa8529419ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7f8a774c7912453ab266c622239ebae7

SHA1
2112d23d45fc79dba14075cef52127d1eba97aec

SHA256
2dff005f7c44ec3fe4077f1aad9baec9e03d969b3ef8d0775901fe809da49c44

SHA512
ca84b36b8cc3b345e98e7aa39e76e780136778c2d343a44437c1abd708af1ad2974cbc686e789689b4c5172f92662eb056099946ce3a6061a8c30e2497faa315

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
bd2cbd5e11de24134f3babc284f29805

SHA1
295c75bd05a5c3553a26e3f9ccba3e479044d702

SHA256
21373df1b94768042a671f5afbd9e93632be36faca94c09468af99f26804a91f

SHA512
f53ffe8a01b94b04c891f7ff691f881647e63e275ae4b85d8a48affdbcaa2bef319d7796dc48c6c9fac5960776ac04bf3350fc41bcd3ca947d6e48ed3fdd6e22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d3164db2bfed59cce657c051eb92d00b

SHA1
4a2ada06d303dd0dfbebf0e82ede96f09dddd9e8

SHA256
47cff559c69643b5e30ff88a0ccd81406a65dfe5644f6083eb8b9fc1da7d5d45

SHA512
ed88cad1e69cb7706bda61fc03b6719390f32b09a17e039465b5a8c42483cfc13ba8ac7930007804d7599d5225d6ae57caff52359bf849d7316dd81a3781e48e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
553ca0d6fbae84aefc44be51e798d653

SHA1
edc5d936fcb7bb5ace30a56c243e5a589a55374d

SHA256
79e848cb75534f4b64e38985f17d442be3813342a24c99e67cdc895916a76cc8

SHA512
85f08252183925f0457e82f0a6839beb55023c7de3e10e1dc18c346f6a19965b3123e65503a12c43cb21ddf3551f28bf0ba85f0eeac450dc453287fd731b0dec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
0b0545f4b012bfaadd2164e326aa16fc

SHA1
10155178bbc99cbe81d373d25d387eb73b4ea4f1

SHA256
b5a58b33fbb8eb1f1d22a03f09eb6c5cbbd18c80d5c9103d817992bec08b45fd

SHA512
a154f061e92ac224d6ca05929893150d8ba08844dff772a8a6fc3f20173dd1c012f864b4a49ba5af057375154cff14167de36db095620912d954a7179e7b3b66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
0316420b37c1b690476144455f43ce12

SHA1
2f2946db180539cbe4e410ebe7128e202ce03b8a

SHA256
91ed27062d99956cb9da1dd1697bab771186e898a601334ea8344cb73be0dc95

SHA512
057269c19d5b7a9f4a43cf46f92b74c225559bd9239cdffdd1a2f4597a8fa5ee944b1e49c42404adbf30e0862ce04b4a66bd7fb092e5cf386375a6603ca0f79c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7299014c2021d878865205ab6cbf31cc

SHA1
2f570ab978bbcf1f6d91966953d1d51c0a07c077

SHA256
1456ca72e140dbc0a485344c26fbb0dbe066fe491352b8a19e5717b8d4e7fe20

SHA512
b7153e5f2290d44cd72392d11038174cdb2ed07783f87f68ede7d9eacc91dcc77ebd767963bf45d9cf97e9928edd90a334a03d8cd46c319fe5782092477c9b38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
897dc35d0dc5189d3b0149de746f552f

SHA1
25c30b039f3b459269981861747cf4e8ce9ffae4

SHA256
2f383886c02dfef50bf5597f34cd8ddfdd578f5d35f7b2901ddcd3164962df52

SHA512
212dedc984e71e069b5ab6e181d3eebb6e6938d16912b03a3d663b081a00f215012aca94ce4836a1e169069e5812fce7f24269b1b1f5a344cdc16d178d8cf1e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
87c9e599607a3ed55a4956b231de2900

SHA1
679b381ef2ca17359dff23d458d26f6f65a50d50

SHA256
611c7611222eda8b425e10f5e43b8219090ba83d9b5b8fd3ab22c3813809f917

SHA512
1c523982deeb9a8501426b8a6b7433298e21f65c179dc74110bf3dc7006463a0c316eda9da9d2f5ec047077c96de5e7f6ce191399d5003b5742f2919548d08fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3ec440893d43cae1878f42bdebfed716

SHA1
9b95983652029803b4b31d097ca54a42996ed0c0

SHA256
e99febce26d0eae5958e4bb510283ff7a704d0aa02410249bdaa7b658917580c

SHA512
ed600bb1867ef72e0e02c98fc171a817e276164756507c97cb8d97eda4fdf1bc1db10698f877f81173844d8b54997c4dbb3b226be0ac1d9e4fc1ce8ea465120e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
dd7f54cf09d5c480abaa3f591d7df204

SHA1
e1bb8227cffa9a1dddc0d0928eab60b440853ad4

SHA256
3817d14237c71477398f16415e33b48170a0694dbddcd17054e2af6b33aa1661

SHA512
b06257d6889eae67fc1138e501f7289549f8d940956ecb7cba929760687a4668d186b9f3ff3f502ecc68edc623b3fd7f378965a84adea14d03f0839f7e4e4790

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
eebe853dc877e0ad83c51db76afdd306

SHA1
4328fe8961f360f2467c6d38efe9dc3db38be6f6

SHA256
231f58d2331f95c827ef8e3f01c017f286966deb507e888a987da2097485f661

SHA512
428fce0ff02be61b8b85cbdf0556fea8ad4a43aa0cd273e24ca1d367ea8fc45ef279c142a6c3d5a3df54fbe3ea2c607ca0c7bd69c32bf2a926649196fcf43660

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
04cc418904d96797f937673eb215805d

SHA1
ec990a83aa52ada5350507d86b2ca34a15cc4cfa

SHA256
c269d532e0e370965668698edc987671f604388e73b5080d73958f481312d83c

SHA512
c364872113842c1a6e64ebf123e54286fcd1f69730ac4ed2981f9981ca315e90daa325cc5c0950df13af789ac433de22971dc6380baae080a14299bf91940861

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
c1b2fa871932162f1bb2dcd8736f25d4

SHA1
6d41c336960a25c58d739ab4e001628a8f36772e

SHA256
a53ea2782b1ed6846edf6ed6d2f1ef83b10a2d106128f92c1ae114c4772347a5

SHA512
d6d912b1c8cb785ea6427010242b45d2b2e05f13442815da3ab5fa787636b18c2191f1f93e507bbf0ba311c88f45ff37e983fbf7ce73b12aaaa59c44d7f3ea33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
dd7270cf4c07ba92b553fd50840a6783

SHA1
eab7071b4227c3b50e85f422f4e18e2aa1568d67

SHA256
feac63c1bd3bb68216cb0c871dd6c0137e997e4361d1528be99486d18ee6ad9f

SHA512
d3a3ac5ec47b648c52ba878a46bbcc400f42748e3155feb19974187e22890fbf6afccb040e85182c42f5a2e533365af3e52d62f4254c26f26d7506e3212aea5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
52779fca7f9681e250ef123713928983

SHA1
824a26f3fdcc7094b7b41368a60c711806673c53

SHA256
a297fc2289eca6e1ae4a6971a938ca1e576e874b1654d71749477feaea7c02b5

SHA512
87ac636297c8e6889bebf76874401092de9e6f0a62bcba3fe7940ce1ba1c414b2b7d515448bfb5987afb8c35e7c7c9290cfd0e0f246a420db372c3e473f1948e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
68875762c89efe86d8d59c3dfb70bcb5

SHA1
0671a437b969c557f713ce33054c41af20e8a209

SHA256
73e061308bf84a4ebbb851a628dec21a8615c2ad881c2bf340b408d4055ff3b0

SHA512
8366264af327bf9366d83768fc054caaae9fca8546d1c68ee623501675aeba7952e2be4e03df06472d61ca9ed7dc052f9c3cb532884ecb4894107b81d059c86d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
bf6c3918c82ce1fa712ac94331eb917e

SHA1
2651b3b624a02391c1f856fc8d451224a64952ae

SHA256
37c3972dea1ce9ff31842526e59271fd9fa948da0fc0461aa0b0c78349735d1c

SHA512
63fd079090794fc7b95469be23017604dc8624b913cffc9570bc040eebb9737aaa0398b8f88eb128c0cb03ceb52e48d7e6fb935eba5b08a70a06660e037fdefb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c90bce85605857902b99e702c5d36ed6

SHA1
668151298aada0f43f62a9692cf0ef2455ef5e79

SHA256
0d54793f38ce491fd280296e02e9ea829c87f0d375ed571af35cafa333854634

SHA512
cd12f12fddf2eb63e7006da01f0bc30cd78959c23e15eed2d5928e25abc96bcac58624214c8ef798e6a2e1e850653d5d5c25a3f52d059315493722318e74bca8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c7bc07e79193627bef71757a88f337a1

SHA1
ebb39fa38344ff80d8b29a7dea5c8fa6df57666e

SHA256
b8f647ba05ce163b876a0a4dd12dedebe0c418c368d527d793a7b2e66def8ec1

SHA512
3a4bbadaf2c90515ee2b68c43771498b7981e3311ef644e170ab535ec5d296c7e36aeb8fb9c021111f979bf2ca0eae05ce694c061585044078ff35beabf27ae9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5fef7b08167e4a928904a0ce9d1a4a39

SHA1
5c5f397d27a697e2b4037647982074c70609e793

SHA256
f04670d49bb4ff06d790744f8d9698b6aedc1672560f6fbd62996756b91fba35

SHA512
76e9c8151552c07ac947e604697deb75d8dbeb24c327dc4b5a7af3443bd152fa8e460f7b3948988cc05f4ed1b9651109b7735dedf813fe632279747cc05c3c2e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d9ca0214e3960259612e06a445750d73

SHA1
7cc3c7cfaee88857a6489f711a4a816cc9c14550

SHA256
728ddfd87277c060d912e71069299bec635f850b3506ea9d7defb53e1883d4a0

SHA512
9ee3c9406c77f300fd3cd53cda005d19f52ff4f1aa353fd6c1d9c640fe47447ad20b8f0a5e77456243c7c9dc16bf5c30ea09277a7c2a2e41c5f95d1a75bc54ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
153abf5d3da1cc4f7dc62b042039fbdb

SHA1
3a779715701111200fc29a59ddaf8f115cc78e8f

SHA256
2cc82b6243ecd893295b4d35586e7697af0d2a89f09d9e07dc86d14a8f966ce5

SHA512
0cc040121fb9054112450a109e54cbfb458ebc3a143f8480935afe115f9eff7ba033f7cb1911101d9970d317e321ac1318c0583e9605d87559184b573477a302

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
80d1f9b5396ebc81e8df01b1e8f1934c

SHA1
d501bd83a19b41aeda16704aae11c9f12cf9338c

SHA256
937ae1dfe0fbd776380f216451146ae841c0469a9e4f417c0b5d6f20fe9cff6c

SHA512
629d192c9f9aedca0d847727235cbaf72d67948cdb92690496cf2d7407b7c91a12449f668c33afcc3853cfa3335eb9d4db0168b46ffb09b332f1f28611406b66

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7f8e31afc42b44373937e8dc1a4428f6

SHA1
48f27f37d99c39a8fcd79219163ff1dda1cf8505

SHA256
8eca337a0a3d36485f63610914beae1304dbcf7c679ddb0e0db7cda4f73becf9

SHA512
a1094978cc5296ddf2be0060866697202d1afb86a14054ab5d4e0e48e28446b8e0de90ddb5670d479a5b046b40341ed585d717c39eaf39901d48b9896852f0a0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
badcea03221b7dbab999ba2cb5e4e4d8

SHA1
bc505a819aa1a45ffee7d2b4c2c95a326a522b1b

SHA256
b414c03022f04fec7ea9341f04f8921d00c72c6a5b80c93a6bb39251b74763b9

SHA512
ca64f533b8a82dff10a215a8de28a6fe868f8a196fe273699456bcf7e7b47d820630205a9daffece05014149739040eab125208c1a3e932c90d21d6439bfb2ed

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
23ddcbb87d0ce7f8a007ca67b9abd70b

SHA1
8bd7ccab642ce99c10d1ddb7b80cfd27677ea46f

SHA256
48483a097ee3820afbbb22af5ffdf00dde83a8f98022a1f2570e9bb0b0bac13f

SHA512
62ea09fd7f162499340886a412925eb7c173b9daaf9eac67bfb3a565a6c62ce3b2fb686e3b5472dae9ee236bce31b044a6bdbf90364932b1d5db90f871422659

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b5bc0ee6e5e36a2715ea2f31bda26752

SHA1
3a4002bc7105a526a0e99df4a4aa939f43200ac5

SHA256
6e6fc449ce04f24f635c47fac63d41e49ec495b2267f5e8fea104ce60f1a46a0

SHA512
301f66214a46ccdce5432d6dfbc65b0dc1ee283cdffc9edcdb20012255f5d849e213c4a64b916b70eaa934569bfe436488477d7d93ab8eb76f4b782de52d3a3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d686c5503a4b19d8d1edafedf473b947

SHA1
ecd48c465dac2c3abac053153e426f5d424659c8

SHA256
a20326d2803064cb945a92853b4d560370ec44152d55704f1044822ec663ddda

SHA512
3998bbacaa11e4866a8726785e7436ac32f0a9f17054932c3d0fde2cf998e4cfe2d792a24eed1c336c76d578042420ba33ccf04ea37391e680056d5eeb91e6b7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5840aec791e6a4ae678229cc3c933f19

SHA1
b44c4e367558cb1563abae5b346df56ff86e30d9

SHA256
2a2af4483235b424c54d2582b5883c1fd75101dcef4420d946ae5f93798936e4

SHA512
96708b97853b74a0efbcc0119bbe2ed0f1de67c1953d755bea3475e8acd703ecf347923a6cfdca6f5a8f3884287be5919816061c0e1015ecf556f7b7d36a723b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
56161699af9373d1afaf02215d619219

SHA1
00fc540b2351d99b5927e871b31225c6ab537dc7

SHA256
13c52146306cce101661d31c29fd07f3ba5046351454243b7b983b69848346e4

SHA512
a1a49970df63823877eb15af6c4c498e6ec300f4c65e5007267da97734098315c33a25992082c2c44d5aadae6b5873aee3cfe1141cb4cff4d57e72f7f30d2d0c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
264384de66cc293177fcfb88d4463c56

SHA1
80e6d11a5d7607c6cf0181a7c621b4e1ecb7968d

SHA256
6619716369411479da444554c27b08c8c3fc1762c4cfc639b4a6c5b3f009859d

SHA512
3ebd9ae2daf185a3830f97074f78c211bd17fcc6bb647b4c46cf390858481a84dffe5b6a70c4dcb647b39f71f231a62beb9e8161a478246299381bd3863a5199

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1924b6b3712ae5a39bbe8d73ebb7fe45

SHA1
45f849e39e82a3743fd9b8bd82f497cd360df08a

SHA256
b28de899bd3843176b868fcaebfc1ecbe31487f69ff21077b437a0b7610b340c

SHA512
1b26c7cc07180d805147234d84de30a16aab9b7ab85b8ec3944096c6ba2c6d22b3c511059dc2b2c071370de8ea830d95fefe9c64069c62b25c3df1cc937ab096

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
714ec5356db1a90229364740135de998

SHA1
aa7eab2478f4aea4064b098963c0369a2929e06c

SHA256
fc09d89fd9e18615bf222cd075a2c7ddc13ab0c3da902a8bbaf5765503b233bd

SHA512
dcb70aabccc0d86c125c9c2afa8a06a1fdbd7d6203cd4c24c510e5ef077b48ac28aac0c3ccbb0b1476a545ce9bf15c7d5222788ce90d7e4e111d2350c726cb14

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
274ff9459ed95c22aa2b5543f337bcde

SHA1
b565d905ae218936ab8e3206a24dce4c123e2eae

SHA256
b54ae446e5b0ad22b4bb4108f5e1c52de24114a556534eda8e20422ae2609e9a

SHA512
fec495a2e8b1ce720bb5ed65e80d22daf503a167350c02c9adb9d23b68274959d26ffb38951db67d662386cf820720d187429d3d1670ac0804fc2cf860b27a48

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e13d9afa3e9c7493a061323e585c5688

SHA1
af5fd33f0fe6cc8a11fb5bbc8812f985e05edc3b

SHA256
7ea4585b63dbf60fb0fa73fe4ede4612dc7a21c7b0bf6e5522bac7deae2f610e

SHA512
3001738354c355df8cf5c448837e14e085859e93f2fef74b40a411dc5dee419da95ff69374cbe479662b5d9e9e09ce7495f33961c07efddfc124c318d6a6d9f6

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fc0195c3fbc9d1ba19811d3c36b2bea4

SHA1
d618abf74712f8730fbad1d0988d1c30e1ec036b

SHA256
0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739

SHA512
01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965

Download Submit
memory/516-253-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/516-31-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/516-37-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/516-39-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/532-323-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/532-324-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/548-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/548-554-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/764-574-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/764-339-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1252-1-0x00000000010C0000-0x0000000001126000-memory.dmp

Filesize
408KB

Download
memory/1252-8-0x00000000010C0000-0x0000000001126000-memory.dmp

Filesize
408KB

Download
memory/1252-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1252-79-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1252-87-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1320-305-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1320-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1652-41-0x0000000000F60000-0x0000000000FC6000-memory.dmp

Filesize
408KB

Download
memory/1652-49-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1652-46-0x0000000000F60000-0x0000000000FC6000-memory.dmp

Filesize
408KB

Download
memory/1652-254-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1880-75-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/1880-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1880-68-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1880-70-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/1880-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2144-96-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2144-90-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2144-98-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2144-257-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2248-52-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2248-51-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/2248-255-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/2248-59-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2452-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2452-575-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2532-277-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2532-334-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2760-267-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2760-330-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2760-266-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2776-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2776-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2776-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2776-224-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2944-317-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2944-422-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3248-81-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3248-256-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3276-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3276-320-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3276-423-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3276-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3316-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3316-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3316-424-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3364-511-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3364-327-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3456-416-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3456-294-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3636-335-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3636-573-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4596-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4596-223-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4764-338-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4764-287-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download