wannacry | 5dccb2f9af593b904de0358c94033fbecba666287423add3b9f3a733944f6500

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
Size

5.0MB
MD5

ab9cf8af27d00f5770e8f5c428a435d0
SHA1

1f3d5b9be513d5494f192fc3648e19ee03194e21
SHA256

5dccb2f9af593b904de0358c94033fbecba666287423add3b9f3a733944f6500
SHA512

e1ad1378ab6e6828202bdf92da49f4200becb11b18af4a0fbae1608ebcb0ddf0d9e0a438ba908b600855554341b117e10555635ee4a38ab1e209fb04ac7ca86b
SSDEEP

98304:tDqPoBhz1aRxcSUDk36SAEdhvxWa9P593u7wRGpj3w:tDqPe1Cxcxk3ZAEUadzCF9g

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3313) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
5856	alg.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
4244	fxssvc.exe
3624	elevation_service.exe
4576	elevation_service.exe
4948	maintenanceservice.exe
5264	tasksche.exe
5780	msdtc.exe
1100	OSE.EXE
2988	PerceptionSimulationService.exe
2584	perfhost.exe
5632	locator.exe
4620	SensorDataService.exe
3644	snmptrap.exe
3852	spectrum.exe
4668	ssh-agent.exe
5348	TieringEngineService.exe
3436	AgentService.exe
1492	vds.exe
5700	vssvc.exe
4180	wbengine.exe
1280	WmiApSrv.exe
4204	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bc51724940c5c813.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000516364e144a1db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af6445e144a1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd21e5e144a1db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db3b5de144a1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000669abce144a1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080c485e144a1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8c666e144a1db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
3624	elevation_service.exe
3624	elevation_service.exe
3624	elevation_service.exe
3624	elevation_service.exe
3624	elevation_service.exe
3624	elevation_service.exe
3624	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1668	2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
Token: SeAuditPrivilege	4244	fxssvc.exe
Token: SeDebugPrivilege	1856	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3624	elevation_service.exe
Token: SeRestorePrivilege	5348	TieringEngineService.exe
Token: SeManageVolumePrivilege	5348	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3436	AgentService.exe
Token: SeBackupPrivilege	5700	vssvc.exe
Token: SeRestorePrivilege	5700	vssvc.exe
Token: SeAuditPrivilege	5700	vssvc.exe
Token: SeBackupPrivilege	4180	wbengine.exe
Token: SeRestorePrivilege	4180	wbengine.exe
Token: SeSecurityPrivilege	4180	wbengine.exe
Token: 33	4204	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4204	SearchIndexer.exe
Token: SeDebugPrivilege	3624	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 5284	4204	SearchIndexer.exe	135
PID 4204 wrote to memory of 5284	4204	SearchIndexer.exe	135
PID 4204 wrote to memory of 2656	4204	SearchIndexer.exe	136
PID 4204 wrote to memory of 2656	4204	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1668
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:5264

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5856

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Users\Admin\AppData\Local\Temp\2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-03-30_ab9cf8af27d00f5770e8f5c428a435d0_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5780

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5632

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5284
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
378fc50e50430327d182a7376b122649

SHA1
9a390a9d7ec7f2a0385c17f4a3f75a7164f502e2

SHA256
1452e04fc391c6ef55ae159faeeff9424ec46d0dea8b20d1939a72520e45bb30

SHA512
6d699adcfaa797b3667885069e4d721b77987e81676a506b2bfce818988247937dbabf1ea268cb1b8e5d1f4271501477f43b1bfab8eefda69b6c12f30c802f7f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
d71b148f8c59e9f5d4ab3aacb77c467b

SHA1
18bf2ad7cb4c940de9739d65140d565529044744

SHA256
5526279002ba732bd203b445cf6dc87f28d82d7443947d772c8d1200a4d60c82

SHA512
1005581484ed190604a7bf4e213d0db1f1df32e72d37e6ab90cfdb6437cd1b185fca4d9e96017ff03fc8e834d9f86ed2c6c2f16eec6e0351609bd8ce0b453b7a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
8044108f8a73fc79a351bd2f9a0c8f2b

SHA1
281b1671251c10d8f1f642f1bc565895cc643d11

SHA256
09b4f56e03f55809543660755840ffd6a779c2f428bf70a2813258a259a9ad6f

SHA512
891547bb6f4b6b926c0c285ae5600846da11c6f168249db3d4b57d04c3c64aecce22e1df8b105fd9514f192154a500ccf741f61276eefafe5ceb2f2d1431a74b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
601ee086e35de4cf6560c5569572b954

SHA1
32124cb377c41063bd6c790fbcea753ee610721c

SHA256
56c43e03c9e8133ce5ad94f612433629fdbfe5686e00532396e47f97a83b020d

SHA512
440c0aba4a3260e39f8a35f2ae84d562cd3f693b8fa15501901d5ec856104b52b4c562b763bdf61e6e70a2a5d492ff504284a74fd2bd0042da4c3d523c249b5d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
71c4e50282be6f6450f8c201af7c4e41

SHA1
228274cbfee1ccb31d6c66fcb5c10be425bcbfcf

SHA256
e5520cc3925be81412295e2bf0c3a752ca127e94246c7a7507bbf6f6d0958aa7

SHA512
144ea51e8334d4ddfb8770bb0e5fd58b197acde34db95a35f93c84f2df5ea02661e63cb1b0e97a1d33721cebe62fb1eda169ee29d23aa6738af6f0fa5cd4341d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2b537a300d13e7cca66172b47c7e59bb

SHA1
63a4efa97cf3c5c9bb4824dddcf9d604a831dac6

SHA256
c8e89e841809425d46333373fb3035e17cfdd68bcf59efd37c241c1a49e84c96

SHA512
49651eb0ed106700d0e4ec9f5969d2db7d89e0023e868b905e259afa796780c90a787691251bb573caac4d95cd8970dc543b72a5453078e8bff0856c6ce90eea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
99e3c73df0ee55dab7bd4b5c6bef19cc

SHA1
e43cb227a78ae50020e965131268e2414d389b60

SHA256
b6bc033f19c4768509607ad8645f23d53dbceb7c6ecde47972c67c8bfa40379b

SHA512
4c434ddb838e591a8d759a2033e1609750b449ef9dc4158076527b93a3a0293029f8b375fb8f3870da8df08434a0c18b7d4f258f10b0404176ea812ff402ec68

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
39cd961f680d5903621f7cfdf811d843

SHA1
8ca30c464ede81743c25ae78ee522f75bde5b68c

SHA256
446bd649036a5f98c0bef583f28a97b70648650bc0297b70479a1f10ae015aa0

SHA512
dbb35261ce28ad17e923897495669976b98998a60b39e2e4678345db0b6a67f4b467c1c7dcbe289f2fa8baf465cda8af5d668b0486abc26d04176ac9d3fd95a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
7fb08f3191b38683a4e15c9117946ed7

SHA1
1c224a823bf9941764fef36bcfce5a715694a2f9

SHA256
dbce41f04be5170eeb8299ddd0469b3f91b7d7087e3cbbbee31d51eec8ef18a2

SHA512
e715ccc27f5fa39aafd94f19aaae1ded3d5dbaa379bbd835210cadd929bf13585425f2ab66a8cb355197f4041cfcc9a8ba61887275928756db0c7ab05d35e37c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b985d60006f08910f3f4c0380b8eb39f

SHA1
2ed3a9a4569ed3d00f3a5818ae8e4ec6a46c0fde

SHA256
21e73594aeb7cf9bcb46f2c417a2b120c2b2c4d4414e50c068595b31c499678a

SHA512
a5b9deae33adb38f765138cc6fc374beea158d88af467d2f4ca6c4652570ffd8b8c1a50a83e521b2b753c159c15f3d94cb2c8526dfd42d511642badfd31d724c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f9dac1f2924ee051fc30d6397aac9b28

SHA1
95ac33bd2e7a1ce9c0c62693a986d3d548e94ba2

SHA256
5ceb303e4d92aece1972ccccab3b7f862fc9b1c09092a7c5105071ce87f9e8fb

SHA512
a3c1bfab071f881c39613b0fb11068e2de70e77538632e0af48f258d81fd41663939f908ecc49407b200a17de7310aba3a6a7cb55ee0ea99acbd7c345add78cd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5b4df004a79fdbf97433d20bda74e8f5

SHA1
8cdbc0e522ddad034a39b8bacf5387e606906be2

SHA256
a110d22006c045482faeea6c73eed7a0b96dcda86523dfc81c72bda3ab6e6daf

SHA512
42dc4f3584f74cc05d5a33e739556ca34c1cbf25114b62b674a4d24aec6f15a073b33672d7f357b510066e4cd4eba3e486c0979ba68c82d5309c7febb42717c1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
2bec123e574fdde85def1e1996fa3280

SHA1
34533df03375b36b44b3928dee9d14f97ec70447

SHA256
c21cca0b5480222715e5bbcc8c7050fafef85a4e1ba6005661f8890528ec61b0

SHA512
ed96f621736faf123e9af83dfc7ef204f05a930a2865986dade4f6f7f3b4b00ea9f3ace66c35ecc15a4768c9c1f0b4c4dfa4139432345b4208a1a69357b1c383

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b5c03cf8ab2ff3f265070c13db671464

SHA1
5fb313626d83a3a1ce3714d22b669cd9292ccccb

SHA256
ca613a228b1c8d0cedea1f5afb88c1f920209955428c3f4f9f33be95fedcd7cb

SHA512
94031e2724ddb8ce871021a2436453165e6ab4530fae589bac758faf7a50ad2351794d786e7fd13bdb60c38d91075064fcd265c128d1869cdb8d84f3c501ddd6

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

Filesize
6.6MB

MD5
80fdb3ff474455858a4d3183df867ea8

SHA1
6c8a8c4ef69865cad48902e1cfa6bc783a85f996

SHA256
73ef12b97d8f4abba2d0d82794731a1dba4aad827762a495367cc502278bf6fa

SHA512
77ae304080634d3d9a77be09a2faf2a0d4e4e18e28f418f83c7d44717d8c273fb06ee487e4833344cac0d5167cf18d50f0d6ad3af9e5c7a21c464101c7b0ca0b

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

Filesize
6.6MB

MD5
8053ca4dfc5f5a85a0ded665b8b625f7

SHA1
4c8f12ed1ce65318adeefc6e13feec1fdac76109

SHA256
4ed019964df57104707b9bca1868e531ad582f551ae47323fece4909bc62781f

SHA512
3909e802662b1b8b56f3421c6498ca36d472bc53a4f8005060cf4460c3ba91b267efeb0fa28cdf3f1ced42c622830f85ce99a4e452cc2c7cf39c3e13d0645343

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a138d6fbaabbebf5c750137d51fc7485

SHA1
379fb00fad452e231f261b2d816c39e0a4b8b72e

SHA256
da32ca29638d1d1564fdc4ac7028436742aad4b0cd92a27bb8005839555b5ce1

SHA512
f8974ab76f6cfb15f9c63094071fe304e66f40999c1aea3897c6ee7d3cad0325e0943eae0ff505c4b7b6ab5188b9ac33c5c3f5fb71e349d84064c743633a291a

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

Filesize
3.3MB

MD5
0cd4fe35779c16073b8a09d7e2053873

SHA1
ee434d8b41f337ea12be9ab773b32b51da8c9315

SHA256
77cbbf0d86eec16967c6585b36a4a045e3ec74739c6da7ed76779c1b2efbb835

SHA512
23cf4a0ec76bf8e65c4cf8ac0a80144033f2b58a683c33766e69a19f6e0f6e9199121630546470b38333d6999f8a43ef63684f2c7b73bb49367fc42db6d8a853

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
dbc5356928bba1b0d3a0321f2082f5fd

SHA1
01361050ab2f64f0c6dbd4aad556ed89b1125d6b

SHA256
a5d3358899569080341a4fdbeaa1a8dfaf2e7183c394daa449854c42ae3c38db

SHA512
be3a31fc354eeb7c443e0fd41205711c4551b3f8f84b7d655e7ae4866c0a192ecd9d844ac6a87b79d2221bb6ff011e9f0de6d362fe4920bea600d28b08b4113a

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

Filesize
1.9MB

MD5
6352068268b54bd4cc9cb7408b469c26

SHA1
9a2308b8211fe5105bc3c1accb1b55bc29419d72

SHA256
4eaece9b164ee35ea594b34ebab51254d7f2ddb922786cb82dc7076bdad4256c

SHA512
d02ff47d4893364e7c553f17ff3cc890400c93b16a336019af027aa3049bc5fde7132888f4cf8824782cfc0a27a0c25579c09ca7ead902100905dc8f163e7446

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

Filesize
2.1MB

MD5
9964a76e27f25922adce6632d4340854

SHA1
de55eb39b2812cad8ee020d0509f065d334381c8

SHA256
08203c72289661e953b12be8a216d5ef6ffdd1fbac397a6faa909d24214c5fdc

SHA512
e88329bfd1e30abc5596b8633ec748b637f118d173a2ca4c13ee9e058f20c8f1f868cb916ae3166dbd6ed7151b0523829085f4d4a035e616ee754d31c800a4c8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ce8ddb1c64639cb828aa07bc9ade0e3e

SHA1
38320a86c3b07c5f3112f2bd35b2ac7a557ff13c

SHA256
cecb81df248adda82126dbb1eceb2e31f0917ff2baf2499ba827e7af259f7b2e

SHA512
a18aba1b861c31cf9542f6fa4a8dc501818377af818d4b623fdf26983b1b6cf7842f51786b0fb30ad2f8a6641ee8d1caf50b7fb8a7fe72d689184b6576b2090b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0ce94e00235442d4c95b18ec6ff4e4de

SHA1
e4b6befedcace773b5e117c7264802cfe0efd2bf

SHA256
d6673d29616a5c8c0b10335226038ae9d5c00dafd391b234635281d273c4ba4d

SHA512
146399c37708d28f1ddabf1222372a09260c857a6e2404ccfae960b6490caa2488a84b00447ef99a922b0169a792d6d9d59699914d5d7b054b71e06c7c81e8a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
1154be7cc373e4d42c75d1f587cc1f9f

SHA1
ce40671b70e32508334d43cbb4680971a3cebc88

SHA256
03c4213027e52cf619bcac90f18ec47c398e057bc0b78bc6ffd700431f5181db

SHA512
21a4443de7a6ed4f3b96d3db6d4bf4612ae0928a04b32268b7438cf33a6d976827f45c14418eb4d91458b9f84814c3f107fe8fb9905e637286c5fe3c44fde857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
64c6177cc14f9ec4ef7a5e9e73de52d8

SHA1
65216fecaf75bec5c63c8625eb0769f866b05c73

SHA256
eb39935a27d144d8c6b0b4f1dc62e7dc74483cbc6fd1f3cbbc565031211da0b5

SHA512
2b8ee2206c45192b8827d234589ab4e48c5cdd7e6b5e02a6b5cb69fb9565f8ccaed4c1b8bd90108e7d37f8838d6c5c6141744a8aa2c17de28e0f7ea9e707473d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
09c2b781b11d30f6b4d601b1dc3c32fb

SHA1
0825f4e2fad7a6ef34bd13dd52c2f6ca4ab51165

SHA256
c87e8e769642519fcc550d3c2e1d89ce969e70d44d0adeec49c59330a2b15c82

SHA512
707749c31cef1e5907fc3250ea60bdf9c32f23f793f862d9d2bdcb061705a098f48f0c799494fb6aca545977a798bf2e1f7ed1cddd3b8fe10dfda750384f9b36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
8bf69527591cc9a12c38368133f1728c

SHA1
fbb21def50405050aa1b98a56e4004a330904f76

SHA256
4bb109625587c7c4081218ca3ef18f864c5c78e47a9ecac77e5fe28e5475c363

SHA512
e19d7e20a7d68a9c9a92d2864903b6fe8851107e17201de1114aa8aa0be80298d3c5486eda384ae2644998f53dd1f1ce0eb661f34776c467c9e9e608a2136b58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
0870cdc27a403421b216b2316ed7522e

SHA1
f4d2513367b562dec3650e753aefcc2dd1dfa5d9

SHA256
590265d31965071488788bf0746ac23f801b9e50b268fb3a5f356e64018e08b9

SHA512
5f6eb700032bf3dba952428dc68dbe6f2a89cd09b97c64400ddd710f2be324280343cb565049f0557b3bb67db9d9a9a628758ac3267c848d397e44bc67881358

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
79142f585a6c167a0fc3faa2c962e95f

SHA1
181b371f079113e639a780344c90726be85409f5

SHA256
630306a6a875b6abf0b07326788792c4ef050b2def3eebc1b0d9121cc0607c9b

SHA512
b72c7daa1e32d867e6b34fb555ac53d42df2cbf114820657d6f2f1cbcf559024bb649b9a991018de8806d3e0e3bb5637c24dabbecbd05163b1363fe3f5311334

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
aec7415c66f499ef192fd30ec801c3a5

SHA1
176329dbf948a071cba61e51fc104c83aa2a9cd7

SHA256
39a7708b9fa54f99b5732bfc911dc000ca2a3ee050d5c906de90012fe14b1f19

SHA512
c4555465eef0b7fc24b5abc77e7d6a1e0cfab2b60945a7e07bab365f5292fd4edd6b1511f74da01708df4e08d77c4e4cb1b6fad977943878ee0c4cdd87339932

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
19c5890f8e5a58c33975b609745b55e3

SHA1
29d317b20f37321ec72d94cd570230163e7d9047

SHA256
f9f86990e1bf489ec2bb3eadfd31b5d4b9c4429945aa25df9346735216ca6d5b

SHA512
234d0bdb5e9dea3ecdf6227e556fb3f2d945f44a65a75d2118c8fec7ec15a930a3f2be19ec50492c35daba77cff00b1a588268e0647bee2c39d2209ffe2391e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
42f9cf45439c00ea1453c2db8fcb8dfd

SHA1
c6ee162e403da38f5ff60f63ffd9ee8e8066a550

SHA256
6ac7b4721578de3be375c4b392afca10d46cc61a8520ddb759fda280892ce5da

SHA512
0d4f5f1d231340fb1b913c1de06a34fdf971de141b39899e8f244f252f08aa3e57a45fd7cfd8709a4708471b0b73bbb9fcfa43dfcf2a69dcd601c6870bf7c538

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
ab1285bde1face8b1e2d875ae3365636

SHA1
24087b71f1bdbf407bca4a9800b0e71ff8dd7323

SHA256
338bbb25cd0224420f6bb66721cb170b3959d2141d36c634a9df7759b911862b

SHA512
e45dc9a675110a6302c67575dea6498705b901e6e88d6d0773e5ed62f515a2e18c3f1b7282833b01607319e7e64f92a9a20e8bf8016bd6993779bfa2fc453d3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6f9c519c62d6aa0f3bc227f5f4d80440

SHA1
d66567e0f9a863fa8bed3b22277f486eda692b5e

SHA256
bb4096ff7060a4af49b68575488d1e8f0730422d7837cf5155a2fa32744e37d3

SHA512
7996ba82b8c79d123bfad468832fe676f8a486f0238eff547fc0e8948c656c815e3cf8ddb083501aab8529323f0cb557bceec7c00646af679c94f4890b5c7630

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a40113c210dd4c1b22213be1d4540e90

SHA1
44c96ca94ec7f2718912dfd21efb95095fdbb313

SHA256
2b573fb8fc2a263c2914c45d8c22ec0d42d58c967cbf7d48d6c959a433dff3a7

SHA512
5768444520a5383b636d5758790f83d5f24e71c0269fd81a9a217ba9e2802a99a2f9671623539095a5919ec5f3301c463abb05937692d484d9ed4db75af8d57f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
4588c65d5f7f2abb5031d02e4d04488a

SHA1
7aaea5818a426ce937a5fd54c578aa75a82a445b

SHA256
4f448f787e867f2045129c6ff4e1aad650ad8ef3c72a930ecca4e3b0bfbd29b0

SHA512
f320f5cd3ff6eb91877685c0f5e0791d4cd2a57782c109c04fb42b59f7a1f96a4496dcaf0bb6ab3accc2fbd1e0c8cc8c64f9b62f10afbcbbd880530f376eb5df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
b6821295fa6c8f45d043ab1813129f87

SHA1
9e17d2da1d2169e1a1b365fae5d695a963d5a548

SHA256
d93ab0311b5e0c0f4e6709b183f73b54cbc4a5fd5079d1410e9506659347a079

SHA512
5a10675199615885e617da0004b74c7105546f9192ee341f207bd44de27e1bbb09750b038565fcc535a5f69309efb4260720f1b95fff0aa9abb31f8d6b967f95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
2b9cddbe99d1aa87f2b8af21e12c87a9

SHA1
5bfe4bab8addc5ef60afbe5a22bdaee01af9ecaf

SHA256
fc0c5adc58319da6e2d032ee584beab61e93a902cdaf170c53ddcec9c5ff15f4

SHA512
4473efe9b371b51cb8fbe49d8fb490447be445a5362588a8d98cd6c3181bc3fb1300ca9c220cfb1532cc79afd25c57142589e7be6fdf8b7942e61795f5da45c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
6d22e7c9786af3ae0fdee9b4d025c268

SHA1
8bce5b3e598fc5d5a77ce1b30a673774df9c04ab

SHA256
885e10565a64faf2efed0ed1fc007cd224f059157cd9eec4d9e82064ce7eb586

SHA512
199b33962c8e1d5865d8937f1a04d05a24b22906768d6c278e5419aa9b4df6d68672b1fec0107c07c6b3c22ef94879f031a942e1c1247ccee4198a82954a36d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
19b0c10950b5770e93195842db592c48

SHA1
1f453decc1fedf94edd007a868f12523752136d7

SHA256
95bda57e63421cd417dc3dd324003dc8fd2edceb2a21f39862f27b80a6dbc00c

SHA512
ecc16e842479c5b7b9fa317295d6309c653661a9f982ce5e1fad0bbe686711c3efbac2650706bbf511dcbb18351865f5b954aaa6d3aa2a75700f392c5de8efcb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
0106c8c68f5c489b8675c5fee92fd75e

SHA1
73448d57a286db5af14c519a1ca52820ea7e229e

SHA256
27dbf18b3a39c7e19f8541af806507eb58aea4d95efc5fb7ed45a73250daa005

SHA512
c78c3a7a939b8938b17d3e8f546641f91c30a8d3fa9e9e4cf2529718ca2f3b756a84eb295f428aabe0923b641b163c1ffc39992dd8594b3707db573e4e318e48

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a2b44ff6ece4f92cb27d9b59c0a80ea6

SHA1
fa4288862c25731bc04b29ccbb778aca9c4451d1

SHA256
1d1afb38849daa0473e7e7e453e794240d72d27835cff05f0542d03975e54ff8

SHA512
b31c47c8f70816782eb3b39b029d1ef731d8cde7ae43e4792f8be9b18ae6ba4495c19d4d496727589a027e523831e1ce97ad66334272f3a58175b4897683677c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f32a232f23c94b186d9790d526fc718b

SHA1
9393ca8fceaab8a811863b695c19d690434f003c

SHA256
1a051a639613b71e848600ded71fc78a79c631cc386f1798d433ccedc582d18e

SHA512
9ca7b101063e29a7da4d8173d8ef9f8eff444196f40cfd302224d0dabc5f07ee8519a64b23477310a2b4db553f6e0515698ef34e94f937c61efb8056118f22fd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fc057e1e7e97a09f181f600f3bb376b6

SHA1
f3c9622a6762aa3e112508621c2e82036076d986

SHA256
e2f40ed7c69bebe689123ceb9f55f6f56f113eea930c85fcf8a62f5278b7bb52

SHA512
258812b88491e18f91b17d185c55e7eb25b01b1d503848b0352b11e2f0d55c03cd1fa9910a02be325569ac16d93caaa405683f260ccc0da51c6a4dcf9e1f87d5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
051544c125893b2de6c4810a4c7e45af

SHA1
55798eb02d98622265b41dfde6be19b1dce3468f

SHA256
5be7ba8ca0769d0369019877b684ea08ab91b5a33cb62067b49b1dbc91c5a076

SHA512
defec04b0b968638b25e159c1b501b5150ab4a91f1d22e180756a72c929ce68b27b08940d3be24213d0b6229444239645b2a3996759ffaebccad95883bf7a864

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8ab45ead7d01ab56f6699b84232d8b6c

SHA1
07ed7251956659fbc6b97ede23616a2b6698f523

SHA256
794f1eaddb90a3831dd28128c47dff8f681e14d74947b2fcfa5c797f1330f609

SHA512
dbe323d8da0f678635b2e74b0b658086427dbbb03e555ae4ab06ee1bd19acc72a9d456c06d5ae8008b5f155812bd71f00b0f6d3d56f890d639584e24c279ee52

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ee1a39c70eaf771c7520b0edf4bc5f4c

SHA1
a1efbd5b09fa569dfa4e83fdd0cad9fa8045aac1

SHA256
89855dd9811461ca73a93f0c52b5c899615a61d5c56c7ba0827ed9a1c3db11bb

SHA512
935ac3efe1ddb5b470c0e22e2746c466b99d56cb10140b3e891391fb6f169b52460c6efa9198184277bfa4ac64ae2fadaf30f1d1f7eca720fb7527b51f55617a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
57a9ce6ad9d09f3ccf907b8896f81996

SHA1
4623aa73ff145c142540361f283e1fdd74cbd464

SHA256
e67d00079fb7ac6711e4cb9d177a5b31ed6ed0378a0b4c827d1974acd107b79d

SHA512
4dec4ea52015b8fb3fa23bebd4489c2fc43186c537250d583233708794d4ab2af57e3abeed6b7f36fee1bf5a7f2408ec61b94f79f9526a27db5ff22eb704e740

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
946a4eeb111dabeed46d9f55367021eb

SHA1
602433123e113d9a68dc6043f178c4ca3af41aba

SHA256
1efd7bcbe35264d511b4e1905cfad7ca90a772f15ab636cda25917b70a3bbb86

SHA512
54b0fb5bd21c570404a09ed0411cb44d1ee779b46ccb8c730775618205c24e8e55b911a5b70cf693cb366f9322c51799b3816aadcda5c38c743516581a8d056b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0c807f8a3276039fb31492d8df77284b

SHA1
6a936391213ca1d7f1da3b06dec4e6056bb9cc9b

SHA256
3415a3378e09abcfdda6ff8a1a95495926ceff2dce205cbbe8ff43cbada7ba86

SHA512
d50c55411171de5e347a601528f09187e0a27779006549a9d7ad0b5766995ebed296fd74d767d357a9085904f1797d0ff730990b9a6d9ca8d1d3eec64ad6bfb9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
61e843d27e63e6e5193190e557f02b82

SHA1
5519f5dacace4c6fa59171fdbf7835a96590b635

SHA256
cfa86400f022b5a26cba942012f2445774322f8380e598a6c708a73ad51bc2cb

SHA512
aa69694d893a806a9aa441ce2685f370bebab921740d3baa076a2e158789b1e0057b7d9662a3c13832ac19bfcfe84b00a6ea04ed84495fa187a57ccb7827b8b7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6437cd9d34554433d38215aacea42e28

SHA1
ebd3b9238a10be5b04376711d4d6919084b5fe6a

SHA256
9766d05c17034413d7227129787239a555193b95519fdf3343474c248f2e9208

SHA512
d655bf66d3ea49a3d66ea77e702d7e6948f25c98de6696b4fd2fde7ec6246d7b76d90e57deb2b429346db520ce0ccc142d390a80189949d9c1dac27124a04f4f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c2a13efe1a4a5818d4acd111c5a78650

SHA1
29a2eb5c45144a08ed9d16d723058923e1571cc6

SHA256
71ce66e7974e54e90dd34d9f696c781bf88cadd92f870c61ea9abc3425a58dfa

SHA512
5c3d595815c7e4cbf41f8084c64afed1567d0dfaf009751ff0d08dab6f79df384639a507c0a57626149865d73430d66407d18caea78adf6855fbc76019ab09b5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b9767aa50ab098f6f0be4b4193abc80d

SHA1
9b675f65ce45377645e5ba7882c0303a3a68eae8

SHA256
914911caa58c0e3613d39471b4b116d63165ce7f1e53d06b41a78ce800f4070e

SHA512
6cfbc7e16ea508b0034edc84e1468a4807bd90d173ac35ba341c8a2f7835e5d6156099fc4dcb22fec353ceb859aeb9a49b46928604386da844d96608e20781f3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a3d95c5609473b4210281c768e815947

SHA1
bbde1fd12ca949f3e88e866bc2095bbfd3538a93

SHA256
635a2516b7af57d0e1ddf8168b59b10f866139211a4a587a47b543f9bdbea8e3

SHA512
4c488dc58a71443efe5a6393e9175d57b29e9511d87cb7c15ddec03e7b857149cc26bf1d05f8cef681750584316680bc0f6c4e34e1edd60ff94c7dd627e06619

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
740ecde5d59446460d58ffdd6d4673bf

SHA1
0a6fa801613bb0fb56fd76a01c006f6a61cfc12b

SHA256
907adc0be67e3b2e573f65659baf7535ab3066ad771965c8952ac03875d64d25

SHA512
638cce7dca11dcc909d192ee8d25cb85502d2668c0fb3472a8cad422dcc1c05e42cccf97d581e17c20fdafd097db20e3f8411dca3be57ba1519c5e3c4eba1773

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4c017de72f648015583ed842def0c446

SHA1
c4235d9bd08070284488f7040f0fa841c60525db

SHA256
43e09ed52b92704723ade1ad6469b8e5b776065290bfb5a951119aa28eabaf29

SHA512
5e959f784de41e69ab11ad069561550817924079acf21fbff93b08e45067f07840e5315f3c639725f43341800e36b78ba0dc0a34f231e98b4729c6cf5f4c65f9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d7f6528b5353a0faef35bc38064cfb8

SHA1
c0feaccf038d9bd1e5d7340d68e39ad59ec661c1

SHA256
610181a69d271319534caf712fc33268032def6a494551afc311f97455ba0b6e

SHA512
0e260411d223f1f38a5eec9b9ac21ca32d3b7a31df9faa3a5fe6d308de5580041791065f02a4859e7e0048266e6a3cec4566d3f6895bb1015bb27960891dc72e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8f032ba8526beb6ec647047136d53221

SHA1
effb203d86fba16cc6e994c52b3887441ce015d5

SHA256
a3f883f0c28e90b9253a4c347b5fab1a4044d3cc7a3fdb5a71bb1de6482aeb04

SHA512
092ff585a4735a6b17079e2eae3c50509f1dc0385b8e52855f68ab36c9e1b41bff8affc1cb41920df7db807e2e7b9d9d8756346c88a5b15f7ea26e66377eb4c5

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
04d3b73878d2392ab7bb1f39d74a81b6

SHA1
9ed93e482086c6eb17b38fae4e9007e0f1eb7127

SHA256
2c1ce9aa7079f99b5286737b6001faae39cda6e3f96647e6fb529520c90332d5

SHA512
7328437e91388080863bc69c68fef148e7026bb680df091cf940b94aba9e98f8b04c228eb79c3b784b8efdfbf167c47455c667fe3cb8054e050b16077a088680

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fc0195c3fbc9d1ba19811d3c36b2bea4

SHA1
d618abf74712f8730fbad1d0988d1c30e1ec036b

SHA256
0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739

SHA512
01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965

Download Submit
memory/1100-98-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1100-256-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1100-95-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1100-89-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1280-350-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1280-497-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1492-487-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1492-327-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1668-1-0x0000000001080000-0x00000000010E6000-memory.dmp

Filesize
408KB

Download
memory/1668-97-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1668-8-0x0000000001080000-0x00000000010E6000-memory.dmp

Filesize
408KB

Download
memory/1668-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1856-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1856-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1856-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1856-122-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2584-333-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2584-276-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2988-265-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2988-266-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2988-329-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3436-322-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3436-324-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3624-252-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3624-33-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3624-41-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3624-39-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3644-293-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3644-415-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3852-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3852-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4180-334-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4180-492-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4204-498-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4204-351-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4244-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4244-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4560-253-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4560-49-0x0000000000C50000-0x0000000000CB6000-memory.dmp

Filesize
408KB

Download
memory/4560-59-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4560-44-0x0000000000C50000-0x0000000000CB6000-memory.dmp

Filesize
408KB

Download
memory/4576-254-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4576-52-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4576-57-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4576-61-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4620-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-490-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-353-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4668-316-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4668-437-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4948-75-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4948-63-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/4948-70-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4948-65-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4948-76-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/5348-483-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5348-319-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5632-286-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5632-349-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5700-491-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5700-330-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5780-87-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5780-255-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5856-121-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5856-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download